[metadata]
id = "ARR00-C"
type = "recommendation"
category = "ARR"
number = 0
title = "Understand how arrays work"
description = """
The incorrect use of arrays has traditionally been a source of
exploitablevulnerabilities. Elements referenced within an array using the
subscript operator[]are not checked unless the programmer provides adequate
bounds checking. As a result, the expressionarray [pos] = valuecan be used by an
attacker to transfer control to arbitrary code. An attacker who can control the
values of bothposandvaluein the expressionarray [pos] = valuecan perform an
arbitrary write (which is when the attacker overwrites other storage locations
with different content). The consequences range from changing a variable used to
determine what permissions the program grants to executing arbitrary code with
the permissions of the vulnerable process. Arrays are also a common source of
buffer overflows when iterators exceed the bounds of the array. An array is a
series of objects, all of which are the same size and type. Each object in an
array is called anarray element. The entire array is stored contiguously in
memory (that is, there are no gaps between elements). Arrays are commonly used
to represent a sequence of elements where random access is important but there
is little or no need to insert new elements into the sequence (which can be an
expensive operation with arrays).
"""
severity = "High"
likelihood = "Probable"
priority = "P6"
level = "L2"
cert_version = "2016 Edition (Wiki)"
last_modified = "Jul 24, 2025"
[rules.cert_c.ARR00-C]
enabled = true
[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/ARR00-C.+Understand+how+arrays+work"
cwe = ["CWE-119", "CWE-123", "CWE-125", "CWE-129"]