This is an old version of the document!


NX Bit

The memory of a process is divided into different segments. Roughly speaking, memory regions are distinguished by whether they contain data or executable code. Memory pages which are intended to store data are labeled with the No-eXecute (NX) bit. In case an application tries to execute code located in such a page, an error is raised.

This mechanism prevents primitive buffer overflow attacks that inject custom shellcode, but it does not defend against ROP attacks. Note that once an attacker is able to execute code via ROP, the mprotect() function can be used to disable the protection of arbitrary memory regions.
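The page permissions described above can be observed from inside a process. The following is an added example, not part of the original page: it assumes Linux with `/proc/self/maps` available, and the helper names `region_perms` and `is_writable_and_executable` are hypothetical. It shows that a data page is mapped without the execute permission, how an mprotect() call changes that, and how to audit for mappings that are writable and executable at the same time.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Find the mapping containing addr in /proc/self/maps and copy its permission
 * field (e.g. "rw-p") into perms. Returns 0 on success, -1 if not found. */
int region_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[1024], p[5];
    unsigned long start, end, a = (unsigned long)(uintptr_t)addr;
    int rc = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        /* Each entry starts with "start-end perms ..."; skip anything else. */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, p) == 3 &&
            a >= start && a < end) {
            memcpy(perms, p, sizeof p);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* W^X audit: a mapping that is writable and executable at once bypasses NX. */
int is_writable_and_executable(const char perms[5])
{
    return perms[1] == 'w' && perms[2] == 'x';
}

int main(void)
{
    char before[5], after[5];
    long sz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED || region_perms(page, before) != 0)
        return 1;
    if (mprotect(page, sz, PROT_READ | PROT_EXEC) != 0 || region_perms(page, after) != 0)
        return 1;
    printf("data page: %s, after mprotect: %s\n", before, after);
    return is_writable_and_executable(before) || is_writable_and_executable(after);
}
```

Switching the page from writable to executable, rather than adding execute on top of write, keeps the mapping W^X-clean; monitoring mprotect() calls that request `PROT_EXEC` on previously writable memory is a common detection point.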


