Data Verification Bugs (DVR) Examples
CVE-2014-0160 – Heartbleed Buffer Overflow
Fig 1. BF DVR bug from DVR–MAD–(MUS & MUS) chain of CVE-2014-0160 – Heartbleed Buffer Overflow
Cause: Improper Operation
Source Code: Codebase (
State: Transferred (via network)
Consequence: Improper Data - Inconsistent Value (size)
Heartbleed is a vulnerability due to a bug in OpenSSL that allows a server to read beyond the bounds of a buffer. Using the heartbeat extension of the TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) protocols, a user can send a heartbeat request to a server. The request contains a string and a payload unsigned integer, whose value is expected to be the string size but could be as big as
Fig. 1 presents the BF taxonomy for the Heartbeat DVR bug.
To fix the bug, the OpenSSL team added a value verification for the array size.
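The following C program is an added illustration of the DVR bug and its fix, written for this page; it is not OpenSSL code and not the patch the OpenSSL team shipped. It models a heartbeat record in the RFC 6520 layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), shows how far a parser that trusts the declared length would read past the bytes actually received, and places beside it the value verification that rejects any record whose declared length does not fit inside the record. The two sample records are constructed for the demo, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1-byte type, 2-byte payload length,
   payload bytes, then at least 16 bytes of padding. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Constructed sample records for the demo (not captured traffic). */
static const uint8_t honest_req[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 3 + 5 + 16 = 24 bytes */
static const uint8_t oversized_req[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'i' };                  /* claims 65535 bytes, carries 2 */

static size_t declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The missing verification, made visible: a parser that takes the 16-bit
   length field at face value would copy declared + padding bytes no matter
   how many arrived. This function does NOT perform that copy; it only
   reports how many bytes past the end of the record such a copy would read. */
size_t unchecked_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t needed = HB_HEADER_LEN + declared_len(rec) + HB_MIN_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* The value verification: the declared payload length must fit inside the
   bytes actually received, leaving room for the mandatory padding.
   Returns 1 when the record is internally consistent, 0 otherwise. */
int heartbeat_length_is_valid(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;  /* cannot even hold header + padding */
    return HB_HEADER_LEN + declared_len(rec) + HB_MIN_PADDING <= rec_len;
}

/* Builds a heartbeat response only after the check passes, so the copy can
   never run past the received record. Returns bytes written, or -1 when the
   request is rejected or the output buffer is too small. */
long build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_len) {
    if (!heartbeat_length_is_valid(rec, rec_len)) return -1;
    size_t payload = declared_len(rec);
    size_t total = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (total > out_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);   /* only bytes that arrived */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);    /* zero padding for the demo */
    return (long)total;
}

/* Convenience wrappers so the two outcomes can be checked by name. */
long demo_honest_response_len(void) {
    uint8_t out[64];
    return build_heartbeat_response(honest_req, sizeof honest_req, out, sizeof out);
}

long demo_oversized_response_len(void) {
    uint8_t out[64];
    return build_heartbeat_response(oversized_req, sizeof oversized_req, out, sizeof out);
}

int main(void) {
    printf("honest request: response of %ld bytes\n", demo_honest_response_len());
    printf("oversized request: rejected (%ld); a trusting copy would read %zu bytes past the record\n",
           demo_oversized_response_len(),
           unchecked_overread(oversized_req, sizeof oversized_req));
    return 0;
}
```

The check compares the attacker-controlled length field against the one quantity the server knows for certain, the number of bytes it actually received, which is exactly the inconsistent-value condition the BF consequence line above names. Only after that comparison succeeds does any copy take place.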