https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848
--- Comment #19 from Aaron Ballman <aaron at aaronballman dot com> ---
(In reply to Andrew Pinski from comment #18)
> (In reply to Aaron Ballman from comment #17)
> > In the time since I opened this request, a new CVE related to VLAs came out:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-4039
>
> Everything is a security risk. Seriously it is. Everything can and will be
> abused; that does not mean it is always right to warn about it. Also
> -fstack-protector should never be a CVE. CVEs will get to the point where
> they will be ignored because of how they are now pointing out non-security
> issues.

My point is that this was a case where the developer used the language feature and tried to do what they could to protect against security issues and still ran into the security issue which resulted in a CVE. That's pretty different from "everything can be abused". (I wasn't suggesting there's an issue with using -fstack-protector or that it's a security issue itself.)