Maybe this is beating a dead horse but I can’t help it. I just ran across @pwnallthethings‘ breakdown of the exploits used at last month’s Pwn2Own contest:

1. Google Chrome to SYSTEM (360Vulcan)
   • 2x UAF in Flash -> browser
   • Out-of-bounds in Chrome -> broker (duplicate)
   • Kernel out-of-bounds -> SYSTEM
2. Adobe Flash to SYSTEM (360Vulcan)
   • Flash type confusion -> browswer
   • Windows kernel UAF -> SYSTEM
3. Google Chrome (lokihardt)
   • Unknown—exploit failed
4. Microsoft Edge to SYSTEM (lokihardt)
   • Uninitialized stack var -> browser
   • Dir traversal -> SYSTEM
5. Apple Safari to root (lokihardt)
   • UAF in Safari -> browser
   • Two undisclosed vulns (presumably one KASLR)
   • Heap overflow -> root
6. Apple Safari to root (Tencent Security Team Shield)
   • UAF in Safari -> browser
   • UAF in daemon -> root
7. Adobe Flash to SYSTEM (Tencent Security Team Shield)
   • Unknown—exploit failed
8. Microsoft Edge to SYSTEM (Tencent Security Team Sniper)
   • Out-of-bounds in Edge -> browser
   • Kernal heap overflow -> SYSTEM
9. Adobe Flash to SYSTEM (Tencent Security Team Sniper)
   • Out-of-bounds in Flash -> browser
   • +KASLR in Windows
   • Windows UAF -> SYSTEM
10. Apple Safari with root (Tencent Security Team Sniper)
    • UAF in Safari -> browser
    • Out-of-bounds in OSX kernel -> root
11. Adobe Flash to SYSTEM (Tencent Xuanwu Lab)
    • Unknown—exploit failed

UAF (use-after-free), overflow, out-of-bounds, and type confusion are memory corruption bugs. The uninitialized stack var is probably a memory corruption bug. That’s the great majority of the bugs (there are only two KASLR bugs, which are usually information leaks and not memory corruptions.)

In short, when you offer a large cash reward to any hacker who can exploit your software and achieve root, their go-to bugs are memory corruption bugs in C/C++ code.