Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Exploit Mitigation

Training Camp • Cybersecurity Glossary

What is Exploit Mitigation?

OS- and compiler-level defenses like ASLR, DEP/NX, stack canaries, and CFI that make vulnerabilities harder to exploit even when bugs exist.

Glossary > Application & API Security > Exploit Mitigation

Exploit Mitigation — OS- and compiler-level defenses like ASLR

Understanding Exploit Mitigation

Exploit mitigation refers to defensive techniques built into operating systems, compilers, and hardware that make it harder for attackers to successfully exploit software vulnerabilities. Rather than fixing individual bugs, mitigations raise the cost and reduce the reliability of exploitation, so that even when a flaw like a buffer overflow exists, turning it into working code execution becomes difficult or unstable.

Key mitigations work by disrupting the assumptions exploits rely on. Address Space Layout Randomization (ASLR) randomizes memory locations so attackers cannot predict addresses. Data Execution Prevention (DEP/NX) marks memory regions non-executable, blocking code injected into the stack or heap. Stack canaries (stack cookies) place a guard value before the return address to detect overflows before a function returns. Control-Flow Integrity (CFI) restricts indirect jumps and calls to valid targets, defeating return-oriented programming. These are layered, since defeating one often requires bypassing the others.

Exploit mitigation matters because software will always contain undiscovered vulnerabilities, and patching is never instantaneous. Mitigations provide defense in depth that protects systems during the window before a fix exists, including against zero-days. They shift the economics of attack: an exploit that once took hours now may require chaining an information-leak vulnerability to defeat ASLR plus a separate technique to bypass CFI, dramatically increasing attacker effort and lowering exploit reliability.

For example, a program has a stack buffer overflow. Without mitigations, an attacker overwrites the return address to point at injected shellcode and gains control. With DEP, the injected code on the stack cannot execute; with a stack canary, the overflow is detected and the program aborts before returning; and with ASLR, the attacker cannot even predict where useful code resides. To succeed, the attacker would now need an additional memory-disclosure bug and a ROP chain, a far higher bar that often makes exploitation impractical.

Learn More About Exploit Mitigation:

Ready to Get Certified?

Exploit Mitigation is one of the topics you'll master in the CEH Boot Camp.

CEH Boot Camp →