Vulnerability Type Distributions in CVE
"If 'smashing the stack'-style buffer overflows were the first wave of serious exploitable problems, and heap overflows were the second wave, integer overflows are the third wave," says Thomas Ptacek, a researcher with Matasano Security. "Developers have gotten more careful about the first two problems, so auditors moved on." ... Numbers can be used to allocate memory, so an integer overflow can make a buffer overflow attack possible, says Steve Christey, CVE editor and principal information security engineer at Mitre.
Read the darkreading story and the original report at Mitre.
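The allocation-size problem Christey describes, as an added C example that is not taken from the darkreading story or the Mitre report: an unchecked 32-bit size calculation wraps to a tiny value, next to a checked version that rejects the request. The function names and the sample count are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size arithmetic in 32 bits: count * elem_size wraps modulo 2^32,
   so a huge record count can yield a very small byte count. */
static uint32_t alloc_size_unchecked(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked size arithmetic: returns 0 and stores the product in *out,
   or returns -1 if the product does not fit in 32 bits. */
static int alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Hardened allocator: refuses requests whose size would wrap or be zero,
   so later writes of `count` records cannot run past a short buffer. */
static void *alloc_records(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (alloc_size_checked(count, elem_size, &bytes) != 0 || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed sample: a record count as it might arrive in a file header. */
    uint32_t count = 0x40000001u;
    uint32_t elem_size = 4;
    uint32_t bytes = 0;

    printf("unchecked size: %u bytes for %u records\n",
           (unsigned)alloc_size_unchecked(count, elem_size), (unsigned)count);

    if (alloc_size_checked(count, elem_size, &bytes) != 0)
        printf("checked size: request rejected (overflow)\n");

    void *p = alloc_records(16, elem_size); /* ordinary request still works */
    printf("small request: %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```

In code that can use it, `calloc(count, elem_size)` gives the same protection, since it must fail when the product of its arguments cannot be represented.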
2 Comments:
Hi,
Thanks, Araz, for adding my link to your weblog.
--Hessam.
Good luck, dear Hessam.