The vulnerability exists due to improper accounting of buffer size during allocation, which may result in a buffer that is larger or smaller than needed. A buffer that is too small may lead to arbitrary code execution or exposure of sensitive data.
The weakness is introduced during the Implementation stage.
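The following C sketch is an added illustration, not code from the original page. It shows one common form of the size miscalculation described above (an unchecked multiplication that wraps) beside a checked calculation. The `record` type and the function names `naive_bytes`, `checked_bytes` and `copy_records` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type, used only in this example. */
struct record { uint32_t id; char name[28]; };

/* Flawed sizing: the multiplication wraps silently for large counts, so the
 * result can be far smaller than the data the caller goes on to copy. */
static size_t naive_bytes(size_t count)
{
    return count * sizeof(struct record);
}

/* Checked sizing: stores header + count * elem_size in *out and returns 0,
 * or returns -1 when that total does not fit in size_t. */
static int checked_bytes(size_t header, size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > (SIZE_MAX - header) / elem_size)
        return -1;
    *out = header + count * elem_size;
    return 0;
}

/* Copies `count` records into a fresh buffer; NULL on size overflow or OOM. */
static struct record *copy_records(const struct record *src, size_t count)
{
    size_t bytes;
    if (checked_bytes(0, count, sizeof *src, &bytes) != 0)
        return NULL;
    struct record *dst = malloc(bytes ? bytes : 1);
    if (dst != NULL && bytes != 0)
        memcpy(dst, src, bytes);
    return dst;
}

int main(void)
{
    /* Constructed count: just large enough that count * 32 wraps past SIZE_MAX. */
    size_t huge = SIZE_MAX / sizeof(struct record) + 2;
    size_t bytes = 0;
    int rejected = checked_bytes(0, huge, sizeof(struct record), &bytes) != 0;
    struct record *r = copy_records(NULL, huge);
    return (naive_bytes(huge) == sizeof(struct record) && rejected && r == NULL) ? 0 : 1;
}
```

With the constructed count, the unchecked calculation yields a size of one record, while the checked path refuses the allocation before any copy takes place.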