Common Weakness Enumeration

CWE-843

Allowed

Access of Resource Using Incompatible Type ('Type Confusion')

Abstraction: Base · Status: Incomplete

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

1041 vulnerabilities reference this CWE, most recent first.

GHSA-JG5C-2PC3-432M

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31
VLAI
Details

Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T18:16:14Z",
    "severity": "HIGH"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-jg5c-2pc3-432m",
  "modified": "2026-01-13T18:31:09Z",
  "published": "2026-01-13T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20860"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20860"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JG9W-WM2G-X7H3

Vulnerability from github – Published: 2022-04-06 00:01 – Updated: 2022-04-12 00:00
VLAI
Details

Type confusion in V8 in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-05T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in V8 in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-jg9w-wm2g-x7h3",
  "modified": "2022-04-12T00:00:47Z",
  "published": "2022-04-06T00:01:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0457"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1274445"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGH6-F95X-G8R7

Vulnerability from github – Published: 2025-09-17 21:30 – Updated: 2025-09-17 21:30
VLAI
Details

Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25981.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T21:15:41Z",
    "severity": "HIGH"
  },
  "details": "Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25981.",
  "id": "GHSA-jgh6-f95x-g8r7",
  "modified": "2025-09-17T21:30:43Z",
  "published": "2025-09-17T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7995"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGWV-FX37-24VQ

Vulnerability from github – Published: 2023-05-19 00:30 – Updated: 2024-04-04 04:14
VLAI
Details

A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-18T22:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.",
  "id": "GHSA-jgwv-fx37-24vq",
  "modified": "2024-04-04T04:14:49Z",
  "published": "2023-05-19T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2023-25933"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH8Q-F6HP-2RC7

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:16:04Z",
    "severity": "HIGH"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-jh8q-f6hp-2rc7",
  "modified": "2025-10-14T18:30:35Z",
  "published": "2025-10-14T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59231"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59231"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH98-GV77-C9CX

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

An issue was discovered in Softing Industrial Automation OPC UA C++ SDK before 5.66. Remote attackers to cause a denial of service (DoS) by sending crafted messages to a OPC/UA client. The client process may crash unexpectedly because of a wrong type cast, and must be restarted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-10T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Softing Industrial Automation OPC UA C++ SDK before 5.66. Remote attackers to cause a denial of service (DoS) by sending crafted messages to a OPC/UA client. The client process may crash unexpectedly because of a wrong type cast, and must be restarted.",
  "id": "GHSA-jh98-gv77-c9cx",
  "modified": "2022-05-24T19:20:27Z",
  "published": "2022-05-24T19:20:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40871"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com/fileadmin/sof-files/pdf/ia/support/Security_Bulletin-CVE-2021-40871.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JHGF-XQJM-37VH

Vulnerability from github – Published: 2025-04-15 15:30 – Updated: 2025-04-15 15:30
VLAI
Details

The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T15:16:09Z",
    "severity": "HIGH"
  },
  "details": "The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send\u00a0ActivityPub activities to PeerTube\u0027s \"inbox\" endpoint. By abusing the \"Create Activity\" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF.",
  "id": "GHSA-jhgf-xqjm-37vh",
  "modified": "2025-04-15T15:30:54Z",
  "published": "2025-04-15T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32948"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/peertube-activitypub-playlist-creation-blind-ssrf-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJFJ-R463-G4C7

Vulnerability from github – Published: 2026-07-03 21:31 – Updated: 2026-07-03 21:31
VLAI
Details

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T21:17:04Z",
    "severity": "HIGH"
  },
  "details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.",
  "id": "GHSA-jjfj-r463-g4c7",
  "modified": "2026-07-03T21:31:40Z",
  "published": "2026-07-03T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58295"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJVF-4CXJ-RQV4

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-14 18:31
VLAI
Details

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Drupal Security Kit allows HTTP DoS.This issue affects Security Kit: from 0.0.0 before 2.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:36Z",
    "severity": "MODERATE"
  },
  "details": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027) vulnerability in Drupal Security Kit allows HTTP DoS.This issue affects Security Kit: from 0.0.0 before 2.0.3.",
  "id": "GHSA-jjvf-4cxj-rqv4",
  "modified": "2025-01-14T18:31:55Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13275"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-039"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM6V-MV47-P2GV

Vulnerability from github – Published: 2023-11-20 12:30 – Updated: 2023-11-20 12:30
VLAI
Details

in OpenHarmony v3.2.2 and prior versions allow a local attacker causes system information leak through type confusion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-20T12:15:08Z",
    "severity": "MODERATE"
  },
  "details": "in OpenHarmony v3.2.2 and prior versions allow a local attacker causes system information leak through type confusion.",
  "id": "GHSA-jm6v-mv47-p2gv",
  "modified": "2023-11-20T12:30:27Z",
  "published": "2023-11-20T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46705"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2023/2023-12.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.