
Overview

This page provides a comprehensive matrix showing which heap exploitation techniques work with which glibc versions. Understanding technique compatibility is essential for:
  • CTF challenge exploitation
  • Vulnerability assessment
  • Exploit development
  • Security research
Always verify the glibc version of your target before selecting an exploitation technique. A technique used against a version that checks for it does not fail quietly: the process aborts with a malloc() integrity message (for example malloc(): corrupted top size when house_of_force meets glibc 2.29 or later).

Quick Reference Legend

| Symbol | Meaning |
|---|---|
| ✅ | Technique works on this version |
| ❌ | Technique patched / does not work |
| 🟡 | Technique requires modifications |
| 🆕 | Technique introduced in this version |

Complete Technique Compatibility Matrix

Basic Techniques

| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ |
|---|---|---|---|---|---|---|---|---|
| first_fit | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| calc_tcache_idx | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |

first_fit only demonstrates allocator behaviour (reuse of the first free chunk that fits) and works on every version. calc_tcache_idx computes the tcache bin index for a request size, so it requires tcache (glibc 2.26 and later).

Fastbin Attacks

| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ |
|---|---|---|---|---|---|---|---|---|
| fastbin_dup | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| fastbin_dup_into_stack | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| fastbin_dup_consolidate | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| fastbin_reverse_into_tcache | ❌ | ❌ | 🆕 | ✅ | ✅ | ✅ | ✅ | ✅ |

Fastbin attacks remain viable across versions, but from 2.26 onward a freed chunk goes to tcache first: a fastbin is only reached once the tcache bin for that size already holds 7 chunks, so the exploit must fill the tcache before the double free. From 2.32 a forged fd pointer must additionally be mangled for safe-linking.
| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ | Patch |
|---|---|---|---|---|---|---|---|---|---|
| unsafe_unlink | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| overlapping_chunks | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | b90ddd08 |
| overlapping_chunks_2 | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | b90ddd08 |
| mmap_overlapping_chunks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |

Both overlapping_chunks techniques were patched in glibc 2.29 by commit b90ddd08, which added size and next-chunk consistency checks to the unsorted bin scan (malloc(): invalid size (unsorted), malloc(): mismatching next->prev_size (unsorted)), so an overwritten size field of a free chunk is now detected on the next allocation.

House Techniques

| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ | Patch |
|---|---|---|---|---|---|---|---|---|---|
| house_of_spirit | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| house_of_lore | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| house_of_force | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | 30a17d8c |
| house_of_einherjar | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| house_of_orange | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 91e7cf98 |
| house_of_roman | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | b90ddd08 |
| house_of_mind_fastbin | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| house_of_storm | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | - |
| house_of_gods | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | - |
| house_of_io | ❌ | ❌ | ❌ | 🆕 | ✅ | ✅ | ❌ | ❌ | - |

Modern House Techniques (2.26+)

| Technique | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35 | 2.36+ | 2.39+ |
|---|---|---|---|---|---|---|---|---|
| house_of_water | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 🆕 | ✅ |
| house_of_tangerine | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 🆕 |
| house_of_botcake | 🆕 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |

house_of_water and house_of_tangerine are recent techniques developed against current glibc releases, i.e. with safe-linking and the 2.29 size checks already in place; house_of_botcake dates from the first tcache versions and has kept working since.

Tcache Attacks

| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ | Notes |
|---|---|---|---|---|---|---|---|---|---|
| tcache_dup (obsolete) | ❌ | ❌ | 🆕 | ❌ | ❌ | ❌ | ❌ | ❌ | Patched 2.29 |
| tcache_poisoning | ❌ | ❌ | 🆕 | ✅ | 🟡 | 🟡 | 🟡 | 🟡 | Requires heap leak 2.32+ |
| tcache_house_of_spirit | ❌ | ❌ | 🆕 | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| tcache_stashing_unlink_attack | ❌ | ❌ | 🆕 | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| tcache_metadata_poisoning | ❌ | ❌ | 🆕 | ✅ | ✅ | ✅ | ✅ | ✅ | - |
| tcache_relative_write | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | 2.30+ |
tcache_poisoning requires a heap leak starting from glibc 2.32 due to safe-linking protection.

Bin Attacks

| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ | Patch |
|---|---|---|---|---|---|---|---|---|---|
| unsorted_bin_into_stack | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | b90ddd08 |
| unsorted_bin_attack | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | b90ddd08 |
| large_bin_attack | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - |

Special Techniques

| Technique | 2.23 | 2.24 | 2.27 | 2.31 | 2.32 | 2.33 | 2.34 | 2.35+ |
|---|---|---|---|---|---|---|---|---|
| poison_null_byte | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| decrypt_safe_linking | ❌ | ❌ | ❌ | ❌ | 🆕 | ✅ | ✅ | ✅ |
| safe_link_double_protect | ❌ | ❌ | ❌ | ❌ | 🟡 | 🟡 | 🟡 | ✅ |
| sysmalloc_int_free | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |

Version-Specific Adaptations

glibc 2.23 - The “Golden Age”

Why it's popular:
  • Most techniques work without modification
  • Minimal protections
  • Common in older CTF challenges
  • Good for learning fundamentals
Available Techniques:
fastbin_dup, fastbin_dup_into_stack, unsafe_unlink, 
house_of_spirit, poison_null_byte, house_of_lore,
overlapping_chunks, overlapping_chunks_2, house_of_force,
unsorted_bin_into_stack, unsorted_bin_attack, house_of_orange,
house_of_roman, house_of_gods

glibc 2.27 - tcache Era Begins

Major Change:
  • tcache (introduced in 2.26) reaches mainstream targets: Ubuntu 18.04 ships glibc 2.27
  • New attack surface: per-thread singly linked bins with no double-free check and no integrity check on the fd pointer
  • Fastbin behaviour changes: a free lands in tcache first, and fastbins are only reached once the matching tcache bin holds 7 chunks
New Techniques:
tcache_dup (later patched), tcache_poisoning,
tcache_house_of_spirit, tcache_stashing_unlink_attack,
fastbin_reverse_into_tcache, house_of_botcake
Patched:
house_of_gods (< 2.27)

glibc 2.29 - The Great Patching

Major Changes:
  • Comprehensive size consistency checks
  • Many classic techniques patched
Patched Techniques:
overlapping_chunks, overlapping_chunks_2, house_of_force,
unsorted_bin_into_stack, unsorted_bin_attack, house_of_roman,
house_of_storm, tcache_dup
Still Working:
fastbin attacks, tcache attacks, large_bin_attack,
house_of_spirit, house_of_lore, house_of_einherjar,
poison_null_byte, unsafe_unlink

glibc 2.32 - Safe-Linking

Major Change:
  • Pointer obfuscation (safe-linking) of the fd field in tcache and fastbin chunks: the stored value is ptr ^ (address_of_fd >> 12)
  • A heap address leak becomes essential for every technique that forges an fd pointer
Impact:
  • tcache_poisoning now requires a heap leak
  • Blind tcache and fastbin fd poisoning is no longer possible; note that the mangled fd of a bin's only chunk is NULL ^ (addr >> 12), which by itself leaks the chunk's page
  • New techniques needed
New Techniques:
decrypt_safe_linking, safe_link_double_protect
Adaptation Required:
tcache_poisoning (🟡 requires heap leak)
fastbin_dup_into_stack (🟡 the forged fd must be mangled with the heap address; fastbin_dup itself only needs the tcache filled first)
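The mangling behind the 🟡 entries above and behind the tcache_poisoning note in the Tcache Attacks section, as an added worked example (this is not how2heap's decrypt_safe_linking.c and not glibc code; the PROTECT_PTR formula is glibc's, the addresses are constructed). It shows the forward transform an exploit must apply to a forged fd on 2.32+, the reveal that needs a heap leak, the page leak obtainable from a bin holding a single chunk, and the leak-less recovery that only works exactly when the slot and the pointer it stores share a 4 KiB page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* glibc >= 2.32, malloc/malloc.c:
 *   #define PROTECT_PTR(pos, ptr) ((((size_t) pos) >> 12) ^ ((size_t) ptr))
 *   #define REVEAL_PTR(ptr)       PROTECT_PTR (&ptr, ptr)
 * "slot" is the address of the fd field being written, "ptr" the next chunk. */
uint64_t protect_ptr(uint64_t slot, uint64_t ptr) { return (slot >> 12) ^ ptr; }

/* REVEAL_PTR needs the slot address, i.e. a heap leak. */
uint64_t reveal_ptr(uint64_t slot, uint64_t mangled) { return protect_ptr(slot, mangled); }

/* tcache_poisoning on 2.32+: the value written over fd so that a later
 * malloc() returns `target` must be pre-mangled with the slot's page. */
uint64_t forge_fd(uint64_t slot, uint64_t target) { return protect_ptr(slot, target); }

/* The last chunk in a tcache bin stores PROTECT_PTR(slot, NULL) == slot >> 12.
 * Reading that one fd therefore reveals the page the chunk lives in, which is
 * the heap leak the matrix calls "required" from 2.32 on. */
uint64_t page_from_null_fd(uint64_t mangled) { return mangled << 12; }

/* decrypt_safe_linking: recover the plaintext from the mangled fd alone.
 * The key (slot >> 12) has its top 12 bits clear, so the top 12 bits of the
 * ciphertext are plaintext. If slot and plaintext share bits 12..63, each
 * lower 12-bit group of the key equals the plaintext group just above it,
 * so the plaintext can be peeled off 12 bits at a time, top down. */
uint64_t decrypt_without_leak(uint64_t cipher) {
    uint64_t plain = 0, key = 0;
    for (int shift = 52; ; shift -= 12) {
        if (shift < 0) shift = 0;
        plain = ((cipher ^ key) >> shift) << shift;  /* bits [shift, 64) now known */
        key = plain >> 12;                            /* next 12 bits of the key */
        if (shift == 0) break;
    }
    return plain;
}

int main(void) {
    /* Constructed addresses: slot is the fd field of a freed chunk, next is a
     * chunk in the same 4 KiB page, far is a chunk two pages further on. */
    const uint64_t slot = 0x55a4c2f1a2a0ULL;
    const uint64_t next = 0x55a4c2f1a2d0ULL;
    const uint64_t far  = 0x55a4c2f1c2d0ULL;

    uint64_t fd = protect_ptr(slot, next);
    printf("stored fd             : 0x%" PRIx64 "\n", fd);
    printf("reveal with leak      : 0x%" PRIx64 "\n", reveal_ptr(slot, fd));
    printf("decrypt without leak  : 0x%" PRIx64 " (exact: same page)\n",
           decrypt_without_leak(fd));

    uint64_t fd_far = protect_ptr(slot, far);
    printf("decrypt without leak  : 0x%" PRIx64 " vs real 0x%" PRIx64
           " (low bits wrong: other page)\n", decrypt_without_leak(fd_far), far);

    printf("page leak from NULL fd: 0x%" PRIx64 "\n",
           page_from_null_fd(protect_ptr(slot, 0)));
    printf("fd to write for target 0x7ffd12345678: 0x%" PRIx64 "\n",
           forge_fd(slot, 0x7ffd12345678ULL));
    return 0;
}
```

When the stored pointer lies in a different page from the slot, the recovered value is still correct down to the first bit in which the two pages differ, shifted down by 12; in practice this means decrypt_safe_linking yields the heap page reliably and the exact chunk address only for neighbours.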

glibc 2.35+ - Modern Era

Status:
  • The glibc shipped by Ubuntu 22.04, so the most common target in current challenges
  • Many technique PoCs have been updated to run against safe-linking and the 2.34 tcache_key change
  • Good target for modern CTF challenges
Working Techniques:
All fastbin attacks, most tcache attacks, large_bin_attack,
house_of_spirit, house_of_lore, house_of_einherjar,
house_of_mind_fastbin, house_of_botcake, poison_null_byte,
unsafe_unlink, mmap_overlapping_chunks

glibc 2.39+ - Cutting Edge

New Techniques:
house_of_tangerine, sysmalloc_int_free
Status:
  • Actively developed
  • New techniques being researched
  • Some experimental techniques

Practical Selection Guide

For CTF Players

Target Version: glibc 2.23-2.27
Recommended Techniques:
  • fastbin_dup
  • house_of_spirit
  • unsorted_bin_attack (< 2.29)
  • house_of_force (< 2.29)
  • poison_null_byte
Learning Path:
  1. Start with first_fit and basic allocator behavior
  2. Practice fastbin attacks
  3. Try house techniques
  4. Attempt unsorted bin exploitation

Quick Version Check

To check the glibc version a binary will run against:
# Method 1: find the libc the dynamic loader resolves for the binary
ldd ./binary | grep libc

# Method 2: glibc's libc.so.6 is itself executable and prints its release
/lib/x86_64-linux-gnu/libc.so.6
./libc.so.6              # a libc shipped with a challenge

# Method 3: version banner of a libc copy you cannot execute (other architecture)
strings ./libc.so.6 | grep "GNU C Library"

# Method 4: symbol versions the binary imports; only a lower bound, not the exact release
strings ./binary | grep GLIBC_

# checksec reports RELRO/canary/NX/PIE for the binary, not the glibc version
checksec --file=./binary

Testing Technique Compatibility

Test a Technique on Multiple Versions

#!/bin/bash
# Test fastbin_dup across versions

for version in 2.23 2.27 2.31 2.35 2.39; do
  echo "Testing glibc $version"
  H2H_USE_SYSTEM_LIBC=N make v$version
  ./glibc_$version/fastbin_dup
  echo "---"
done

Verify Technique Availability

# Check if a technique exists for a version
ls -la glibc_2.35/ | grep house_of_force  # Won't exist - patched
ls -la glibc_2.23/ | grep house_of_force  # Exists

Notable CTF Challenges by Version

glibc 2.23 Challenges

  • PlaidCTF 2015 - plaiddb (poison_null_byte)
  • Hitcon 2016 - houseoforange (house_of_orange)
  • Hitcon 2016 - SleepyHolder (fastbin_dup_consolidate)
  • Seccon 2016 - tinypad (house_of_einherjar)

glibc 2.27+ Challenges

  • Hitcon 2019 - one punch man (tcache_stashing_unlink_attack)
  • 0ctf 2018 - heapstorm2 (large_bin_attack)
  • 37c3 Potluck 2023 - Tamagoyaki (house_of_water, safe_link_double_protect)
  • PicoCTF 2024 - high frequency troubles (house_of_tangerine)

Summary Table: Major Protection Milestones

| Version | Major Protection | Techniques Patched | New Techniques |
|---|---|---|---|
| 2.26 | tcache, unlink checks | - | tcache attacks |
| 2.27 | No new allocator checks; first tcache glibc in an Ubuntu LTS (18.04) | - | house_of_botcake |
| 2.29 | Size consistency checks, tcache double-free detection (key field) | tcache_dup, 7+ classic techniques | - |
| 2.32 | Safe-linking | Blind tcache attacks | decrypt_safe_linking |
| 2.36+ | Ongoing hardening | - | house_of_water, house_of_tangerine |
