Here’s an example of something that happens a lot:

Let’s say your program needs a username. You make that username a maximum of 50 characters long, so you save a spot in memory 50 bytes long for it.

But oh no there is one place in the app where it asks for a username but forgot to check how long the username the user gives you is.

If your user gives you a username longer than 50 characters it can’t fit in the memory you put aside for it, so it goes past that and overwrites other parts of memory. Maybe those parts of memory are parts of your program’s code!

This small error means a hacker just has to send your program a long username and they can rewrite parts of your program’s code, meaning they can do anything including making the program grant the hacker access to your system.