TYPEPULSE: Detecting Type Confusion Bugs in Rust Programs

📅 2025-02-05
🤖 AI Summary
This work addresses type confusion vulnerabilities in Rust that arise from unsafe type conversions, specifically misalignment, layout inconsistency, and scope mismatch. It is the first to systematically define these three Rust-specific type confusion patterns. To detect them statically, TYPEPULSE models the program as an attributed property graph that jointly incorporates trait bound inference and pointer alias analysis, capturing Rust's ownership semantics and generic resolution. Evaluated on the top 3,000 crates, the tool identifies 71 previously unknown bugs; 32 have been confirmed by developers, one has been assigned a CVE and six have received RUSTSEC advisories, more than the total number of type confusion bugs reported in RUSTSEC over the past five years. The study bridges a gap in both the theoretical understanding and the practical detection of memory-safety violations stemming from unsafe type conversions in Rust.

📝 Abstract
Rust supports type conversions, and safe Rust guarantees their soundness through static type checking and strict ownership rules. However, programmers sometimes need unsafe Rust for certain conversions, especially those involving pointers, and such conversions can cause severe memory corruption. Despite extensive research on type confusion bugs in C/C++, type confusion bugs in Rust remain understudied, and because of the distinctive features of Rust's type system, existing C/C++ solutions cannot be applied directly. In this paper, we develop a static analysis tool called TYPEPULSE to detect three main categories of type confusion bugs in Rust: misalignment, inconsistent layout, and mismatched scope. TYPEPULSE first performs a type conversion analysis to collect type pairs and determine their trait bounds. It then performs a pointer alias analysis to resolve the alias relationships between pointers. After integrating this information into a property graph, it constructs type patterns and detects each category of bug across a range of conversion scenarios. We run TYPEPULSE on the top 3,000 Rust packages and uncover 71 new type confusion bugs, exceeding the total number of type confusion bugs reported in RUSTSEC over the past five years. We have received 32 confirmations from developers, along with one CVE ID and six RUSTSEC IDs.
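The abstract names three bug categories but does not define them. The following added example is not from the paper or the TYPEPULSE tool; it is one reading of the three names, written by the editor, with each unsound conversion shown beside a checked version that refuses the bad case instead of performing it. The `Pod` marker trait, the `Aligned`/`Pair`/`Quad`/`Owned` types and the sample byte buffer are all constructed for illustration.

```rust
// Added example, not code from the TYPEPULSE paper. Three hypothetical
// instances of the bug classes the abstract names (misalignment, inconsistent
// layout, mismatched scope), each next to a conversion that checks its
// precondition at run time rather than assuming it.
use std::mem::{align_of, size_of};

/// Marker for plain-old-data types: every bit pattern is a valid value and
/// the layout is defined (repr(C)). Implemented only for the example types.
unsafe trait Pod: Copy {}
unsafe impl Pod for u32 {}

/// Constructed sample buffer, forced to 4-byte alignment so that offset 1
/// is reliably misaligned for u32 and offset 4 is reliably aligned.
#[repr(C, align(4))]
struct Aligned([u8; 8]);
static DATA: Aligned = Aligned([0xAA, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00]);

/// Misalignment: `bytes.as_ptr() as *const T` is a legal cast, but reading
/// through it is undefined behaviour unless the address is a multiple of
/// align_of::<T>(). Returns None for short or misaligned input.
fn read_aligned<T: Pod>(bytes: &[u8]) -> Option<T> {
    if bytes.len() < size_of::<T>() {
        return None; // the read would run past the slice
    }
    let p = bytes.as_ptr();
    if (p as usize) % align_of::<T>() != 0 {
        return None; // misaligned: the unchecked version is the bug
    }
    // SAFETY: length and alignment checked above; T: Pod, so any bits are valid.
    Some(unsafe { (p as *const T).read() })
}

/// The correct primitive when the source is an arbitrary byte offset:
/// read_unaligned has no alignment precondition, only a length one.
fn read_unaligned_u32(bytes: &[u8]) -> Option<u32> {
    if bytes.len() < size_of::<u32>() {
        return None;
    }
    // SAFETY: length checked; read_unaligned tolerates any alignment.
    Some(unsafe { (bytes.as_ptr() as *const u32).read_unaligned() })
}

#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
struct Pair { a: u32, b: u32 }
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
struct Quad { a: u32, b: u32, c: u32, d: u32 }
unsafe impl Pod for Pair {}
unsafe impl Pod for Quad {}

/// Inconsistent layout: `&*(p as *const Quad)` with p pointing at a Pair reads
/// eight bytes beyond the Pair. Refuse a target that is larger or more
/// strictly aligned than the source; a &A is always aligned for A.
fn view_as<A: Pod, B: Pod>(a: &A) -> Option<&B> {
    if size_of::<B>() > size_of::<A>() || align_of::<B>() > align_of::<A>() {
        return None;
    }
    // SAFETY: B fits inside A with compatible alignment; both are Pod.
    Some(unsafe { &*(a as *const A as *const B) })
}

/// Mismatched scope: the raw pointer outlives the allocation it points into.
/// `v` is freed when this function returns, so the result is dangling and is
/// never dereferenced in this example.
fn dangling() -> *const u32 {
    let v = vec![7u32, 8, 9];
    v.as_ptr()
}

/// The owner travels with the pointer, so their scopes cannot diverge.
struct Owned { buf: Vec<u32>, ptr: *const u32 }
impl Owned {
    fn new(data: &[u32]) -> Self {
        let buf = data.to_vec();
        let ptr = buf.as_ptr(); // heap address survives the move of `buf`
        Owned { buf, ptr }
    }
    fn first(&self) -> Option<u32> {
        if self.buf.is_empty() {
            return None; // an empty Vec's pointer must not be read
        }
        // SAFETY: ptr points into self.buf, which lives as long as self.
        Some(unsafe { *self.ptr })
    }
}

fn main() {
    println!("misaligned read: {:?}", read_aligned::<u32>(&DATA.0[1..]));
    println!("aligned read:    {:?}", read_aligned::<u32>(&DATA.0[4..]));
    println!("unaligned read:  {:?}", read_unaligned_u32(&DATA.0[1..]));
    let pair = Pair { a: 1, b: 2 };
    println!("Pair as Quad: {:?}", view_as::<Pair, Quad>(&pair));
    println!("Pair as u32:  {:?}", view_as::<Pair, u32>(&pair));
    println!("owned first:  {:?}", Owned::new(&[7, 8, 9]).first());
    let _never_read = dangling();
}
```

The run-time checks stand in for what the paper does statically: a tool like TYPEPULSE has to prove the alignment, size and lifetime preconditions of each `as`-cast and `transmute` at analysis time, because in the unchecked form none of these failures is visible at the cast itself, only at the later read.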
Problem

Research questions and friction points this paper is trying to address.

Detect type confusion bugs (misalignment, inconsistent layout, mismatched scope) introduced by unsafe type conversions in Rust
Existing C/C++ type confusion detectors do not transfer to Rust's type system (traits, generics, ownership)
Provide a static analysis tool that scales to the top 3,000 Rust packages
Innovation

Methods, ideas, or system contributions that make the work stand out.

TYPEPULSE, a static analysis tool that matches type confusion patterns on a property graph
Type conversion analysis that collects type pairs and determines their trait bounds
Pointer alias analysis that resolves alias relationships between pointers