Type Confusion Vulnerability
What is Type Confusion Vulnerability?
Type Confusion Vulnerability
A memory-safety bug where code accesses an object using a type incompatible with its real allocation, often enabling arbitrary read, write, or code execution.
A type confusion vulnerability arises when a program reads or writes memory through a pointer or reference whose declared type differs from the underlying object's actual type. The typical trigger is a missing or incorrect downcast, mishandled polymorphism, or a speculative JIT optimization that assumes an object shape the attacker can later change. Once the runtime treats a structure as the wrong type, its methods, vtables, length fields, and inline data are misinterpreted, giving the attacker controlled read/write primitives that often escalate to code execution. JavaScript engines (V8 in Chrome, JSC in Safari) and browser renderers are frequent targets, and such bugs are often demonstrated at Pwn2Own. Defenses include strong type systems, runtime checks, sandboxing, and bounds-safe languages.
● Examples
- 01: CVE-2021-30551, a V8 type confusion exploited as a 0-day in Chrome.
- 02: A C++ static_cast where dynamic_cast was required, allowing a child-class write into an unrelated object.
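The second example above, shown in working code. This is an added illustration, not code from the original page: the Shape/Circle/Square hierarchy and the function names are constructed for the demonstration. The unchecked version trusts the caller's claim about the object's type and writes into whatever object is actually there; the checked version uses dynamic_cast, which consults RTTI and refuses the write when the dynamic type does not match.

```cpp
#include <cstdio>

// Hypothetical hierarchy constructed for this example. Shape has a vtable
// pointer so that dynamic_cast can inspect the object's real type.
struct Shape {
    virtual ~Shape() = default;
};

struct Circle : Shape {
    double radius = 1.0;
};

struct Square : Shape {
    double side = 2.0;
};

// Vulnerable: static_cast performs no runtime check. When `s` really points
// at a Square, the store lands in the Square's `side` field (same offset in
// this layout); with differently sized classes it would run past the
// allocation entirely.
void set_radius_unchecked(Shape* s, double r) {
    static_cast<Circle*>(s)->radius = r;
}

// Fixed: dynamic_cast returns nullptr when the object's dynamic type is not
// Circle, so the mismatch is rejected instead of corrupting memory.
bool set_radius_checked(Shape* s, double r) {
    Circle* c = dynamic_cast<Circle*>(s);
    if (c == nullptr) {
        return false;  // type mismatch caught at runtime
    }
    c->radius = r;
    return true;
}

// Runs the vulnerable path against a Square and reports its `side` field
// afterwards, so the misinterpretation is observable.
double square_side_after_unchecked(double r) {
    Square sq;
    set_radius_unchecked(&sq, r);  // Square silently treated as a Circle
    return sq.side;
}

// Runs the fixed path against a Square; `side` stays untouched.
double square_side_after_checked(double r) {
    Square sq;
    bool ok = set_radius_checked(&sq, r);
    (void)ok;  // false here: the bad cast was refused
    return sq.side;
}

int main() {
    std::printf("unchecked: square.side = %g\n", square_side_after_unchecked(42.0));
    std::printf("checked:   square.side = %g\n", square_side_after_checked(42.0));
    return 0;
}
```

Compile with RTTI enabled (the default for g++ and clang++); building with -fno-rtti would make dynamic_cast unavailable, which is exactly the situation in which code bases fall back to unchecked static_cast and need some other discriminator before downcasting.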
● Frequently asked questions
What is Type Confusion Vulnerability?
A memory-safety bug where code accesses an object using a type incompatible with its real allocation, often enabling arbitrary read, write, or code execution. It belongs to the Application Security category of cybersecurity.
What does Type Confusion Vulnerability mean?
A memory-safety bug where code accesses an object using a type incompatible with its real allocation, often enabling arbitrary read, write, or code execution.
How does Type Confusion Vulnerability work?
A type confusion vulnerability arises when a program reads or writes memory through a pointer or reference whose declared type differs from the underlying object's actual type. The typical trigger is a missing or incorrect downcast, mishandled polymorphism, or a speculative JIT optimization that assumes an object shape the attacker can later change. Once the runtime treats a structure as the wrong type, its methods, vtables, length fields, and inline data are misinterpreted, giving the attacker controlled read/write primitives that often escalate to code execution. JavaScript engines (V8 in Chrome, JSC in Safari) and browser renderers are frequent targets, and such bugs are often demonstrated at Pwn2Own. Defenses include strong type systems, runtime checks, sandboxing, and bounds-safe languages.
How do you defend against Type Confusion Vulnerability?
Defences for Type Confusion Vulnerability typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Type Confusion Vulnerability?
Common alternative names include: Bad cast, Type-mismatch bug.
● Related terms
- Use-After-Free (vulnerabilities № 1193): A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.
- Memory Corruption (vulnerabilities № 667): An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type-safety, control flow, or data integrity.
- JIT Spray (appsec № 564): An exploit technique that abuses just-in-time compilers to plant attacker-chosen executable bytes inside legitimately generated, executable memory pages.
- Browser Sandbox (appsec № 129): An OS-level isolation layer that confines a browser's renderer and helper processes so that compromised web code cannot read the file system or other applications.
- Speculative Execution Side Channel (appsec № 1075): A microarchitectural vulnerability class where CPUs leak data through caches and predictors after executing instructions speculatively along paths that should not have run.
- Exploit (vulnerabilities № 399): A piece of code, data, or technique that takes advantage of a vulnerability to cause unintended behaviour such as code execution, privilege escalation, or information disclosure.