CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
Incomplete
2011-06-01
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Naam: Access of Resource Using Incompatible Type ('Type Confusion')
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Algemene informatie
Introductiemodi
ImplementationToepasselijke platforms
Taal
Name: C (Undetermined)Name: C++ (Undetermined)
Veelvoorkomende gevolgen
| Bereik | Impact | Waarschijnlijkheid |
|---|---|---|
| Availability Integrity Confidentiality | Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart Note: When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution. |
Waargenomen voorbeelden
| Referenties | Beschrijving |
|---|---|
CVE-2025-32352 | Type confusion in PHP app allows authentication bypass when users have passwords whose MD5 hashes can be interpreted as numbers |
CVE-2010-4577 | Type confusion in CSS sequence leads to out-of-bounds read. |
CVE-2011-0611 | Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild. |
CVE-2010-0258 | Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended. |
Detectiemethoden
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Effectiviteit : High
Notities kwetsbaarheidsmapping
Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notities
Referenties
REF-811
Attacking InteroperabilityMark Dowd, Ryan Smith, David Dewey.
http://hustlelabs.com/stuff/bh2009_dowd_smith_dewey.pdf
REF-62
The Art of Software Security AssessmentMark Dowd, John McDonald, Justin Schuh.
Indiening
| Naam | Organisatie | Datum | Releasedatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.13 |
Wijzigingen
| Naam | Organisatie | Datum | Opmerking |
|---|---|---|---|
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Research_Gaps | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Detection_Factors, Observed_Examples, Weakness_Ordinalities |
