Buffer overflow attacks exploit programming weaknesses that let user-supplied input reach working memory beyond the region reserved for it. This allows malicious users to inject executable code through input interfaces intended for other purposes. Languages such as C and C++, which give programs direct access to memory, are particularly susceptible to buffer overflow attacks unless programmers carefully screen and validate all user input.
C and C++ do not automatically perform bounds checking on arrays or other data structures such as strings. These languages also make frequent use of pointers, which let functions reference memory locations directly. As a result, a user can overwrite memory outside the intended bounds by supplying crafted input much larger than the programmer expected the program to receive. In this way, executable code can be placed into what should have been data areas, and that code can later be invoked through careful manipulation of pointers.
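The missing bounds check described above, shown as an added C example that is not part of the original text: an unchecked `strcpy` into a fixed-size field sits next to a bounded copy that refuses input which does not fit. The `account` record, the field size `NAME_LEN`, the function names and the sample inputs are all constructed for illustration; the layout is chosen so that the field directly after the buffer is a flag, which is the "data area" an unchecked write would clobber.

```c
/* Added example (not from the original text): a fixed-size record copy
 * written the unchecked way C permits, next to a bounded version.
 * All names, sizes and sample inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical field size */

/* Record layout chosen so the field right after the buffer is a
 * security-relevant flag: an unchecked write that runs past 'name'
 * lands in 'is_admin'. This is the "data area overwritten" case the
 * text describes. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* Unsafe: strcpy stops at the NUL of 'src', never at the end of 'dst'.
 * Shown only to illustrate the pattern; it must never see untrusted input. */
void set_name_unchecked(struct account *a, const char *src)
{
    strcpy(a->name, src);            /* no bound: overflows if src is long */
}

/* Length of 's' without ever reading more than 'max' bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Safe: reject input that does not fit (including the terminator),
 * copy exactly what was measured, and always NUL-terminate.
 * Returns 0 on success, -1 if the input was refused; 'a' is untouched on -1. */
int set_name_checked(struct account *a, const char *src)
{
    size_t n = bounded_len(src, NAME_LEN);
    if (n >= NAME_LEN)               /* no room for the NUL: refuse */
        return -1;
    memcpy(a->name, src, n);
    a->name[n] = '\0';
    return 0;
}

/* Demonstration: the flag and the existing name must survive an
 * attempted oversized copy. Returns 1 if they do. */
int demo_flag_survives_oversized_input(void)
{
    struct account a = { "guest", 0 };
    /* 40 'A's: would run past name[] with the unchecked copy */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int rc = set_name_checked(&a, oversized);
    return rc == -1 && a.is_admin == 0 && strcmp(a.name, "guest") == 0;
}

int main(void)
{
    struct account a = { "", 0 };
    printf("short input accepted: %d\n", set_name_checked(&a, "alice") == 0);
    printf("name=%s is_admin=%d\n", a.name, a.is_admin);
    printf("flag survives oversized input: %d\n",
           demo_flag_survives_oversized_input());
    return 0;
}
```

The checked version measures before it copies and treats "does not fit" as an error the caller must handle, rather than silently truncating; the rejected input never touches the record, so neither the name nor the adjacent flag changes.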