"BadAlloc" is our code name for a class of integer-overflow related security issues found in popular memory allocators' core functions such as malloc and calloc. BadAlloc vulnerabilities affect 17 different widely used real time operating systems (i.e., VxWorks, FreeRTOS, eCos), standard C libraries (i.e., newlib, uClibc, Linux klibc), IoT device SDKs (i.e., Google Cloud IoT SDK, Texas Instruments SimpleLink SDK) and other self-memory management applications (i.e., Redis). Some of these vulnerabilities go as far back as the early 90's and all of them collectively impact millions of devices worldwide, mainly IoT and embedded devices as this was our focus.In this talk, we'll present some of the most interesting findings and discuss how we found them. We'll do a quick root-cause analysis for each of the selected cases and show, in high depth technical level, how this specific kind of vulnerability could be leveraged to a full-blown remote code execution exploit on affected systems. We'll discuss possible mitigation techniques and propose a method to check whether your application is affected by BadAlloc or similar vulnerability. Finally, a demo of a working RCE exploit will be presented.