nerdexam
(ISC)2

CISSP · Question #265

Although code using a specific program language may not be susceptible to a buffer overflow attack,

The correct answer is D. the supporting virtual machine could be susceptible.. Even if a high-level language like Java prevents buffer overflows in application code, the underlying virtual machine (e.g., JVM) that executes the bytecode is typically written in C/C++ and can itself be vulnerable to buffer overflow attacks.

Submitted by kim_seoul· Mar 5, 2026Software Development Security

Question

Although code using a specific program language may not be susceptible to a buffer overflow attack,

Options

  • Amost calls to plug-in programs are susceptible.
  • Bmost supporting application code is susceptible.
  • Cthe graphical images used by the application could be susceptible.
  • Dthe supporting virtual machine could be susceptible.

How the community answered

(39 responses)
  • A
    15% (6)
  • B
    3% (1)
  • C
    5% (2)
  • D
    77% (30)

Why each option

Even if a high-level language like Java prevents buffer overflows in application code, the underlying virtual machine (e.g., JVM) that executes the bytecode is typically written in C/C++ and can itself be vulnerable to buffer overflow attacks.

Amost calls to plug-in programs are susceptible.

Plug-in susceptibility is a separate attack surface concern and is not the primary technical reason why memory-safe language code can still be indirectly vulnerable; the question targets the foundational execution environment.

Bmost supporting application code is susceptible.

While supporting application code could theoretically be vulnerable, this is not the specific and well-established security concern that directly undermines the memory safety guarantees provided by managed languages.

Cthe graphical images used by the application could be susceptible.

Graphical images can be vectors for exploits (e.g., malformed image parsing), but this is an application-layer parsing vulnerability, not the core reason why a memory-safe language's broader execution environment remains at risk.

Dthe supporting virtual machine could be susceptible.Correct

Languages like Java and C# are memory-safe and abstract away direct memory management, making application-level buffer overflows largely impossible. However, the virtual machine (e.g., the JVM or CLR) that interprets or JIT-compiles the bytecode is itself written in native code (typically C/C++), which is susceptible to buffer overflow vulnerabilities. A flaw in the VM's own code can be exploited even though the application layer is safe, meaning the security of the entire stack depends on the VM's integrity.

Concept tested: Buffer overflow risks in virtual machine runtimes

Source: https://owasp.org/www-community/vulnerabilities/Buffer_Overflow

Topics

#Buffer overflow#Software vulnerabilities#Virtual machine security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice