
Techniques by glibc Version

This page organizes all heap exploitation techniques by the glibc versions they work on. As glibc evolves, new security checks and mitigations are added, requiring techniques to be adapted or replaced with new approaches.
glibc is under constant development, and several of these techniques have prompted consistency checks in the malloc/free logic. Such checks regularly break techniques and require adjustments to bypass them (where a bypass is possible at all).

Understanding Version Compatibility

Version Indicators

  • Latest: Works on all current versions (2.35+)
  • >= X.XX: Works on version X.XX and later
  • < X.XX: Only works on versions before X.XX (patched)
  • X.XX - Y.YY: Works only in a specific version range

Structure Convention

The repository uses the directory structure glibc_<version>/technique.c for version-specific implementations.

glibc 2.41 (Latest)

Latest version with all modern mitigations active. Requires advanced techniques to bypass safe-linking, tcache double-free checks, and extensive metadata validation.

Fastbin Techniques

  • fastbin_dup.c
  • fastbin_dup_into_stack.c
  • fastbin_dup_consolidate.c
  • fastbin_reverse_into_tcache.c

Tcache Techniques

  • tcache_poisoning.c (requires heap leak)
  • tcache_house_of_spirit.c
  • tcache_stashing_unlink_attack.c
  • tcache_metadata_poisoning.c
  • tcache_relative_write.c

House Techniques

  • house_of_spirit.c
  • house_of_lore.c
  • house_of_einherjar.c
  • house_of_tangerine.c
  • house_of_water.c
  • house_of_mind_fastbin.c
  • house_of_botcake.c

Advanced Techniques

  • decrypt_safe_linking.c
  • safe_link_double_protect.c
  • sysmalloc_int_free.c
  • unsafe_unlink.c
  • poison_null_byte.c
  • large_bin_attack.c
  • mmap_overlapping_chunks.c
  • overlapping_chunks.c
Key Mitigations Active:
  • Safe-linking: tcache and fastbin fd pointers are mangled with PROTECT_PTR/REVEAL_PTR, so tcache poisoning requires a heap leak
  • Double-free detection in tcache (key field)
  • Extensive size validation
  • Top chunk integrity checks

glibc 2.40

Similar to 2.41 with minor differences in internal implementation. All techniques from 2.41 are available in 2.40. Check the glibc_2.40/ directory for version-specific implementations.

glibc 2.39

New Additions:
  • sysmalloc_int_free.c - frees the top chunk with a nearly arbitrary size by routing it through the _int_free call inside sysmalloc
  • house_of_tangerine.c - modern top chunk exploitation via tcache
All core techniques remain functional with minor adaptations.

glibc 2.36-2.38

Key Features:
  • Full safe-linking implementation
  • Mature tcache with double-free protection
  • house_of_water.c introduced
  • safe_link_double_protect.c available
These versions represent the modern stable state with comprehensive mitigations.

glibc 2.32-2.35

Major Change: Safe-linking Introduced in 2.32

This was a watershed moment in heap exploitation. Safe-linking obfuscates forward pointers in tcache and fastbin freelists: the stored fd is the real pointer XORed with the address of the field holding it, shifted right by 12 (PROTECT_PTR), so forging a freelist pointer now requires knowing that heap address.
New Requirements:
  • tcache_poisoning.c now requires a heap leak
  • decrypt_safe_linking.c introduced to reverse the obfuscation
Still Available:
  • All house techniques
  • Fastbin attacks (with safe-linking bypass)
  • Large bin attack
Not Available:
  • Unsorted bin techniques (patched in 2.29)
Patch Information:

glibc 2.31

Unique Techniques:
  • house_of_io.c (2.31 through 2.33 only)
This version is post-tcache but pre-safe-linking (safe-linking arrives in 2.32), making it a “sweet spot” for many tcache-based attacks.
Available:
  • All tcache techniques without a heap leak requirement
  • tcache_poisoning.c (no heap leak needed)
  • tcache_metadata_poisoning.c
  • All fastbin techniques

glibc 2.29-2.30

Major Patches Applied:
  • Unsorted bin size validation
  • Top chunk size checks
  • Enhanced consistency checking
No Longer Available:
  • house_of_force.c
  • overlapping_chunks.c (original)
  • overlapping_chunks_2.c
  • unsorted_bin_into_stack.c
  • unsorted_bin_attack.c
  • house_of_roman.c
  • house_of_storm.c
Patch: size validation commit
Still Available:
  • All tcache techniques
  • Fastbin techniques
  • large_bin_attack.c
  • Most house techniques
New in 2.30:
  • tcache_relative_write.c

glibc 2.26-2.28

Major Addition: Tcache Introduced in 2.26

This was the birth of thread-local caching, opening up an entirely new attack surface.
Golden Era Techniques:
  • tcache_dup.c (2.26-2.28 only, before the 2.29 double-free key check)
  • tcache_poisoning.c (no heap leak needed)
  • tcache_house_of_spirit.c
  • house_of_botcake.c
  • tcache_stashing_unlink_attack.c
  • fastbin_reverse_into_tcache.c
house_of_orange Patched in 2.26:
  • abort() implementation changed
  • Technique no longer works
  • Patch commit
Version 2.27 Specifics:
  • house_of_gods.c stops working (last version: 2.26)
Version 2.28 Patch:

glibc 2.23-2.25

Classic Era: No tcache, pure fastbin/smallbin/largebin exploitation

Available Techniques

  • fastbin_dup.c
  • fastbin_dup_into_stack.c
  • fastbin_dup_consolidate.c
  • unsafe_unlink.c
  • house_of_spirit.c
  • poison_null_byte.c
  • house_of_lore.c
  • overlapping_chunks.c (original version)
  • overlapping_chunks_2.c
  • house_of_force.c
  • unsorted_bin_into_stack.c
  • unsorted_bin_attack.c
  • large_bin_attack.c
  • house_of_einherjar.c
  • house_of_orange.c (up to 2.25)
  • house_of_roman.c
  • house_of_gods.c (2.24-2.26)
Notable CTF Usage:
  • Many classic CTF challenges from 2014-2016 target these versions
  • HITCON CTF 2014-stkof (unsafe_unlink)
  • PlaidCTF 2015-plaiddb (poison_null_byte)
  • Hitcon 2016 houseoforange (house_of_orange)
  • Hitcon 2016 SleepyHolder (fastbin_dup_consolidate)
Version 2.23 Specific:
  • Most stable for classic techniques
  • Widely used in CTFs
  • Good learning version

Migration Guide

From 2.23 to 2.26+ (Tcache Introduction)

1. Understand the Tcache

Learn how thread-local caching changes allocation behavior:
  • Small allocations now go to tcache first
  • Tcache has a simpler structure and fewer checks than fastbins
  • New attack surface with tcache metadata

2. Adapt Fastbin Techniques

Many fastbin attacks now interact with tcache:
  • Use fastbin_reverse_into_tcache.c patterns
  • The tcache bin for a size (7 entries by default) must be filled before frees reach the fastbin
  • Consider tcache_poisoning.c as an alternative

3. Leverage New Primitives

Take advantage of tcache-specific attacks:
  • tcache_house_of_spirit.c
  • house_of_botcake.c
  • tcache_stashing_unlink_attack.c
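The routing rules from steps 1 and 2, as an added toy model in C. This is not how2heap code and not glibc source; the chunk layout, the single size class and the abort flag are simplifying assumptions. It shows the three behaviours the migration depends on: frees fill a tcache bin to 7 entries before anything reaches the fastbin, a fastbin malloc stashes the remaining fastbin chunks back into tcache (what fastbin_reverse_into_tcache.c abuses), and the 2.29 key field turns the tcache_dup double free into an abort.

```c
/* Toy model of glibc's tcache/fastbin routing for one size class.
 * Added example: not how2heap code and not glibc source. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_COUNT 7   /* glibc's default fill count per tcache bin */
#define NCHUNKS 16

/* Fake chunk: fd is the singly linked freelist pointer; key marks tcache
   ownership (glibc >= 2.29 stores the tcache_perthread_struct pointer). */
typedef struct chunk {
    struct chunk *fd;
    void *key;
} chunk_t;

typedef struct {
    chunk_t pool[NCHUNKS];   /* constructed heap holding one size class */
    chunk_t *tcache_head;    /* tcache bin, LIFO */
    int tcache_count;
    chunk_t *fastbin_head;   /* fastbin, LIFO */
    bool key_check;          /* true models the glibc >= 2.29 double-free check */
    bool aborted;            /* set where glibc would call malloc_printerr() */
} heap_t;

static void heap_init(heap_t *h, bool key_check) {
    memset(h, 0, sizeof *h);
    h->key_check = key_check;
}

static void tcache_put(heap_t *h, chunk_t *c) {
    c->fd = h->tcache_head;
    c->key = h;
    h->tcache_head = c;
    h->tcache_count++;
}

/* free(): into tcache while the bin has room, otherwise into the fastbin. */
static void model_free(heap_t *h, chunk_t *c) {
    if (h->aborted) return;
    if (h->tcache_count < TCACHE_COUNT) {
        /* 2.29+: a chunk whose key says "already in tcache" is searched for in
           the bin; a hit is "free(): double free detected in tcache 2". */
        if (h->key_check && c->key == h)
            for (chunk_t *e = h->tcache_head; e; e = e->fd)
                if (e == c) { h->aborted = true; return; }
        tcache_put(h, c);
        return;
    }
    /* The fastbin keeps only the classic "top of bin is this chunk" check. */
    if (h->fastbin_head == c) { h->aborted = true; return; }
    c->fd = h->fastbin_head;
    h->fastbin_head = c;
}

/* malloc(): tcache first; then the fastbin head, stashing the remaining
   fastbin chunks into tcache while it has room. */
static chunk_t *model_malloc(heap_t *h) {
    if (h->aborted) return NULL;
    if (h->tcache_head) {
        chunk_t *c = h->tcache_head;
        h->tcache_head = c->fd;
        h->tcache_count--;
        c->key = NULL;
        return c;
    }
    chunk_t *victim = h->fastbin_head;
    if (!victim) return NULL;
    h->fastbin_head = victim->fd;
    while (h->fastbin_head && h->tcache_count < TCACHE_COUNT) {
        chunk_t *tc = h->fastbin_head;
        h->fastbin_head = tc->fd;
        tcache_put(h, tc);
    }
    return victim;
}

/* Ten frees of one size: 7 land in tcache, 3 in the fastbin. After the tcache
   is drained, the next malloc takes the fastbin head and stashes the other two.
   Returns the tcache count afterwards (2), or a negative code on surprise. */
static int scenario_stash(void) {
    heap_t h; heap_init(&h, true);
    for (int i = 0; i < 10; i++) model_free(&h, &h.pool[i]);
    if (h.tcache_count != 7) return -1;
    for (int i = 0; i < 7; i++) model_malloc(&h);
    if (model_malloc(&h) != &h.pool[9]) return -2;   /* LIFO: last fastbin free */
    return h.tcache_count;
}

/* tcache_dup: free the same chunk twice while it sits in tcache. Returns 1 if
   malloc then hands it out twice (2.26-2.28), 0 if the key check aborts (2.29+). */
static int scenario_tcache_dup(bool key_check) {
    heap_t h; heap_init(&h, key_check);
    chunk_t *a = &h.pool[0];
    model_free(&h, a);
    model_free(&h, a);
    if (h.aborted) return 0;
    return model_malloc(&h) == a && model_malloc(&h) == a;
}

int main(void) {
    printf("stash leaves %d chunks in tcache\n", scenario_stash());
    printf("tcache_dup on 2.26-2.28: %d, on 2.29+: %d\n",
           scenario_tcache_dup(false), scenario_tcache_dup(true));
    return 0;
}
```

The model deliberately omits size checks and the unsorted/small/large bins; its point is the ordering: seven frees are absorbed by tcache before a fastbin technique can start, and a fastbin malloc refills the tcache behind your back.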

From 2.31 to 2.32+ (Safe-linking Introduction)

1. Obtain a Heap Leak

Safe-linking needs the address at which a pointer is stored in order to undo the mangling:
  • Forward pointers are XORed with the address of the field holding them, shifted right by 12 (PROTECT_PTR)
  • tcache_poisoning.c therefore needs a heap leak (the page of the chunk being poisoned is enough)
  • Study decrypt_safe_linking.c

2. Use Leakless Techniques

Alternative approaches that don’t require deobfuscation:
  • safe_link_double_protect.c
  • house_of_water.c
  • Metadata-based attacks

3. Adapt Existing Exploits

Modify techniques to account for safe-linking:
  • Include a heap leak primitive
  • Understand the PROTECT_PTR and REVEAL_PTR macros
  • Keep poisoned targets 16-byte aligned: tcache_get rejects an unaligned revealed pointer
  • Consider the double-protection bypass (safe_link_double_protect.c)
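The arithmetic behind steps 1 and 3, as an added C example (not how2heap's decrypt_safe_linking.c and not glibc source; the addresses are constructed, and forge_tcache_fd is a hypothetical helper name). It implements PROTECT_PTR/REVEAL_PTR, the leak-free recovery of a mangled fd when the storing chunk and the target share a page, and what happens to that recovery when they do not.

```c
/* Safe-linking arithmetic of glibc >= 2.32 and the leak-free recovery trick.
 * Added example with constructed addresses; not glibc or how2heap code. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* glibc: PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr, where pos
   is the address of the fd field that stores the pointer. REVEAL_PTR is the
   same XOR applied again. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr) { return (pos >> 12) ^ ptr; }
static uint64_t reveal_ptr(uint64_t pos, uint64_t ptr)  { return (pos >> 12) ^ ptr; }

/* Recover a pointer from its mangled value alone. The top 12 bits of the
   mangled value are the top 12 bits of the pointer (pos >> 12 is zero there);
   each recovered 12-bit group then serves as the key for the next one, using
   the pointer's own bits in place of pos. Exact when pos and ptr lie in the
   same 4 KiB page; otherwise only bits above the first differing group are right. */
static uint64_t decrypt_safe_linking(uint64_t cipher) {
    uint64_t key = 0, plain = 0;
    for (int i = 1; i <= 6; i++) {
        int shift = 64 - 12 * i;
        if (shift < 0) shift = 0;
        plain = ((cipher ^ key) >> shift) << shift;  /* one more 12-bit group */
        key = plain >> 12;
    }
    return plain;
}

/* Value to write into a freed chunk's fd (at fd_addr) so tcache_get returns
   target. Returns 0 if target would trip the 2.32+ alignment check
   ("malloc(): unaligned tcache chunk detected"). Hypothetical helper. */
static uint64_t forge_tcache_fd(uint64_t fd_addr, uint64_t target) {
    if (target & 0xf) return 0;
    return protect_ptr(fd_addr, target);
}

int main(void) {
    /* Constructed heap addresses: fd field of chunk A and two targets. */
    uint64_t fd_addr   = 0x55d2c3f1a2a0ULL;
    uint64_t same_page = 0x55d2c3f1a6c0ULL;
    uint64_t next_page = 0x55d2c3f1b6c0ULL;

    uint64_t c1 = protect_ptr(fd_addr, same_page);
    uint64_t c2 = protect_ptr(fd_addr, next_page);
    printf("mangled %" PRIx64 " -> %" PRIx64 " (same page, exact)\n",
           c1, decrypt_safe_linking(c1));
    printf("mangled %" PRIx64 " -> %" PRIx64 " (next page, low 12 bits wrong)\n",
           c2, decrypt_safe_linking(c2));
    printf("with the leak: %" PRIx64 "\n", reveal_ptr(fd_addr, c2));
    printf("forged fd for 0x7ffd12345600: %" PRIx64 "\n",
           forge_tcache_fd(fd_addr, 0x7ffd12345600ULL));
    return 0;
}
```

Two practical consequences: a leak of any pointer into the same page as the poisoned chunk is enough to compute fd_addr >> 12, and the target you point the fd at must be 16-byte aligned or tcache_get aborts before you get it back.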

From Pre-2.29 to 2.29+ (Size Validation Patch)

1. Identify Broken Techniques

These no longer work after 2.29:
  • house_of_force.c
  • overlapping_chunks.c (original)
  • unsorted_bin_into_stack.c
  • unsorted_bin_attack.c
  • house_of_roman.c

2. Find Alternatives

Replace with modern equivalents:
  • house_of_force → house_of_tangerine
  • unsorted_bin attacks → tcache or large_bin_attack
  • overlapping_chunks → mmap_overlapping_chunks or house_of_botcake

3. Focus on Tcache

Modern exploitation heavily relies on tcache:
  • More lenient checks than bins
  • Rich attack surface
  • Multiple bypass techniques available
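Why house_of_force heads the list in step 1, as an added C model (not how2heap's house_of_force.c and not glibc source; the arena fields, addresses and helper names are constructed). It carries the top-chunk arithmetic through: with the top size overwritten to -1, one wrapped request moves top to just below an arbitrary target, and the next allocation returns the target; the 2.29 "corrupted top size" check rejects the oversized top before any of that happens.

```c
/* Model of the top-chunk arithmetic behind house_of_force and of the glibc
 * 2.29 top-size check that broke it. Added example; constructed addresses. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ 8
#define MIN_CHUNK 0x20

typedef struct {
    uint64_t top;         /* address of the top chunk */
    uint64_t top_size;    /* its size field (what the overflow corrupts) */
    uint64_t system_mem;  /* av->system_mem */
    bool size_check;      /* true models glibc >= 2.29 */
} arena_t;

/* Carve nbytes from the top chunk. Returns the user pointer, or 0 where the
   model would abort. The 2.29 check is
   `if (size > av->system_mem) malloc_printerr ("malloc(): corrupted top size")`. */
static uint64_t top_alloc(arena_t *av, uint64_t nbytes) {
    uint64_t nb = (nbytes + SIZE_SZ + 0xf) & ~0xfULL;   /* request2size, simplified */
    if (nb < MIN_CHUNK) nb = MIN_CHUNK;
    uint64_t size = av->top_size & ~0x7ULL;
    if (av->size_check && size > av->system_mem) return 0;
    if (size < nb + MIN_CHUNK) return 0;   /* real glibc would call sysmalloc */
    uint64_t victim = av->top;
    av->top = victim + nb;                 /* unsigned wrap is the whole trick */
    av->top_size = size - nb;
    return victim + 2 * SIZE_SZ;
}

/* House of Force: overwrite top size with -1, then request exactly enough
   (mod 2^64) to park top at target - 2*SIZE_SZ; the next malloc returns target. */
static uint64_t house_of_force(arena_t *av, uint64_t target) {
    av->top_size = ~0ULL;
    uint64_t evil_req = target - 2 * SIZE_SZ - av->top - SIZE_SZ;  /* wraps */
    if (!top_alloc(av, evil_req)) return 0;
    return top_alloc(av, 0x18);
}

/* Constructed arena: heap at 0x555555559000, target a writable global below it. */
static uint64_t house_of_force_demo(bool size_check) {
    arena_t av = { .top = 0x5555555592a0ULL, .top_size = 0x20d61ULL,
                   .system_mem = 0x21000ULL, .size_check = size_check };
    top_alloc(&av, 0x18);                  /* an ordinary allocation first */
    return house_of_force(&av, 0x555555558050ULL);
}

int main(void) {
    printf("glibc < 2.29: malloc returns 0x%" PRIx64 "\n", house_of_force_demo(false));
    printf("glibc >= 2.29: malloc returns 0x%" PRIx64 " (aborted)\n", house_of_force_demo(true));
    return 0;
}
```

The check is cheap because a legitimate top chunk can never exceed the arena's system_mem; anything larger is attacker-controlled, which is why the replacement techniques (house_of_tangerine, sysmalloc_int_free) keep the top size plausible and abuse what happens to the old top instead.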

Version-Specific Testing

Quick Setup (System Libc)

make clean base
./malloc_playground

Version-Specific Compilation

# Link against specific glibc version
H2H_USE_SYSTEM_LIBC=N make v2.23

# Or use Docker for isolated testing
make base
./glibc_run.sh 2.30 ./malloc_playground -d -p

Check Your Environment

# Verify glibc version
ldd --version

# Check binary's libc
readelf -d -W ./binary | grep RUNPATH
readelf -l -W ./binary | grep interpreter

# Debug with correct symbols
gdb -q -ex "start" ./binary

Key Patches Timeline

Version | Patch | Impact
2.26 | abort() no longer flushes stdio streams | house_of_orange broken
2.29 | Tcache double-free check (key field) | tcache_dup broken
2.29 | Size validation (unsorted bin, top chunk) | Many bin attacks broken
2.32 | Safe-linking | Tcache/fastbin poisoning requires heap leak

Compatibility Matrix

This matrix shows which technique categories work on which version ranges. Individual techniques may have more specific requirements.
Category | 2.23-2.25 | 2.26-2.28 | 2.29-2.31 | 2.32-2.35 | 2.36+
Fastbin | ✅ | ✅ | ✅ | ✅ (leak) | ✅ (leak)
Tcache | ❌ (no tcache) | ✅ | ✅ | ✅ (leak) | ✅ (leak)
Unsorted Bin | ✅ | ✅ | ❌ | ❌ | ❌
Large Bin | ✅ | ✅ | ✅ | ✅ | ✅
Top Chunk | ✅ | ✅ | ❌ | ❌ | ❌
Overlapping | ✅ | ✅ | ❌ | Alternative | Alternative
House of Spirit | ✅ | ✅ | ✅ | ✅ | ✅
House of Lore | ✅ | ✅ | ✅ | ✅ | ✅
House of Orange | ✅ | ❌ | ❌ | ❌ | ❌
Legend:
  • ✅ Works
  • ❌ Patched/Broken
  • ✅ (leak) Requires heap leak
  • Alternative: Different technique required

Next Steps

All Techniques

Browse complete technique catalog

Glossary

Learn heap exploitation terminology

Setup Guide

Configure multi-version testing environment

Heap Basics

Understand heap internals
