2 March 2024

The reason we patch most buffer overflow vulnerabilities is not that they're a potential RCE. You can't reliably exploit most of these bugs to get an RCE. The real reason they're fixed is that they provide surface for a DoS attack. There's negligible difference between a heap buffer overflow leading to a segfault and a panic!("Out of bounds.").
