https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848
--- Comment #25 from Martin Uecker <muecker at gwdg dot de> --- I agree that they are not idiomatic C++ and that there exist good reasons why a programmer may want to avoid them (including standards compliance). But code not being idiomatic is not a terrible good reason for having a warning. As a matter of principle, we should not warn about our own extensions without a very good reason with -std=gnu modes and neither should clang IMHO. But the idea that VLAs are inherently very dangerous is incorrect, so let's not perpetuate that myth. There are many useful things a compiler could do to improve security for VLAs and also for std::vector or elsewhere by having better static analysis and more efficient options for bounds checking. Neither clang nor GCC will currently give any compile-time warning about a problem here with -Wall -Wextra nor will there be a run-error with UBSan: https://godbolt.org/z/7vhGMn3E5 And yes, -D_GLIBXX_DEBUG which will detect the out-of-bounds access but not the memset. Maybe -D_FORTIFY_SOURCE=3 will do this (as it does for VLAs), but it does not seem to work on godbolt for both cases, so I can't check. Asan will catch both. For comparison, with VLAs we have this: https://godbolt.org/z/hGxGrc569