Heap Exploitation Fundamentals: Understanding Use-After-Free Vulnerabilities

What Is a Use-After-Free Vulnerability?

A Use-After-Free (UAF) vulnerability occurs when a program continues to use a memory pointer after the memory it references has been freed. In languages like C and C++ where memory management is manual, this is a surprisingly common mistake — and one with serious security implications.

From an attacker's perspective, UAF bugs are highly desirable: they can often be turned into arbitrary code execution, and they frequently bypass modern exploit mitigations like ASLR and stack canaries.

The Memory Lifecycle: Where It Goes Wrong

To understand UAF, you need to understand how dynamic memory allocation works. When a program calls malloc(), the allocator carves out a chunk of heap memory and returns a pointer. When free() is called on that pointer, the memory is returned to the allocator's free list — but the pointer variable itself still holds the old address.

If the program then dereferences that pointer again, it reads or writes memory that now belongs to another allocation. Three dangerous scenarios emerge:

• Read-after-free: Leaking data from a reallocated chunk (information disclosure).
• Write-after-free: Corrupting a reallocated chunk's contents (data corruption or control-flow hijack).
• Call-after-free: Executing a function pointer that now points to attacker-controlled data (code execution).

A Simplified Vulnerable Pattern

Consider this pseudo-code:

Widget *w = new Widget();
w->initialize();
delete w;          // memory freed
// ... some code path ...
w->render();       // UAF: w still points to freed memory

In practice, UAFs are often far more subtle — buried in complex object lifecycles, event handlers, or multi-threaded race conditions where deallocation and reuse happen concurrently.

How Attackers Exploit UAF

The standard exploitation technique is called heap grooming or heap shaping. The goal is to control what gets allocated in the freed memory slot before the vulnerable code accesses it again.

1. Trigger the free: Cause the target object to be deallocated, ideally through a controllable code path.
2. Spray controlled data: Flood the heap with attacker-controlled allocations of the same size, hoping one lands in the freed slot. This is called a heap spray.
3. Trigger the use: Execute the code path that uses the now-freed pointer — which now points to attacker data.
4. Redirect execution: If the object contained a virtual function table (vtable) pointer, overwriting it redirects virtual function calls to arbitrary code.

Real-World Impact

UAF bugs have been at the root of some of the most critical vulnerabilities in browsers, kernels, and enterprise software. Browser engines are particularly susceptible because they manage enormous numbers of JavaScript objects with complex lifetimes. Kernel-level UAFs are especially prized because they can lead to privilege escalation from user space to ring-0.

Why UAFs Are Hard to Eliminate

Several factors make UAF bugs persistent despite decades of awareness:

• Manual memory management: C and C++ provide no automatic protection against dangling pointers.
• Code complexity: Large codebases with many contributors make ownership semantics difficult to track.
• Async and event-driven code: Callbacks and event queues create non-obvious lifetimes where objects can be freed while still referenced.
• Race conditions: In multi-threaded code, a concurrent free can create a UAF that's nearly impossible to reproduce deterministically.

Mitigations and Defenses

Modern systems employ several layers of defense:

• Memory-safe languages: Rust's ownership model makes UAF impossible at compile time.
• Smart pointers: C++ std::shared_ptr and std::unique_ptr enforce ownership semantics.
• Heap allocator hardening: Allocators like PartitionAlloc (Chrome) and scudo (Android) isolate allocations by type, making cross-type UAF exploitation harder.
• AddressSanitizer (ASan): A compiler-based tool that detects UAF at runtime — invaluable during development and fuzzing.
• Pointer Authentication Codes (PAC): ARM hardware feature that signs pointers, making hijacking harder.

Conclusion

Use-After-Free remains one of the most impactful vulnerability classes precisely because it sits at the intersection of unavoidable complexity and dangerous memory semantics. Understanding how these bugs are constructed and exploited is essential knowledge for both offensive researchers finding them and defenders trying to prevent them.