CacheResultAdvice does not validate an object returned by the underlying ICache implementation before allowing it to be returned. If a rogue object happens to be inserted into the cache, the aspect could return that object when it isn't compatible with the return type on the method signature. If the object returned is smaller than the expected type, access to fields on the expected type will exceed the bounds of the actual instance leading to access violations or unitialized memory being accessed by managed code. This can cause the .NET Runtime to crash with access violations or result in other unexpected errors.
Since this bug can trigger the .NET runtime to crash with an access violation, it should be treated as severe.
There are two primary ways this bug can be triggered.
First, this can happen when there is a cache collision (i.e., two methods use the same cache key to store values of different types).
Second, CacheResultAdvice caches null values by comparing a cached value with a static field on CacheResultAdvice (NullValue). If the ICache implementation uses serialization (for example a SQL cache, or memcached, etc.), it will return a different instance of System.Object. This will cause CacheResultAdvice to return that instance of System.Object instead of detecting that a null value was stored in the cache.
The supplied patch against trunk@r1064 includes unit tests to illustrate both problems and provides a fix.