shared × unstructured — bad data written permanently, and it spreads

Type-Confusion Memory Corruption

A value read as one type but used as another writes through a bad pointer, corrupting whatever shared memory sits at that address.

01the recipe

In the wild

compound ofType Errors in Dynamic LanguagesCWE-843 Type ConfusionPointer MismanagementCWE-787 OOB WritecompoundCWE-119 Buffer Bounds

example.c

// SMELL: an integer id reinterpreted as a pointer, then written through.
// (type errors x pointer mismanagement)
union { long handle; char *ptr; } u;
u.handle = read_id();              // really an integer id from input
memcpy(u.ptr, payload, len);       // ...used as a pointer -> writes to a wild
                                   // address, corrupting adjacent shared state

// RIGHT: keep the types distinct; resolve the id to a checked object.
long id = read_id();
Object *o = lookup(id);            // id -> a real, bounds-checked object
if (o) memcpy(o->buf, payload, MIN(len, sizeof o->buf));

Treating an integer id as a pointer is an incompatible-type access (CWE-843); the write through it lands at an out-of-bounds address, silently corrupting objects other code later reads. Keep the types separate and resolve the id to a checked object before any write.

// observed

confusion: bytes written to a wild address -- adjacent state corrupted
right: id resolved to a bounds-checked object; the write stays in bounds

02weakness catalog

Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.