Common Weakness Enumeration

CWE-843

Allowed

Access of Resource Using Incompatible Type ('Type Confusion')

Abstraction: Base · Status: Incomplete

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

1041 vulnerabilities reference this CWE, most recent first.

GHSA-J5RV-3M5P-Q6RC

Vulnerability from github – Published: 2023-05-16 21:30 – Updated: 2025-05-05 18:32
VLAI
Details

Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-16T19:15:09Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-j5rv-3m5p-q6rc",
  "modified": "2025-05-05T18:32:39Z",
  "published": "2023-05-16T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2724"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_16.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1433211"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73XUIHJ6UT75VFPDPLJOXJON7MVIKVZI"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXFL4TDAH72PRCPD5UPZMJMKIMVOPLTI"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202309-17"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5404"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173131/Chrome-Internal-JavaScript-Object-Access-Via-Origin-Trials.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5XF-XFVF-PJW6

Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16
VLAI
Details

Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-19T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.",
  "id": "GHSA-j5xf-xfvf-pjw6",
  "modified": "2022-05-14T03:16:14Z",
  "published": "2022-05-14T03:16:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4920"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0520"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb18-05.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103383"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040509"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J67M-WPV6-PV44

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2023-10-06 01:22
VLAI
Summary
ChakraCore RCE Vulnerability
Details

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8296, CVE-2018-8298.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.ChakraCore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-8291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-21T20:36:21Z",
    "nvd_published_at": "2018-07-11T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka \"Scripting Engine Memory Corruption Vulnerability.\" This affects ChakraCore, Internet Explorer 11, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8296, CVE-2018-8298.",
  "id": "GHSA-j67m-wpv6-pv44",
  "modified": "2023-10-06T01:22:58Z",
  "published": "2022-05-13T01:20:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chakra-core/ChakraCore/pull/5444"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chakra-core/ChakraCore/commit/c322694178ece209b0aa73eafd97a036def86eb1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chakra-core/ChakraCore"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8291"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210124183732/http://www.securityfocus.com/bid/104637"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210515050150/http://www.securitytracker.com/id/1041258"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20211202002348/http://www.securitytracker.com/id/1041256"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ChakraCore RCE Vulnerability"
}

GHSA-J8X2-FPJJ-2HVP

Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-15 21:30
VLAI
Details

Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T17:15:04Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in WebAssembly in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-j8x2-fpjj-2hvp",
  "modified": "2024-10-15T21:30:36Z",
  "published": "2024-10-11T18:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9859"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/346197738"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9FF-392X-7Q7V

Vulnerability from github – Published: 2024-09-19 21:33 – Updated: 2024-09-19 21:33
VLAI
Details

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-19T21:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability",
  "id": "GHSA-j9ff-392x-7q7v",
  "modified": "2024-09-19T21:33:29Z",
  "published": "2024-09-19T21:33:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43489"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9JR-2QMG-CR6M

Vulnerability from github – Published: 2023-05-19 00:30 – Updated: 2024-04-04 04:14
VLAI
Details

An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-18T22:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "An error in Hermes\u0027 algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.",
  "id": "GHSA-j9jr-2qmg-cr6m",
  "modified": "2024-04-04T04:14:45Z",
  "published": "2023-05-19T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23557"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hermes/commit/a00d237346894c6067a594983be6634f4168c9ad"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2023-23557"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9PX-R24R-FM3P

Vulnerability from github – Published: 2025-11-05 15:31 – Updated: 2025-11-05 17:48
VLAI
Details

A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr'ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-05T15:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "A type confusion vulnerability exists in the lasso_node_impl_init_from_xml functionality of Entr\u0026#39;ouvert Lasso 2.5.1 and 2.8.2. A specially crafted SAML response can lead to an arbitrary code execution. An attacker can send a malformed SAML response to trigger this vulnerability.",
  "id": "GHSA-j9px-r24r-fm3p",
  "modified": "2025-11-05T17:48:28Z",
  "published": "2025-11-05T15:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47151"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2193"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2193"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC8M-7R22-73R7

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Access of resource using incompatible type ('type confusion') in Windows DWM allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:41Z",
    "severity": "HIGH"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows DWM allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-jc8m-7r22-73r7",
  "modified": "2026-07-14T18:32:41Z",
  "published": "2026-07-14T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58541"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCP6-MR82-MCVC

Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31
VLAI
Details

Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-jcp6-mr82-mcvc",
  "modified": "2025-09-09T18:31:20Z",
  "published": "2025-09-09T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53810"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53810"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCQ3-CPRP-M333

Vulnerability from github – Published: 2020-07-01 17:12 – Updated: 2021-09-22 18:47
VLAI
Summary
Privilege escalation in mysql-connector-jav
Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "mysql:mysql-connector-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-2692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-01T17:11:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).",
  "id": "GHSA-jcq3-cprp-m333",
  "modified": "2021-09-22T18:47:45Z",
  "published": "2020-07-01T17:12:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2692"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190423-0002"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-MYSQL-174574"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107925"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Privilege escalation in mysql-connector-jav"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.