A buffer overflow happens when a program writes more data into a fixed-size region of memory than that region can hold. The extra bytes spill into adjacent memory, corrupting whatever was stored there. In languages like C and C++, where arrays carry no bounds information at runtime, a copy that does not check the length of its input is enough to trigger the bug. The CWE database catalogs this as CWE-120, “Buffer Copy without Checking Size of Input,” and notes that classic culprits are functions like strcpy() and gets() that copy data without any length check (cwe.mitre.org/data/definitions/120.html).
The reason buffer overflows are dangerous, rather than merely buggy, is what sits next to a buffer in memory. When a buffer lives on the call stack, the bytes just past its end include the saved return address that tells the CPU where to resume after the current function finishes. An attacker who can overwrite that address can redirect execution to code of their choosing. The canonical explanation is Aleph One’s 1996 Phrack article “Smashing the Stack for Fun and Profit,” which walks step by step through how stack memory is laid out and how an overflow can be turned into arbitrary code execution on Intel x86 Linux (phrack.org/issues/49/14.html).
That article gave the technique its enduring name and made stack smashing common knowledge among both attackers and defenders. The same underlying flaw had already powered the 1988 Morris Worm, which spread in part by overflowing a buffer in the Unix fingerd daemon. Buffer overflows on the heap, not just the stack, can be exploited as well, and the class as a whole remains one of the oldest and most damaging in computing.
Defenses have accumulated in layers rather than as a single fix: bounds-checked library functions, compiler-inserted stack canaries that detect overwritten return addresses, non-executable memory pages, and address space layout randomization that hides where useful code lives. Memory-safe languages avoid the class entirely by checking array bounds. None of these individually closes every avenue, which is why the CWE entry still ranks classic buffer overflow among the most dangerous software weaknesses.
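The unchecked copy described in the first two paragraphs, beside the length-checked form named among the defenses, as an added example that is not part of the original page. The `struct record` layout, its `is_admin` field and all function names are hypothetical; the flag byte stands in for whatever sits next to the buffer, and the input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: a fixed-size buffer with another field directly after it. */
struct record {
    char name[8];
    unsigned char is_admin;   /* stands in for the adjacent memory */
};
_Static_assert(offsetof(struct record, is_admin) == 8, "flag must follow name");

/* CWE-120 pattern: copies until the NUL and never consults sizeof r->name.
   The loop walks the struct's own bytes and is capped at sizeof *r, so in
   this demo the spill lands in is_admin rather than in unrelated memory.
   The caller passes a zeroed record, so a short name stays terminated. */
static void set_name_unchecked(struct record *r, const char *src) {
    unsigned char *dst = (unsigned char *)r;
    for (size_t i = 0; i < sizeof *r && src[i] != '\0'; i++)
        dst[i] = (unsigned char)src[i];
}

/* Hardened form: measure first, reject input that cannot fit with its NUL. */
static int set_name_checked(struct record *r, const char *src) {
    size_t n = 0;
    while (n < sizeof r->name && src[n] != '\0')
        n++;
    if (n == sizeof r->name)
        return -1;            /* too long: refuse instead of truncating */
    memcpy(r->name, src, n + 1);
    return 0;
}

/* Returns the value of is_admin after copying src with the chosen routine. */
static int admin_flag_after(const char *src, int checked) {
    struct record r = {{0}, 0};
    if (checked)
        (void)set_name_checked(&r, src);
    else
        set_name_unchecked(&r, src);
    return r.is_admin;
}

int main(void) {
    const char *input = "AAAAAAAA\x01";   /* constructed: 8 bytes of name + 1 extra */
    printf("unchecked: is_admin=%d\n", admin_flag_after(input, 0));
    printf("checked:   is_admin=%d\n", admin_flag_after(input, 1));
    return 0;
}
```

The checked routine rejects oversized input rather than truncating it, so the caller can tell a stored name from a refused one.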