Common Weakness Enumeration

CWE-843

Allowed

Access of Resource Using Incompatible Type ('Type Confusion')

Abstraction: Base · Status: Incomplete

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

1041 vulnerabilities reference this CWE, most recent first.

GHSA-WQXM-QP29-HP7C

Vulnerability from github – Published: 2023-01-28 00:30 – Updated: 2023-02-06 15:30
VLAI
Details

In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-27T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Gitlab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash.",
  "id": "GHSA-wqxm-qp29-hp7c",
  "modified": "2023-02-06T15:30:22Z",
  "published": "2023-01-28T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4205"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4205.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/374082"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRC3-47R8-P9QM

Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ACPI: sysfs: validate return type of _STR method

Only buffer objects are valid return values of _STR.

If something else is returned description_show() will access invalid memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T13:15:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: sysfs: validate return type of _STR method\n\nOnly buffer objects are valid return values of _STR.\n\nIf something else is returned description_show() will access invalid\nmemory.",
  "id": "GHSA-wrc3-47r8-p9qm",
  "modified": "2025-11-04T00:31:39Z",
  "published": "2024-10-21T15:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49860"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0cdfb9178a3bba843c95c2117c82c15f1a64b9ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2364b6af90c6b6d8a4783e0d3481ca80af699554"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b081991c4363e072e1748efed0bbec8a77daba5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bb1e7d027413835b086aed35bc3f0713bc0f72b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c8d007c14aefc3f2ddf71e4c40713733dc827be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92fd5209fc014405f63a7db79802ca4b01dc0c05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0921ecd4ddc14646bb5511f49db4d7d3b0829f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f51e5a88f2e7224858b261546cf6b3037dfb1323"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f51f711d36e61fbb87c67b524fd200e05172668d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRMG-WV9P-R52J

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-28 00:00
VLAI
Details

Type confusion in V8 in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in V8 in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-wrmg-wv9p-r52j",
  "modified": "2022-07-28T00:00:49Z",
  "published": "2022-07-26T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1314"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1304658"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1314"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRQP-3QP3-GQCJ

Vulnerability from github – Published: 2026-07-03 21:31 – Updated: 2026-07-03 21:31
VLAI
Details

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T21:17:03Z",
    "severity": "HIGH"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-wrqp-3qp3-gqcj",
  "modified": "2026-07-03T21:31:40Z",
  "published": "2026-07-03T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58290"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58290"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WV7W-FGMW-6VG2

Vulnerability from github – Published: 2025-05-13 00:31 – Updated: 2025-11-03 21:33
VLAI
Details

A type confusion issue was addressed with improved state handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T22:15:21Z",
    "severity": "MODERATE"
  },
  "details": "A type confusion issue was addressed with improved state handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.",
  "id": "GHSA-wv7w-fgmw-6vg2",
  "modified": "2025-11-03T21:33:49Z",
  "published": "2025-05-13T00:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31206"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122404"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122405"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122716"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122719"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122720"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122721"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122722"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/10"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/13"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/5"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/6"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/May/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVX7-72HC-RP32

Vulnerability from github – Published: 2024-12-03 21:31 – Updated: 2025-01-02 18:30
VLAI
Details

Type Confusion in V8 in Google Chrome prior to 131.0.6778.108 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-03T19:15:08Z",
    "severity": "HIGH"
  },
  "details": "Type Confusion in V8 in Google Chrome prior to 131.0.6778.108 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-wvx7-72hc-rp32",
  "modified": "2025-01-02T18:30:35Z",
  "published": "2024-12-03T21:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12053"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/379009132"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVX9-9PHH-9J3H

Vulnerability from github – Published: 2022-01-12 00:01 – Updated: 2022-04-14 00:01
VLAI
Details

Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-11T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.",
  "id": "GHSA-wvx9-9phh-9j3h",
  "modified": "2022-04-14T00:01:00Z",
  "published": "2022-01-12T00:01:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44647"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2021-44647"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3EMGAQ5Y6GXJLY4K5DUOOEQT4MZ4J4F"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-23"
    },
    {
      "type": "WEB",
      "url": "http://lua-users.org/lists/lua-l/2021-11/msg00195.html"
    },
    {
      "type": "WEB",
      "url": "http://lua-users.org/lists/lua-l/2021-11/msg00204.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXPV-97W2-CH7X

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the openList method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5021.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-20T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the openList method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5021.",
  "id": "GHSA-wxpv-97w2-ch7x",
  "modified": "2022-05-13T01:37:36Z",
  "published": "2022-05-13T01:37:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14829"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-873"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X257-48RH-CR2J

Vulnerability from github – Published: 2025-09-17 21:30 – Updated: 2025-09-17 21:30
VLAI
Details

Ashlar-Vellum Cobalt LI File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of LI files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26051.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T21:15:42Z",
    "severity": "HIGH"
  },
  "details": "Ashlar-Vellum Cobalt LI File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of LI files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26051.",
  "id": "GHSA-x257-48rh-cr2j",
  "modified": "2025-09-17T21:30:44Z",
  "published": "2025-09-17T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8000"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-718"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2Q8-3525-P6PR

Vulnerability from github – Published: 2026-05-04 09:31 – Updated: 2026-05-04 09:31
VLAI
Details

In mutt before 2.3.2, the imap_auth_gss security level is mishandled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-04T07:16:00Z",
    "severity": "LOW"
  },
  "details": "In mutt before 2.3.2, the imap_auth_gss security level is mishandled.",
  "id": "GHSA-x2q8-3525-p6pr",
  "modified": "2026-05-04T09:31:09Z",
  "published": "2026-05-04T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43862"
    },
    {
      "type": "WEB",
      "url": "https://github.com/muttmua/mutt/commit/f547a849cdacb512800a5f477c27de217e1c8151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.