CWE-843
AllowedAccess of Resource Using Incompatible Type ('Type Confusion')
Abstraction: Base · Status: Incomplete
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
1041 vulnerabilities reference this CWE, most recent first.
GHSA-J27G-HJP9-XF7W
Vulnerability from github – Published: 2023-11-06 06:30 – Updated: 2023-11-13 21:30In keyinstall, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08157918; Issue ID: ALPS08157918.
{
"affected": [],
"aliases": [
"CVE-2023-32835"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T04:15:07Z",
"severity": "MODERATE"
},
"details": "In keyinstall, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08157918; Issue ID: ALPS08157918.",
"id": "GHSA-j27g-hjp9-xf7w",
"modified": "2023-11-13T21:30:57Z",
"published": "2023-11-06T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32835"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/November-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3M3-GFHR-JMQF
Vulnerability from github – Published: 2024-09-03 15:30 – Updated: 2024-09-06 18:31A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. This vulnerability affects Firefox < 130 and Firefox ESR < 128.2.
{
"affected": [],
"aliases": [
"CVE-2024-8385"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T13:15:05Z",
"severity": "CRITICAL"
},
"details": "A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. This vulnerability affects Firefox \u003c 130 and Firefox ESR \u003c 128.2.",
"id": "GHSA-j3m3-gfhr-jmqf",
"modified": "2024-09-06T18:31:28Z",
"published": "2024-09-03T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8385"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1911909"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-39"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-40"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3MQ-6VQF-JM43
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the setFocus method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5022.
{
"affected": [],
"aliases": [
"CVE-2017-14830"
],
"database_specific": {
"cwe_ids": [
"CWE-704",
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-20T14:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the setFocus method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5022.",
"id": "GHSA-j3mq-6vqf-jm43",
"modified": "2022-05-13T01:37:35Z",
"published": "2022-05-13T01:37:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14830"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-874"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3PM-QHWH-63J2
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31Ashlar-Vellum Cobalt AR File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of AR files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20409.
{
"affected": [],
"aliases": [
"CVE-2023-42102"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:47Z",
"severity": "HIGH"
},
"details": "Ashlar-Vellum Cobalt AR File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of AR files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20409.",
"id": "GHSA-j3pm-qhwh-63j2",
"modified": "2024-05-03T03:31:02Z",
"published": "2024-05-03T03:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42102"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1451"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3W3-P6MR-3HRH
Vulnerability from github – Published: 2026-04-04 05:55 – Updated: 2026-04-04 05:55DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata.
This issue was reproduced against dyn-future 3.0.4 under Miri. The crate is unmaintained.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "dyn-future"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T05:55:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata.\n\nThis issue was reproduced against `dyn-future` 3.0.4 under Miri. The crate is unmaintained.",
"id": "GHSA-j3w3-p6mr-3hrh",
"modified": "2026-04-04T05:55:51Z",
"published": "2026-04-04T05:55:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/issues/2595"
},
{
"type": "PACKAGE",
"url": "https://github.com/xacrimon/dyn-future"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0079.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DynFuture Drop Can Construct a Dangling Reference"
}
GHSA-J4GR-93R2-5WX9
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-05-24 17:07panel_login.php in UseBB 1.0.12 allows type juggling for login bypass because != is used instead of !== for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.
{
"affected": [],
"aliases": [
"CVE-2020-8088"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-27T20:15:00Z",
"severity": "HIGH"
},
"details": "panel_login.php in UseBB 1.0.12 allows type juggling for login bypass because != is used instead of !== for password hashes, which mishandles hashes that begin with 0e followed by exclusively numerical characters.",
"id": "GHSA-j4gr-93r2-5wx9",
"modified": "2022-05-24T17:07:30Z",
"published": "2022-05-24T17:07:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8088"
},
{
"type": "WEB",
"url": "https://xavibel.com/2020/01/22/usebb-forum-php-type-juggling-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J4RQ-73W6-WG33
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Type confusion in WebAssembly in Google Chrome prior to 66.0.3359.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-6122"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-02T23:15:00Z",
"severity": "HIGH"
},
"details": "Type confusion in WebAssembly in Google Chrome prior to 66.0.3359.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-j4rq-73w6-wg33",
"modified": "2022-05-24T19:19:39Z",
"published": "2022-05-24T19:19:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6122"
},
{
"type": "WEB",
"url": "https://crbug.com/836141"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J4XQ-256R-C68Q
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-34344"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:17:09Z",
"severity": "HIGH"
},
"details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-j4xq-256r-c68q",
"modified": "2026-05-12T18:30:42Z",
"published": "2026-05-12T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34344"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34344"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J58Q-JG6X-X4H9
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices.
{
"affected": [],
"aliases": [
"CVE-2020-27257"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-09T15:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices.",
"id": "GHSA-j58q-jg6x-x4h9",
"modified": "2022-05-24T17:41:29Z",
"published": "2022-05-24T17:41:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27257"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-007-02"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-184"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J5GW-2VRG-8FGX
Vulnerability from github – Published: 2025-10-21 15:42 – Updated: 2026-01-16 22:12Summary
Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.
This vulnerability was disclosed to multiple Rust tar parsers, all derived from the original async-tar fork of tar-rs.
Details
Vulnerability Description
The vulnerability stems from inconsistent handling of PAX extended headers versus ustar headers when determining file data boundaries. Specifically:
- PAX header correctly specifies the file size (e.g.,
size=1048576) - ustar header incorrectly specifies zero size (
size=000000000000) - tokio-tar advances the stream position based on the ustar size (0 bytes)
- Inner content is then interpreted as legitimate outer archive entries
Attack Mechanism
When a TAR file contains:
- An outer entry with PAX
size=Nbut ustarsize=0 - File data that begins with valid TAR header structures
- The parser treats inner content as additional outer entries
This creates a header/data desynchronization where the parser's position becomes misaligned with actual file boundaries.
Root Cause
// Vulnerable: Uses ustar size instead of PAX override
let file_size = header.size(); // Returns 0 from ustar field
let next_pos = current_pos + 512 + pad_to_512(file_size); // Advances 0 bytes
// Fixed: Apply PAX overrides before position calculation
let mut file_size = header.size();
if let Some(pax_size) = pending_pax.get("size") {
file_size = pax_size.parse().unwrap();
}
let next_pos = current_pos + 512 + pad_to_512(file_size); // Correct advance
Impact
The impact of this vulnerability depends on where astral-tokio-tar is used, and whether it is used to extract untrusted tar archives. If used to extract untrusted inputs, it may result in unexpected attacker-controlled access to the filesystem, in turn potential resulting in arbitrary code execution or credential exfiltration.
See GHSA-w476-p2h3-79g9 for how this vulnerability affects uv, astral-tokio-tar's primary downstream user. Observe that unlike this advisory,uv's advisory is considered low severity due to overlap with intentional existing capabilities in source distributions.
Workarounds
Users are advised to upgrade to version 0.5.6 or newer to address this advisory.
There is no workaround other than upgrading.
Timeline
| Date | Event |
|---|---|
| Aug 21, 2025 | Vulnerability discovered by Edera Security Team |
| Aug 21, 2025 | Initial analysis and PoC confirmed |
| Aug 22, 2025 | Maintainers notified (privately) |
| Aug 25, 2025 | Private patch and test suite shared |
| Oct 7, 2025 | Text freeze for GHSA |
| Oct 21, 2025 | Coordinated public disclosure and patched releases |
Credits
- Discovered by: Steven Noonan (Edera) and Alex Zenla (Edera)
- Coordinated disclosure: Ann Wallace (Edera)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.5"
},
"package": {
"ecosystem": "crates.io",
"name": "astral-tokio-tar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "tokio-tar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62518"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T15:42:51Z",
"nvd_published_at": "2025-10-21T17:15:40Z",
"severity": "HIGH"
},
"details": "## Summary\n\nVersions of `astral-tokio-tar` prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser incorrectly advances stream position based on ustar header size (often zero) instead of the PAX-specified size, causing it to interpret file content as legitimate tar headers.\n\nThis vulnerability was disclosed to multiple Rust tar parsers, all derived from the original `async-tar` fork of `tar-rs`.\n\n## Details\n\n### Vulnerability Description\n\nThe vulnerability stems from inconsistent handling of PAX extended headers versus ustar headers when determining file data boundaries. Specifically:\n\n1. **PAX header** correctly specifies the file size (e.g., `size=1048576`)\n2. **ustar header** incorrectly specifies zero size (`size=000000000000`)\n3. **tokio-tar** advances the stream position based on the ustar size (0 bytes)\n4. **Inner content** is then interpreted as legitimate outer archive entries\n\n### Attack Mechanism\n\nWhen a TAR file contains:\n\n- An outer entry with PAX `size=N` but ustar `size=0`\n- File data that begins with valid TAR header structures\n- The parser treats inner content as additional outer entries\n\nThis creates a **header/data desynchronization** where the parser\u0027s position becomes misaligned with actual file boundaries.\n\n### Root Cause\n\n```rust\n// Vulnerable: Uses ustar size instead of PAX override\nlet file_size = header.size(); // Returns 0 from ustar field\nlet next_pos = current_pos + 512 + pad_to_512(file_size); // Advances 0 bytes\n\n// Fixed: Apply PAX overrides before position calculation\nlet mut file_size = header.size();\nif let Some(pax_size) = pending_pax.get(\"size\") {\n file_size = pax_size.parse().unwrap();\n}\nlet next_pos = current_pos + 512 + pad_to_512(file_size); // Correct advance\n\n```\n\n## Impact\n\nThe impact of this vulnerability depends on where `astral-tokio-tar` is used, and whether it is used to extract untrusted tar archives. If used to extract untrusted inputs, it may result in unexpected attacker-controlled access to the filesystem, in turn potential resulting in arbitrary code execution or credential exfiltration.\n\nSee [**GHSA-w476-p2h3-79g9**](https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9) for how this vulnerability affects `uv`, `astral-tokio-tar`\u0027s primary downstream user. Observe that **unlike** this advisory,` uv`\u0027s advisory is considered **low severity** due to overlap with intentional existing capabilities in source distributions. \n\n## Workarounds\n\nUsers are advised to upgrade to version 0.5.6 or newer to address this advisory.\n\nThere is no workaround other than upgrading.\n\n## Timeline\n\n| Date | Event |\n| --- | --- |\n| Aug 21, 2025 | Vulnerability discovered by Edera Security Team |\n| Aug 21, 2025 | Initial analysis and PoC confirmed |\n| Aug 22, 2025 | Maintainers notified (privately) |\n| Aug 25, 2025 | Private patch and test suite shared |\n| Oct 7, 2025 | Text freeze for GHSA |\n| Oct 21, 2025 | Coordinated public disclosure and patched releases |\n\n## Credits\n\n- **Discovered by:** Steven Noonan (Edera) and Alex Zenla (Edera)\n- **Coordinated disclosure:** Ann Wallace (Edera)",
"id": "GHSA-j5gw-2vrg-8fgx",
"modified": "2026-01-16T22:12:12Z",
"published": "2025-10-21T15:42:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx"
},
{
"type": "WEB",
"url": "https://github.com/astral-sh/uv/security/advisories/GHSA-w476-p2h3-79g9"
},
{
"type": "WEB",
"url": "https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318"
},
{
"type": "WEB",
"url": "https://edera.dev/stories/tarmageddon"
},
{
"type": "PACKAGE",
"url": "https://github.com/astral-sh/tokio-tar"
},
{
"type": "WEB",
"url": "https://github.com/edera-dev/cve-tarmageddon"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0110.html"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0111.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "astral-tokio-tar Vulnerable to PAX Header Desynchronization"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.