CWE-843
AllowedAccess of Resource Using Incompatible Type ('Type Confusion')
Abstraction: Base · Status: Incomplete
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
1041 vulnerabilities reference this CWE, most recent first.
GHSA-VCXJ-M8FV-W3M4
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, watchOS 5.1.3. A malicious application may be able to break out of its sandbox.
{
"affected": [],
"aliases": [
"CVE-2019-6214"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-05T16:29:00Z",
"severity": "HIGH"
},
"details": "A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, watchOS 5.1.3. A malicious application may be able to break out of its sandbox.",
"id": "GHSA-vcxj-m8fv-w3m4",
"modified": "2022-05-13T01:22:38Z",
"published": "2022-05-13T01:22:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6214"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209443"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209446"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209447"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209448"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46298"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106739"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VF23-F26F-MJJ9
Vulnerability from github – Published: 2019-09-23 18:32 – Updated: 2026-06-08 23:15Impact
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the API component that can result in login bypass.
Patches
https://github.com/YOURLS/YOURLS/releases/tag/1.7.4 https://github.com/YOURLS/YOURLS/pull/2542
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14537
- https://github.com/Wocanilo/CVE-2019-14537
For more information
If you have any questions or comments about this advisory: * Open an issue in YOURLS repository
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yourls/yourls"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14537"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:57:30Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nYOURLS through 1.7.3 is affected by a type juggling vulnerability in the API component that can result in login bypass.\n\n### Patches\nhttps://github.com/YOURLS/YOURLS/releases/tag/1.7.4\nhttps://github.com/YOURLS/YOURLS/pull/2542\n\n### References\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14537\n* https://github.com/Wocanilo/CVE-2019-14537\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [YOURLS repository](https://github.com/YOURLS/YOURLS)",
"id": "GHSA-vf23-f26f-mjj9",
"modified": "2026-06-08T23:15:01Z",
"published": "2019-09-23T18:32:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/security/advisories/GHSA-vf23-f26f-mjj9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14537"
},
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/pull/2542"
},
{
"type": "WEB",
"url": "https://github.com/Wocanilo/CVE-2019-14537"
},
{
"type": "PACKAGE",
"url": "https://github.com/YOURLS/YOURLS"
},
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/commits/master"
},
{
"type": "WEB",
"url": "https://github.com/YOURLS/YOURLS/releases"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vf23-f26f-mjj9"
},
{
"type": "WEB",
"url": "https://security-garage.com/index.php/cves/cve-2019-14537-api-authentication-bypass-via-type-juggling"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027) in yourls/yourls"
}
GHSA-VF62-69CF-F6MV
Vulnerability from github – Published: 2026-06-08 00:30 – Updated: 2026-06-08 00:30A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-11463"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-07T23:16:41Z",
"severity": "LOW"
},
"details": "A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.",
"id": "GHSA-vf62-69cf-f6mv",
"modified": "2026-06-08T00:30:25Z",
"published": "2026-06-08T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11463"
},
{
"type": "WEB",
"url": "https://github.com/USCiLab/cereal/issues/870"
},
{
"type": "WEB",
"url": "https://gist.github.com/TrebledJ/0223c1fa3c3fd64e2c7047b8a4385ec0"
},
{
"type": "WEB",
"url": "https://github.com/USCiLab/cereal"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-11463"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/814456"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/369083"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/369083/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VFQM-4CXM-QPXR
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In SurfaceFlinger, there is possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153467444
{
"affected": [],
"aliases": [
"CVE-2020-0336"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T21:15:00Z",
"severity": "MODERATE"
},
"details": "In SurfaceFlinger, there is possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153467444",
"id": "GHSA-vfqm-4cxm-qpxr",
"modified": "2022-05-24T17:28:39Z",
"published": "2022-05-24T17:28:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0336"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VG79-F5M5-MW2X
Vulnerability from github – Published: 2026-04-11 03:30 – Updated: 2026-04-11 03:30Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25717.
{
"affected": [],
"aliases": [
"CVE-2026-5496"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-11T01:16:18Z",
"severity": "HIGH"
},
"details": "Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25717.",
"id": "GHSA-vg79-f5m5-mw2x",
"modified": "2026-04-11T03:30:30Z",
"published": "2026-04-11T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5496"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG89-XVR7-M96M
Vulnerability from github – Published: 2024-11-04 03:30 – Updated: 2024-11-04 12:32In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08960505; Issue ID: MSV-1590.
{
"affected": [],
"aliases": [
"CVE-2024-20106"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T02:15:16Z",
"severity": "MODERATE"
},
"details": "In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08960505; Issue ID: MSV-1590.",
"id": "GHSA-vg89-xvr7-m96m",
"modified": "2024-11-04T12:32:55Z",
"published": "2024-11-04T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20106"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/November-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG8W-6W5P-JHWR
Vulnerability from github – Published: 2024-12-30 18:30 – Updated: 2024-12-30 18:30Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22414.
{
"affected": [],
"aliases": [
"CVE-2024-12834"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-30T17:15:07Z",
"severity": "HIGH"
},
"details": "Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22414.",
"id": "GHSA-vg8w-6w5p-jhwr",
"modified": "2024-12-30T18:30:41Z",
"published": "2024-12-30T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12834"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1722"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VH5Q-RXQQ-3F32
Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-02-11 15:32Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2025-0291"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T19:15:38Z",
"severity": "HIGH"
},
"details": "Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-vh5q-rxqq-3f32",
"modified": "2025-02-11T15:32:21Z",
"published": "2025-01-08T21:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0291"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/383356864"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM5H-5X2V-9VQW
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-10 00:00Windows Defender Credential Guard Security Feature Bypass Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-34709"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Defender Credential Guard Security Feature Bypass Vulnerability.",
"id": "GHSA-vm5h-5x2v-9vqw",
"modified": "2022-08-10T00:00:18Z",
"published": "2022-08-10T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34709"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34709"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34709"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168314/Windows-Credential-Guard-ASN1-Decoder-Type-Confusion-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMFX-GCFQ-WVM2
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2023-07-10 13:05Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-5815"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-07T21:30:28Z",
"nvd_published_at": "2019-12-11T01:15:00Z",
"severity": "HIGH"
},
"details": "Type confusion in `xsltNumberFormatGetMultipleLevel` prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.\n\nNokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.",
"id": "GHSA-vmfx-gcfq-wvm2",
"modified": "2023-07-10T13:05:32Z",
"published": "2022-05-24T17:03:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5815"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/issues/2630"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nokogiri implementation of libxslt vulnerable to heap corruption"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.