CWE-843
AllowedAccess of Resource Using Incompatible Type ('Type Confusion')
Abstraction: Base · Status: Incomplete
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
1041 vulnerabilities reference this CWE, most recent first.
GHSA-75HQ-H6G9-H4Q5
Vulnerability from github – Published: 2024-04-02 21:09 – Updated: 2025-05-02 12:54Impact
The 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. The panic in question is caused when a WebAssembly module issues a table.* instruction which uses a dropped element segment with a table that also has an externref type. This causes Wasmtime to erroneously use an empty function segment instead of an empty externref segment to perform this operation. This mismatch in types causes a panic in Wasmtime when it's asserted that an externref table is only viewed as externrefs.
This regression was introduced during the development of the 19.0.0 release and only affects the 19.0.0 release. This panic requires the reference-types WebAssembly feature to be enabled, and it is enabled by default. Toolchains are not known to generate this pattern by default so it's likely a module would need to be specifically crafted to trigger this panic.
A panic in a host runtime represents a possible denial-of-service in some scenarios. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic.
Patches
Wasmtime 19.0.1 has been released to fix this problem. Users of 19.0.0 should upgrade to 19.0.1. All other versions of Wasmtime are not affected by this issue.
Workarounds
If upgrading is not possible it's recommended to use config.reference_types(false). That will disable these modules at validation-time which prevents the possibility of a panic at runtime. If reference-types are required, however, then there is no other workaround at this time other than upgrading.
References
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "19.0.0"
},
{
"fixed": "19.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.0.0"
]
}
],
"aliases": [
"CVE-2024-30266"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-02T21:09:23Z",
"nvd_published_at": "2024-04-04T16:15:09Z",
"severity": "LOW"
},
"details": "### Impact\n\nThe 19.0.0 release of Wasmtime contains a regression introduced during its development which can lead to a guest WebAssembly module causing a panic in the host runtime. A valid WebAssembly module, when executed at runtime, may cause this panic. The panic in question is caused when a WebAssembly module issues a `table.*` instruction which uses a dropped element segment with a table that also has an `externref` type. This causes Wasmtime to erroneously use an empty function segment instead of an empty externref segment to perform this operation. This mismatch in types causes a panic in Wasmtime when it\u0027s asserted that an externref table is only viewed as externrefs.\n\nThis regression was introduced during the development of the 19.0.0 release and only affects the 19.0.0 release. This panic requires the `reference-types` WebAssembly feature to be enabled, and it is enabled by default. Toolchains are not known to generate this pattern by default so it\u0027s likely a module would need to be specifically crafted to trigger this panic.\n\nA panic in a host runtime represents a possible denial-of-service in some scenarios. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic.\n\n### Patches\n\nWasmtime 19.0.1 has been released to fix this problem. Users of 19.0.0 should upgrade to 19.0.1. All other versions of Wasmtime are not affected by this issue.\n\n### Workarounds\n\nIf upgrading is not possible it\u0027s recommended to use `config.reference_types(false)`. That will disable these modules at validation-time which prevents the possibility of a panic at runtime. If reference-types are required, however, then there is no other workaround at this time other than upgrading.\n\n### References\n\n* [Original bug report](https://github.com/bytecodealliance/wasmtime/issues/8281)\n* [PR to fix the bug](https://github.com/bytecodealliance/wasmtime/pull/8283)\n* [PR that introduced the bug](https://github.com/bytecodealliance/wasmtime/pull/8018)",
"id": "GHSA-75hq-h6g9-h4q5",
"modified": "2025-05-02T12:54:52Z",
"published": "2024-04-02T21:09:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-75hq-h6g9-h4q5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30266"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/issues/8281"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/pull/8018"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/pull/8283"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/commit/7f57d0bb0948fa56cc950278d0db230ed10e8664"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0441.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Wasmtime vulnerable to panic when using a dropped extenref-typed element segment"
}
GHSA-75VW-C383-9FJ8
Vulnerability from github – Published: 2024-12-30 21:30 – Updated: 2024-12-30 21:30Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24843.
{
"affected": [],
"aliases": [
"CVE-2024-13047"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-30T21:15:07Z",
"severity": "HIGH"
},
"details": "Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24843.",
"id": "GHSA-75vw-c383-9fj8",
"modified": "2024-12-30T21:30:47Z",
"published": "2024-12-30T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13047"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1731"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76Q6-RQ4J-JJ95
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Access of resource using incompatible type ('type confusion') in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-54109"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:15:56Z",
"severity": "MODERATE"
},
"details": "Access of resource using incompatible type (\u0027type confusion\u0027) in Windows Defender Firewall Service allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-76q6-rq4j-jj95",
"modified": "2025-09-09T18:31:21Z",
"published": "2025-09-09T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54109"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54109"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-772J-H9XW-FFP5
Vulnerability from github – Published: 2021-05-21 14:21 – Updated: 2024-10-28 21:22Impact
The API of tf.raw_ops.SparseCross allows combinations which would result in a CHECK-failure and denial of service:
import tensorflow as tf
hashed_output = False
num_buckets = 1949315406
hash_key = 1869835877
out_type = tf.string
internal_type = tf.string
indices_1 = tf.constant([0, 6], shape=[1, 2], dtype=tf.int64)
indices_2 = tf.constant([0, 0], shape=[1, 2], dtype=tf.int64)
indices = [indices_1, indices_2]
values_1 = tf.constant([0], dtype=tf.int64)
values_2 = tf.constant([72], dtype=tf.int64)
values = [values_1, values_2]
batch_size = 4
shape_1 = tf.constant([4, 122], dtype=tf.int64)
shape_2 = tf.constant([4, 188], dtype=tf.int64)
shapes = [shape_1, shape_2]
dense_1 = tf.constant([188, 127, 336, 0], shape=[4, 1], dtype=tf.int64)
dense_2 = tf.constant([341, 470, 470, 470], shape=[4, 1], dtype=tf.int64)
dense_3 = tf.constant([188, 188, 341, 922], shape=[4, 1], dtype=tf.int64)
denses = [dense_1, dense_2, dense_3]
tf.raw_ops.SparseCross(indices=indices, values=values, shapes=shapes, dense_inputs=denses, hashed_output=hashed_output,
num_buckets=num_buckets, hash_key=hash_key, out_type=out_type, internal_type=internal_type)
The above code will result in a CHECK fail in tensor.cc:
void Tensor::CheckTypeAndIsAligned(DataType expected_dtype) const {
CHECK_EQ(dtype(), expected_dtype)
<< " " << DataTypeString(expected_dtype) << " expected, got "
<< DataTypeString(dtype());
...
}
This is because the implementation is tricked to consider a tensor of type tstring which in fact contains integral elements:
if (DT_STRING == values_.dtype())
return Fingerprint64(values_.vec<tstring>().data()[start + n]);
return values_.vec<int64>().data()[start + n];
Fixing the type confusion by preventing mixing DT_STRING and DT_INT64 types solves this issue.
Patches
We have patched the issue in GitHub commit b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29519"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T23:29:36Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nThe API of `tf.raw_ops.SparseCross` allows combinations which would result in a `CHECK`-failure and denial of service:\n\n```python\nimport tensorflow as tf\n\nhashed_output = False\nnum_buckets = 1949315406\nhash_key = 1869835877\nout_type = tf.string \ninternal_type = tf.string\n\nindices_1 = tf.constant([0, 6], shape=[1, 2], dtype=tf.int64)\nindices_2 = tf.constant([0, 0], shape=[1, 2], dtype=tf.int64)\nindices = [indices_1, indices_2]\n\nvalues_1 = tf.constant([0], dtype=tf.int64)\nvalues_2 = tf.constant([72], dtype=tf.int64)\nvalues = [values_1, values_2]\n\nbatch_size = 4\nshape_1 = tf.constant([4, 122], dtype=tf.int64)\nshape_2 = tf.constant([4, 188], dtype=tf.int64)\nshapes = [shape_1, shape_2]\n\ndense_1 = tf.constant([188, 127, 336, 0], shape=[4, 1], dtype=tf.int64)\ndense_2 = tf.constant([341, 470, 470, 470], shape=[4, 1], dtype=tf.int64)\ndense_3 = tf.constant([188, 188, 341, 922], shape=[4, 1], dtype=tf.int64)\ndenses = [dense_1, dense_2, dense_3]\n\ntf.raw_ops.SparseCross(indices=indices, values=values, shapes=shapes, dense_inputs=denses, hashed_output=hashed_output,\n num_buckets=num_buckets, hash_key=hash_key, out_type=out_type, internal_type=internal_type)\n```\n\nThe above code will result in a `CHECK` fail in [`tensor.cc`](https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/framework/tensor.cc#L670-L675):\n\n```cc\nvoid Tensor::CheckTypeAndIsAligned(DataType expected_dtype) const {\n CHECK_EQ(dtype(), expected_dtype)\n \u003c\u003c \" \" \u003c\u003c DataTypeString(expected_dtype) \u003c\u003c \" expected, got \"\n \u003c\u003c DataTypeString(dtype());\n ...\n}\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/kernels/sparse_cross_op.cc#L114-L116) is tricked to consider a tensor of type `tstring` which in fact contains integral elements:\n\n```cc\n if (DT_STRING == values_.dtype())\n return Fingerprint64(values_.vec\u003ctstring\u003e().data()[start + n]);\n return values_.vec\u003cint64\u003e().data()[start + n];\n```\n\nFixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types solves this issue.\n\n### Patches\nWe have patched the issue in GitHub commit [b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025](https://github.com/tensorflow/tensorflow/commit/b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
"id": "GHSA-772j-h9xw-ffp5",
"modified": "2024-10-28T21:22:34Z",
"published": "2021-05-21T14:21:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-772j-h9xw-ffp5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29519"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-447.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-645.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-156.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CHECK-fail in SparseCross due to type confusion"
}
GHSA-77VH-XPMG-72QH
Vulnerability from github – Published: 2021-11-18 16:02 – Updated: 2021-11-24 19:43Impact
In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.
Patches
The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document.
Release v1.0.2 includes these updates.
Workarounds
Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields.
References
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/opencontainers/image-spec * Email us at security@opencontainers.org * https://github.com/opencontainers/image-spec/commits/v1.0.2
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opencontainers/image-spec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-17T23:13:41Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nIn the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.\n\n### Patches\nThe Image Specification will be updated to recommend that both manifest and index documents contain a `mediaType` field to identify the type of document.\nRelease [v1.0.2](https://github.com/opencontainers/image-spec/releases/tag/v1.0.2) includes these updates.\n\n### Workarounds\nSoftware attempting to deserialize an ambiguous document may reject the document if it contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields.\n\n### References\nhttps://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/opencontainers/image-spec\n* Email us at [security@opencontainers.org](mailto:security@opencontainers.org)\n* https://github.com/opencontainers/image-spec/commits/v1.0.2\n",
"id": "GHSA-77vh-xpmg-72qh",
"modified": "2021-11-24T19:43:35Z",
"published": "2021-11-18T16:02:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencontainers/image-spec"
},
{
"type": "WEB",
"url": "https://github.com/opencontainers/image-spec/releases/tag/v1.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Clarify `mediaType` handling"
}
GHSA-78H3-PG4X-J8CV
Vulnerability from github – Published: 2024-05-02 21:30 – Updated: 2024-11-25 19:28libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "libxmljs2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.35.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34394"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-03T20:24:18Z",
"nvd_published_at": "2024-05-02T19:15:06Z",
"severity": "CRITICAL"
},
"details": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which invokes `XmlNode::get_local_namespaces()`) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.",
"id": "GHSA-78h3-pg4x-j8cv",
"modified": "2024-11-25T19:28:05Z",
"published": "2024-05-02T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34394"
},
{
"type": "WEB",
"url": "https://github.com/marudor/libxmljs2/issues/205"
},
{
"type": "PACKAGE",
"url": "https://github.com/marudor/libxmljs2"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/libxmljs2-namespaces-type-confusion-rce-jfsa-2024-001034098"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML"
}
GHSA-78JQ-7M93-2FVG
Vulnerability from github – Published: 2022-05-17 03:06 – Updated: 2022-05-17 03:06Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly store internationalization metadata, which allows remote attackers to bypass intended access restrictions by leveraging "type confusion" and reading property values, related to i18n.js and runtime.cc.
{
"affected": [],
"aliases": [
"CVE-2014-1730"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-26T10:55:00Z",
"severity": "HIGH"
},
"details": "Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly store internationalization metadata, which allows remote attackers to bypass intended access restrictions by leveraging \"type confusion\" and reading property values, related to i18n.js and runtime.cc.",
"id": "GHSA-78jq-7m93-2fvg",
"modified": "2022-05-17T03:06:19Z",
"published": "2022-05-17T03:06:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1730"
},
{
"type": "WEB",
"url": "https://code.google.com/p/chromium/issues/detail?id=354967"
},
{
"type": "WEB",
"url": "https://code.google.com/p/v8/source/detail?r=20375"
},
{
"type": "WEB",
"url": "https://code.google.com/p/v8/source/detail?r=20377"
},
{
"type": "WEB",
"url": "https://code.google.com/p/v8/source/detail?r=20388"
},
{
"type": "WEB",
"url": "https://code.google.com/p/v8/source/detail?r=20593"
},
{
"type": "WEB",
"url": "https://code.google.com/p/v8/source/detail?r=20595"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2014/04/stable-channel-update_24.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00049.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-05/msg00050.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/58301"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60372"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201408-16.xml"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2920"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-78M7-4XGC-XRRQ
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Sashiko AI-review observed:
In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2).
IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18.
If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).
This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao.
Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info?
Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?
This patch implements the first suggestion.
I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
{
"affected": [],
"aliases": [
"CVE-2026-43038"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:48Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n and passed to icmp6_send(), it uses IP6CB(skb2).\n\n IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n at offset 18.\n\n If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n and uses ipv6_find_tlv(skb, opt-\u003edsthao, IPV6_TLV_HAO).\n\n This would scan the inner, attacker-controlled IPv6 packet starting at that\n offset, potentially returning a fake TLV without checking if the remaining\n packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n of the packet data into skb_shared_info?\n\n Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway.",
"id": "GHSA-78m7-4xgc-xrrq",
"modified": "2026-07-14T15:31:57Z",
"published": "2026-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43038"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43038.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e41953e7d118e2702bcb217879c173d9d1d3cd4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c438ba010171b70bad22fc18b1d5bdc3627476e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4437faf135da293d16fcc4cc607316742bd0ebb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2edbb6393972a02114b6003953a5cef3104fada"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86ab3e55673a7a49a841838776f1ab18d23a67b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3d5127d998de617b130aae96b138dba22ac6a8a7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ceeebd5bd6d855b17a5df625109bfe29129d7cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0452b6526b2f54b2413b9cb4ff1ea2ac542c99c7"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464397"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-43038"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30848"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30129"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25533"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24343"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23237"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23224"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22940"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-79R8-2QH7-XQP4
Vulnerability from github – Published: 2023-11-27 18:31 – Updated: 2025-11-04 21:30A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
{
"affected": [],
"aliases": [
"CVE-2023-41257"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-27T16:15:11Z",
"severity": "HIGH"
},
"details": "A type confusion vulnerability exists in the way Foxit Reader 12.1.2.15356 handles field value properties. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.",
"id": "GHSA-79r8-2qh7-xqp4",
"modified": "2025-11-04T21:30:48Z",
"published": "2023-11-27T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41257"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1838"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1838"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7F39-34RH-FGHP
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-08-28 00:32Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-1939"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:43:57Z",
"severity": "HIGH"
},
"details": "Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-7f39-34rh-fghp",
"modified": "2024-08-28T00:32:14Z",
"published": "2024-02-29T03:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1939"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_27.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/323694592"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGWSP5MIK7CDWJQHN2SJJX2YGSSS7E4O"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6KJCEJWJR5Z54Z75LRJGELDNMFDKLZG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTGM2WHYSZAUUPENB7YO6E5ONAKE6AKJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.