Microsoft finds security flaw in memory allocation code

BadAlloc integer overflows affect IoT, OT and medical gear, leaving them vulnerable to hacks

Microsoft security researchers have discovered more than 20 critical remote code execution (RCE) vulnerabilities in Internet of Things (IoT) devices and operational technology (OT) industrial systems.

These 25 security vulnerabilities are collectively called “BadAlloc”. They are caused by integer overflow or wraparound errors in memory allocation code, which attackers can use to trigger system crashes and remotely execute malicious code on IoT and OT systems.

BadAlloc is the name Microsoft’s Section 52 gave to this family of vulnerabilities discovered in embedded IoT and OT operating systems and software.

All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more.
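The bug class behind BadAlloc, as an added illustration that is not Microsoft's or any affected vendor's code: the size passed to an allocator is computed from an attacker-influenced count and wraps around, so a huge request becomes a tiny buffer that later code overruns. The function names and the constructed inputs are this example's own; the checks show the mitigation an allocator wrapper should apply.

```c
/* Added example of the BadAlloc bug class: integer overflow in the size
   computation that precedes malloc().  Not vendor code; names are ours. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: count * elem_size is computed in size_t and wraps
   silently, so an enormous request turns into a small allocation.  Code
   that then stores count elements into the buffer overruns the heap. */
size_t unchecked_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Same defect in the "request + allocator header" pattern used by many
   heap managers: req + header wraps to a value smaller than req. */
size_t unchecked_padded_size(size_t req, size_t header) {
    return req + header;
}

/* Overflow checks that need no wider integer type. */
int mul_would_overflow(size_t count, size_t elem_size) {
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}
int add_would_overflow(size_t req, size_t header) {
    return req > SIZE_MAX - header;
}

/* Hardened wrapper: refuses the request instead of letting it wrap. */
void *safe_alloc_array(size_t count, size_t elem_size) {
    if (mul_would_overflow(count, elem_size)) return NULL;
    return malloc(count * elem_size);
}

int main(void) {
    /* Constructed input: (SIZE_MAX/4 + 2) * 4 == 2^N + 4, which wraps to 4. */
    size_t count = SIZE_MAX / 4 + 2;
    printf("unchecked size for %zu x 4-byte elements: %zu bytes\n",
           count, unchecked_alloc_size(count, 4));
    /* (SIZE_MAX - 3) + 16 wraps to 12: the header no longer fits either. */
    printf("padded size for SIZE_MAX-3 with 16-byte header: %zu\n",
           unchecked_padded_size(SIZE_MAX - 3, 16));
    void *p = safe_alloc_array(count, 4);
    printf("safe_alloc_array: %s\n", p ? "allocated (bug!)" : "rejected");
    free(p);
    return 0;
}
```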

BadAlloc vulnerabilities could affect a wide range of IoT and OT devices in industrial, medical, and enterprise networks

The Microsoft Security Response Center wrote about the BadAlloc threat in an advisory issued on April 29. “Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash,” they wrote.

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs. According to Microsoft, they potentially affect a wide range of domains, including consumer and medical IoT, Industrial IoT, Operational Technology (OT), and industrial control systems.

Microsoft recommends mitigating controls such as reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet.

Implementing network security monitoring to detect behavioral indicators of compromise is another solution. They also suggest strengthening network segmentation to protect critical assets.

For a full list of affected products and CVEs, please visit the DHS website: ICSA-21-119-04 Multiple RTOS.