CWE-843
AllowedAccess of Resource Using Incompatible Type ('Type Confusion')
Abstraction: Base · Status: Incomplete
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
1041 vulnerabilities reference this CWE, most recent first.
GHSA-J5RV-3M5P-Q6RC
Vulnerability from github – Published: 2023-05-16 21:30 – Updated: 2025-05-05 18:32Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2023-2724"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-16T19:15:09Z",
"severity": "HIGH"
},
"details": "Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-j5rv-3m5p-q6rc",
"modified": "2025-05-05T18:32:39Z",
"published": "2023-05-16T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2724"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_16.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1433211"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73XUIHJ6UT75VFPDPLJOXJON7MVIKVZI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXFL4TDAH72PRCPD5UPZMJMKIMVOPLTI"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-17"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5404"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173131/Chrome-Internal-JavaScript-Object-Access-Via-Origin-Trials.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5XF-XFVF-PJW6
Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
{
"affected": [],
"aliases": [
"CVE-2018-4920"
],
"database_specific": {
"cwe_ids": [
"CWE-704",
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-19T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.",
"id": "GHSA-j5xf-xfvf-pjw6",
"modified": "2022-05-14T03:16:14Z",
"published": "2022-05-14T03:16:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4920"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0520"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb18-05.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103383"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040509"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J67M-WPV6-PV44
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2023-10-06 01:22A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8296, CVE-2018-8298.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.ChakraCore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-8291"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-21T20:36:21Z",
"nvd_published_at": "2018-07-11T00:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka \"Scripting Engine Memory Corruption Vulnerability.\" This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8296, CVE-2018-8298.",
"id": "GHSA-j67m-wpv6-pv44",
"modified": "2023-10-06T01:22:58Z",
"published": "2022-05-13T01:20:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8291"
},
{
"type": "WEB",
"url": "https://github.com/chakra-core/ChakraCore/pull/5444"
},
{
"type": "WEB",
"url": "https://github.com/chakra-core/ChakraCore/commit/c322694178ece209b0aa73eafd97a036def86eb1"
},
{
"type": "PACKAGE",
"url": "https://github.com/chakra-core/ChakraCore"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8291"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210124183732/http://www.securityfocus.com/bid/104637"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210515050150/http://www.securitytracker.com/id/1041258"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20211202002348/http://www.securitytracker.com/id/1041256"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45215"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ChakraCore RCE Vulnerability"
}
GHSA-J8X2-FPJJ-2HVP
Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-15 21:30Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-9859"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-11T17:15:04Z",
"severity": "HIGH"
},
"details": "Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-j8x2-fpjj-2hvp",
"modified": "2024-10-15T21:30:36Z",
"published": "2024-10-11T18:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9859"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/346197738"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J9FF-392X-7Q7V
Vulnerability from github – Published: 2024-09-19 21:33 – Updated: 2024-09-19 21:33Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43489"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-19T21:15:15Z",
"severity": "MODERATE"
},
"details": "Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability",
"id": "GHSA-j9ff-392x-7q7v",
"modified": "2024-09-19T21:33:29Z",
"published": "2024-09-19T21:33:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43489"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J9JR-2QMG-CR6M
Vulnerability from github – Published: 2023-05-19 00:30 – Updated: 2024-04-04 04:14An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
{
"affected": [],
"aliases": [
"CVE-2023-23557"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-18T22:15:09Z",
"severity": "CRITICAL"
},
"details": "An error in Hermes\u0027 algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.",
"id": "GHSA-j9jr-2qmg-cr6m",
"modified": "2024-04-04T04:14:45Z",
"published": "2023-05-19T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23557"
},
{
"type": "WEB",
"url": "https://github.com/facebook/hermes/commit/a00d237346894c6067a594983be6634f4168c9ad"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2023-23557"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J9PX-R24R-FM3P
Vulnerability from github – Published: 2025-11-05 15:31 – Updated: 2025-11-05 17:48A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-47151"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-05T15:15:39Z",
"severity": "CRITICAL"
},
"details": "A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr\u0026#39;ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.",
"id": "GHSA-j9px-r24r-fm3p",
"modified": "2025-11-05T17:48:28Z",
"published": "2025-11-05T15:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47151"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2193"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JC8M-7R22-73R7
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Access of resource using incompatible type ('type confusion') in Windows DWM allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-58541"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:41Z",
"severity": "HIGH"
},
"details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows DWM allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-jc8m-7r22-73r7",
"modified": "2026-07-14T18:32:41Z",
"published": "2026-07-14T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58541"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCP6-MR82-MCVC
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-53810"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:15:52Z",
"severity": "MODERATE"
},
"details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-jcp6-mr82-mcvc",
"modified": "2025-09-09T18:31:20Z",
"published": "2025-09-09T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53810"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53810"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCQ3-CPRP-M333
Vulnerability from github – Published: 2020-07-01 17:12 – Updated: 2021-09-22 18:47Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "mysql:mysql-connector-java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-2692"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-01T17:11:19Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).",
"id": "GHSA-jcq3-cprp-m333",
"modified": "2021-09-22T18:47:45Z",
"published": "2020-07-01T17:12:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2692"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190423-0002"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-MYSQL-174574"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107925"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Privilege escalation in mysql-connector-jav"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.