Common Weakness Enumeration

CWE-843

Allowed

Access of Resource Using Incompatible Type ('Type Confusion')

Abstraction: Base · Status: Incomplete

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

1041 vulnerabilities reference this CWE, most recent first.

GHSA-VCXJ-M8FV-W3M4

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, watchOS 5.1.3. A malicious application may be able to break out of its sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-05T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, watchOS 5.1.3. A malicious application may be able to break out of its sandbox.",
  "id": "GHSA-vcxj-m8fv-w3m4",
  "modified": "2022-05-13T01:22:38Z",
  "published": "2022-05-13T01:22:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6214"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209443"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209446"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209447"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209448"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46298"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF23-F26F-MJJ9

Vulnerability from github – Published: 2019-09-23 18:32 – Updated: 2026-06-08 23:15
VLAI
Summary
Access of Resource Using Incompatible Type ('Type Confusion') in yourls/yourls
Details

Impact

YOURLS through 1.7.3 is affected by a type juggling vulnerability in the API component that can result in login bypass.

Patches

https://github.com/YOURLS/YOURLS/releases/tag/1.7.4 https://github.com/YOURLS/YOURLS/pull/2542

References

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14537
  • https://github.com/Wocanilo/CVE-2019-14537

For more information

If you have any questions or comments about this advisory: * Open an issue in YOURLS repository

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "yourls/yourls"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:57:30Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nYOURLS through 1.7.3 is affected by a type juggling vulnerability in the API component that can result in login bypass.\n\n### Patches\nhttps://github.com/YOURLS/YOURLS/releases/tag/1.7.4\nhttps://github.com/YOURLS/YOURLS/pull/2542\n\n### References\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14537\n* https://github.com/Wocanilo/CVE-2019-14537\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [YOURLS repository](https://github.com/YOURLS/YOURLS)",
  "id": "GHSA-vf23-f26f-mjj9",
  "modified": "2026-06-08T23:15:01Z",
  "published": "2019-09-23T18:32:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/YOURLS/YOURLS/security/advisories/GHSA-vf23-f26f-mjj9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YOURLS/YOURLS/pull/2542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Wocanilo/CVE-2019-14537"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/YOURLS/YOURLS"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YOURLS/YOURLS/commits/master"
    },
    {
      "type": "WEB",
      "url": "https://github.com/YOURLS/YOURLS/releases"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vf23-f26f-mjj9"
    },
    {
      "type": "WEB",
      "url": "https://security-garage.com/index.php/cves/cve-2019-14537-api-authentication-bypass-via-type-juggling"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)  in yourls/yourls"
}

GHSA-VF62-69CF-F6MV

Vulnerability from github – Published: 2026-06-08 00:30 – Updated: 2026-06-08 00:30
VLAI
Details

A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-07T23:16:41Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.",
  "id": "GHSA-vf62-69cf-f6mv",
  "modified": "2026-06-08T00:30:25Z",
  "published": "2026-06-08T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/USCiLab/cereal/issues/870"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/TrebledJ/0223c1fa3c3fd64e2c7047b8a4385ec0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/USCiLab/cereal"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-11463"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/814456"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369083"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369083/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VFQM-4CXM-QPXR

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

In SurfaceFlinger, there is possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153467444

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-17T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In SurfaceFlinger, there is possible memory corruption due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-153467444",
  "id": "GHSA-vfqm-4cxm-qpxr",
  "modified": "2022-05-24T17:28:39Z",
  "published": "2022-05-24T17:28:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0336"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VG79-F5M5-MW2X

Vulnerability from github – Published: 2026-04-11 03:30 – Updated: 2026-04-11 03:30
VLAI
Details

Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25717.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-11T01:16:18Z",
    "severity": "HIGH"
  },
  "details": "Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25717.",
  "id": "GHSA-vg79-f5m5-mw2x",
  "modified": "2026-04-11T03:30:30Z",
  "published": "2026-04-11T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5496"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG89-XVR7-M96M

Vulnerability from github – Published: 2024-11-04 03:30 – Updated: 2024-11-04 12:32
VLAI
Details

In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08960505; Issue ID: MSV-1590.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T02:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In m4u, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08960505; Issue ID: MSV-1590.",
  "id": "GHSA-vg89-xvr7-m96m",
  "modified": "2024-11-04T12:32:55Z",
  "published": "2024-11-04T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20106"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/November-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG8W-6W5P-JHWR

Vulnerability from github – Published: 2024-12-30 18:30 – Updated: 2024-12-30 18:30
VLAI
Details

Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22414.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-30T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22414.",
  "id": "GHSA-vg8w-6w5p-jhwr",
  "modified": "2024-12-30T18:30:41Z",
  "published": "2024-12-30T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12834"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VH5Q-RXQQ-3F32

Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-02-11 15:32
VLAI
Details

Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T19:15:38Z",
    "severity": "HIGH"
  },
  "details": "Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-vh5q-rxqq-3f32",
  "modified": "2025-02-11T15:32:21Z",
  "published": "2025-01-08T21:32:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0291"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/383356864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VM5H-5X2V-9VQW

Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-10 00:00
VLAI
Details

Windows Defender Credential Guard Security Feature Bypass Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Windows Defender Credential Guard Security Feature Bypass Vulnerability.",
  "id": "GHSA-vm5h-5x2v-9vqw",
  "modified": "2022-08-10T00:00:18Z",
  "published": "2022-08-10T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34709"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34709"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34709"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/168314/Windows-Credential-Guard-ASN1-Decoder-Type-Confusion-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMFX-GCFQ-WVM2

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2023-07-10 13:05
VLAI
Summary
Nokogiri implementation of libxslt vulnerable to heap corruption
Details

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-07T21:30:28Z",
    "nvd_published_at": "2019-12-11T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Type confusion in `xsltNumberFormatGetMultipleLevel` prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.\n\nNokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.",
  "id": "GHSA-vmfx-gcfq-wvm2",
  "modified": "2023-07-10T13:05:32Z",
  "published": "2022-05-24T17:03:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/issues/2630"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri implementation of libxslt vulnerable to heap corruption"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.