Format string vulnerabilities are security flaws in a programmer's code, most often in C. They usually occur in calls to the printf, sprintf, and syslog functions, though they can occur in any function that accepts a format string: a string in which a "%" symbol followed by a conversion character (for example d, f, s, or x) determines how the corresponding argument is formatted, be it as an integer, floating-point number, string, or hexadecimal value. The vulnerability arises when such a function is used insecurely, with data the user controls supplied as the format string itself.

For example:

is the secure way of using printf(), while
is insecure: it can crash the program and leaves it susceptible to buffer overflows.
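The distinction the two calls above rest on, as an added example that is not part of the original write-up: a small check that counts the "%" directives in a piece of untrusted text (the ones printf() would interpret if that text were passed as the format string), beside the secure pattern of a constant format and the text as a "%s" argument. The function names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion specifications ("%" followed by anything other than a
 * second "%") in s. If s is user-controlled and is passed to printf() as
 * the format argument, each one is interpreted rather than printed. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" prints a literal '%' */
        n++;
    }
    return n;
}

/* Secure pattern: the format string is a constant chosen by the programmer
 * and the untrusted text is only ever a "%s" argument, so every '%' in it
 * is copied to the output literally.
 *   insecure:  printf(msg);         -- msg itself is the format string
 *   secure:    printf("%s", msg);   -- msg is data
 * Returns the number of bytes written, or -1 if out was too small. */
int log_line(char *out, size_t outsz, const char *msg) {
    int n = snprintf(out, outsz, "%s", msg);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* Constructed sample input, as a user might type it (assumed value). */
static const char USER_INPUT[] = "balance: 100%% paid, ref %x %s %d";

int main(void) {
    char buf[128];
    printf("directives in input: %d\n", count_directives(USER_INPUT));
    if (log_line(buf, sizeof buf, USER_INPUT) >= 0)
        printf("rendered literally: %s\n", buf);
    return 0;
}
```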
