
CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion')) — Vulnerability Class (348)

348 vulnerabilities classified as CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion')). AI Chinese analysis included.

CWE-843, Type Confusion, is a critical memory safety weakness where a resource is initialized with one data type but subsequently accessed using an incompatible type. This discrepancy often triggers logical errors or undefined behavior, particularly in memory-unsafe languages like C and C++, where the program misinterprets the underlying bit patterns. Attackers typically exploit this vulnerability by crafting malicious inputs that force the application to treat a pointer or object as a different type, potentially leading to arbitrary code execution, data corruption, or denial of service. To mitigate this risk, developers must enforce strict type checking and validation at runtime. Utilizing memory-safe programming languages, implementing comprehensive unit tests for type assertions, and employing static analysis tools can effectively detect these mismatches before deployment, ensuring that resources are always accessed according to their intended definitions.

MITRE CWE Description
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. When the product accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access. While this weakness is frequently associated with unions when parsing data with many different embedded object types in C, it can be present in any application that can interpret the same variable or memory location in multiple ways. This weakness is not unique to C and C++. For example, errors in PHP applications can be triggered by providing array parameters when scalars are expected, or vice versa. Languages such as Perl, which perform automatic conversion of a variable of one type when it is accessed as if it were another type, can also contain these issues.
Common Consequences (1)
Scope: Availability, Integrity, Confidentiality
Impact: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart
When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution.
Examples (2)
The following code uses a union to support the representation of different types of messages. It formats messages differently, depending on their type.
#include <stdio.h>

#define NAME_TYPE 1
#define ID_TYPE 2

struct MessageBuffer {
    int msgType;            /* which union member the code believes is live */
    union {
        char *name;         /* meant to be used when msgType == NAME_TYPE */
        int nameID;         /* meant to be used when msgType == ID_TYPE */
    };
};

int main (int argc, char **argv) {
    struct MessageBuffer buf;
    char *defaultMessage = "Hello World";

    buf.msgType = NAME_TYPE;
    buf.name = defaultMessage;
    printf("Pointer of buf.name is %p\n", buf.name);

    /* This particular value for nameID is used to make the code
       architecture-independent. If coming from untrusted input, it could
       be any value. */
    /* Writing nameID overwrites (part of) the pointer bits while msgType
       still says NAME_TYPE: the tag and the live member now disagree. */
    buf.nameID = (int)(defaultMessage + 1);
    printf("Pointer of buf.name is now %p\n", buf.name);

    if (buf.msgType == NAME_TYPE) {
        /* stale tag: the corrupted pointer is dereferenced as a string */
        printf("Message: %s\n", buf.name);
    }
    else {
        printf("Message: Use ID %d\n", buf.nameID);
    }
    return 0;
}
Bad · C
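The same NAME_TYPE / ID_TYPE union written the way a defender would want it, as an added example that is not the MITRE listing's code: the tag and the union payload are only ever written and read together through checked accessors (the msg_* helper names are assumptions), so a value stored as nameID can no longer be read back as a pointer, and an unrecognised tag is reported instead of dereferenced.

```c
#include <stdio.h>
#include <string.h>

#define NAME_TYPE 1
#define ID_TYPE   2

/* Same layout as the listing's MessageBuffer, but the union is touched only
 * through the checked helpers below, so tag and payload cannot disagree. */
struct MessageBuffer {
    int msgType;              /* tag: which union member is live */
    union {
        const char *name;     /* live only while msgType == NAME_TYPE */
        int         nameID;   /* live only while msgType == ID_TYPE   */
    } u;
};
/* Setters write tag and payload together. */
void msg_set_name(struct MessageBuffer *m, const char *name) {
    m->msgType = NAME_TYPE; m->u.name = name;
}
void msg_set_id(struct MessageBuffer *m, int id) {
    m->msgType = ID_TYPE; m->u.nameID = id;
}

/* Getters check the tag before reading: 0 on success, -1 on a type mismatch. */
int msg_get_name(const struct MessageBuffer *m, const char **out) {
    if (m->msgType != NAME_TYPE) return -1;
    *out = m->u.name; return 0;
}
int msg_get_id(const struct MessageBuffer *m, int *out) {
    if (m->msgType != ID_TYPE) return -1;
    *out = m->u.nameID; return 0;
}
/* Formats for display; an unknown tag is reported (-1), never dereferenced. */
int msg_format(const struct MessageBuffer *m, char *dst, size_t cap) {
    const char *name; int id;
    if (msg_get_name(m, &name) == 0) return snprintf(dst, cap, "Message: %s", name);
    if (msg_get_id(m, &id) == 0)     return snprintf(dst, cap, "Message: Use ID %d", id);
    return -1;
}

int main(void) {
    struct MessageBuffer buf; char out[64]; const char *name;
    msg_set_name(&buf, "Hello World");
    msg_format(&buf, out, sizeof out); puts(out);         /* Message: Hello World */
    msg_set_id(&buf, 42);                                  /* tag follows the payload */
    if (msg_get_name(&buf, &name) != 0) puts("refused: buffer holds an ID, not a name");
    msg_format(&buf, out, sizeof out); puts(out);         /* Message: Use ID 42 */
    return 0;
}
```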
The following PHP code accepts a value, adds 5, and prints the sum.
<?php
// $value comes straight from the query string: it may be a numeric string,
// a non-numeric string, or (sent as value[]=...) an array.
$value = $_GET['value'];
// No type check: the addition assumes a scalar, so an array operand makes
// PHP raise an error instead of computing a sum.
$sum = $value + 5;
echo "value parameter is '$value'<p>";
echo "SUM is $sum";
Bad · PHP
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2026-26110 · Microsoft Office Remote Code Execution Vulnerability — Microsoft 365 Apps for Enterprise · 8.4 · High · 2026-03-10
CVE-2025-14799 · Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization Bypass via Type Juggling — Brevo – Email, SMS, Web Push, Chat, and more. · 6.5 · Medium · 2026-02-18
CVE-2023-31323 · AMD Processors Security Vulnerability — AMD Radeon™ RX 5000 Series Graphics Products · 8.0 (AI) · High (AI) · 2026-02-12
CVE-2026-21330 · After Effects | Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843) — After Effects · 7.8 · High · 2026-02-10
CVE-2026-21519 · Desktop Window Manager Elevation of Privilege Vulnerability — Windows 10 Version 1607 · 7.8 · High · 2026-02-10
CVE-2026-25537 · jsonwebtoken has Type Confusion that leads to potential authorization bypass — jsonwebtoken · 9.1 (AI) · Critical (AI) · 2026-02-04
CVE-2025-29867 · Hancom Office Security Vulnerability — Hancom Office 2018 · 8.1 (AI) · High (AI) · 2026-02-04
CVE-2026-1862 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2026-02-03
CVE-2025-65080 · Type confusion vulnerability in Postscript interpreter — MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ · 9.8 (AI) · Critical (AI) · 2026-02-03
CVE-2025-12899 · net: icmp: Out of bound memory read — Zephyr · 6.5 · Medium · 2026-01-30
CVE-2026-24874 · Type confusion in xray-monolith — xray-monolith · 9.1 · Critical · 2026-01-27
CVE-2026-20860 · Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability — Windows 10 Version 1607 · 7.8 · High · 2026-01-13
CVE-2026-20811 · Win32k Elevation of Privilege Vulnerability — Windows 11 version 22H3 · 7.8 · High · 2026-01-13
CVE-2026-22028 · Preact has JSON VNode Injection issue — preact · 6.1 · - · 2026-01-08
CVE-2025-66586 · Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in AzeoTech DAQFactory — DAQFactory · 7.8 (AI) · High (AI) · 2025-12-11
CVE-2025-62554 · Microsoft Office Remote Code Execution Vulnerability — Microsoft 365 Apps for Enterprise · 8.4 · High · 2025-12-09
CVE-2025-13630 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-12-02
CVE-2025-41738 · CODESYS Control - Invalid type usage in visualization — CODESYS Control RTE (SL) · 7.5 · High · 2025-12-01
CVE-2025-58310 · Huawei HarmonyOS Security Vulnerability — HarmonyOS · 8.0 · High · 2025-11-28
CVE-2025-64314 · Huawei HarmonyOS Security Vulnerability — HarmonyOS · 9.3 · Critical · 2025-11-28
CVE-2025-13230 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-11-17
CVE-2025-13228 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-11-17
CVE-2025-13227 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-11-17
CVE-2025-13229 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-11-17
CVE-2025-13226 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-11-17
CVE-2025-13224 · Google Chrome Security Vulnerability — Chrome · 8.8 (AI) · High (AI) · 2025-11-17
CVE-2025-12428 · Microsoft Edge Security Vulnerability — Chrome · 8.1 · - · 2025-11-10
CVE-2022-50590 · SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality — SuiteCRM · 7.5 · - · 2025-11-06
CVE-2025-47151 · Entrouvert Lasso Security Vulnerability — Lasso · 9.8 · Critical · 2025-11-05
CVE-2025-62518 · astral-tokio-tar Vulnerable to PAX Header Desynchronization — tokio-tar · 8.1 · High · 2025-10-21

Vulnerabilities classified as CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion')) represent 348 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.