CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-3QV9-34QR-5G8R
Vulnerability from github – Published: 2022-05-17 02:44 – Updated: 2022-05-17 02:44All versions of the NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a pointer passed from a user to the driver is not correctly validated before it is dereferenced for a write operation, may lead to denial of service or potential escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2017-0349"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-09T21:29:00Z",
"severity": "HIGH"
},
"details": "All versions of the NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a pointer passed from a user to the driver is not correctly validated before it is dereferenced for a write operation, may lead to denial of service or potential escalation of privileges.",
"id": "GHSA-3qv9-34qr-5g8r",
"modified": "2022-05-17T02:44:01Z",
"published": "2022-05-17T02:44:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0349"
},
{
"type": "WEB",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4462"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98513"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QX4-PQ69-7JWX
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-04 21:31In the Linux kernel, the following vulnerability has been resolved:
net: ti: icss-iep: Fix possible NULL pointer dereference for perout request
The ICSS IEP driver tracks perout and pps enable state with flags. Currently when disabling pps and perout signals during icss_iep_exit(), results in NULL pointer dereference for perout.
To fix the null pointer dereference issue, the icss_iep_perout_enable_hw function can be modified to directly clear the IEP CMP registers when disabling PPS or PEROUT, without referencing the ptp_perout_request structure, as its contents are irrelevant in this case.
{
"affected": [],
"aliases": [
"CVE-2025-37784"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T14:15:42Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icss-iep: Fix possible NULL pointer dereference for perout request\n\nThe ICSS IEP driver tracks perout and pps enable state with flags.\nCurrently when disabling pps and perout signals during icss_iep_exit(),\nresults in NULL pointer dereference for perout.\n\nTo fix the null pointer dereference issue, the icss_iep_perout_enable_hw\nfunction can be modified to directly clear the IEP CMP registers when\ndisabling PPS or PEROUT, without referencing the ptp_perout_request\nstructure, as its contents are irrelevant in this case.",
"id": "GHSA-3qx4-pq69-7jwx",
"modified": "2025-11-04T21:31:32Z",
"published": "2025-05-01T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37784"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7349c9e9979333abfce42da5f9025598083b59c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7891619d21f07a88e0275d6d43db74035aa74f69"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da5035d7aeadcfa44096dd34689bfed6c657f559"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eeec66327001421531b3fb1a2ac32efc8a2493b0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R2J-2686-WG8H
Vulnerability from github – Published: 2025-08-11 12:30 – Updated: 2025-08-11 12:30A vulnerability was determined in NASM Netwide Assember 2.17rc0. This vulnerability affects the function parse_smacro_template of the file preproc.c. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-8844"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-11T12:15:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in NASM Netwide Assember 2.17rc0. This vulnerability affects the function parse_smacro_template of the file preproc.c. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-3r2j-2686-wg8h",
"modified": "2025-08-11T12:30:35Z",
"published": "2025-08-11T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8844"
},
{
"type": "WEB",
"url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392936"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/10TSdMErFTBtLFIwfh_fia635cmtmFuei/view?usp=drive_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.319378"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.319378"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.623187"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.623196"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.623198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3R3J-9M7C-H35G
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:14The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.
{
"affected": [],
"aliases": [
"CVE-2019-11555"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-26T22:29:00Z",
"severity": "MODERATE"
},
"details": "The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.",
"id": "GHSA-3r3j-9m7c-h35g",
"modified": "2024-04-04T00:14:57Z",
"published": "2022-05-24T16:44:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11555"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5T7G763UECWR7FQXOJVL67PW7C5A3SA4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJKZHAT5KPUN26JL77EUH563GAH5XZ5C"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IQ6P2GI5GSXRNLNIUNPARFZQVDEIGVZD"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/40"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/64"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.asc"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201908-25"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3969-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3969-2"
},
{
"type": "WEB",
"url": "https://w1.fi/security/2019-5"
},
{
"type": "WEB",
"url": "https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4450"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/04/18/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/04/26/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R4J-6H5P-7VP5
Vulnerability from github – Published: 2024-11-12 21:30 – Updated: 2024-11-12 21:30Illustrator versions 28.7.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-47457"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T19:15:16Z",
"severity": "MODERATE"
},
"details": "Illustrator versions 28.7.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-3r4j-6h5p-7vp5",
"modified": "2024-11-12T21:30:53Z",
"published": "2024-11-12T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47457"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/illustrator/apsb24-87.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R5X-P9RP-JRMV
Vulnerability from github – Published: 2025-11-28 15:30 – Updated: 2025-11-28 15:30Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited, a local, authenticated user with Administrator privileges can improperly load the driver as a generic kernel service. This triggers the flaw, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine.
{
"affected": [],
"aliases": [
"CVE-2025-11156"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-28T15:15:59Z",
"severity": "MODERATE"
},
"details": "Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited,\u00a0a local, authenticated user with Administrator privileges\u00a0can improperly load the driver as a generic kernel service. This triggers the flaw, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine.",
"id": "GHSA-3r5x-p9rp-jrmv",
"modified": "2025-11-28T15:30:30Z",
"published": "2025-11-28T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11156"
},
{
"type": "WEB",
"url": "https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3R64-GPPM-622W
Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-22 18:30In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Fix NULL pointer dereference when printing dev_name
When larbdev is NULL (in the case I hit, the node is incorrectly set iommus = <&iommu NUM>), it will cause device_link_add() fail and kernel crashes when we try to print dev_name(larbdev).
Let's fail the probe if a larbdev is NULL to avoid invalid inputs from dts.
It should work for normal correct setting and avoid the crash caused by my incorrect setting.
Error log: [ 18.189042][ T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 ... [ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO) [ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] [ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu] [ 18.346884][ T301] sp : ffffffc00a5635e0 [ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8 [ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38 [ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38 [ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38 [ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000 [ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0 [ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004 [ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420 [ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003 [ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2 [ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00 [ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000 [ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001 [ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005 [ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000 [ 18.360208][ T301] Hardware name: MT6873 (DT) [ 18.360771][ T301] Call trace: [ 18.361168][ T301] dump_backtrace+0xf8/0x1f0 [ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c [ 18.362305][ T301] dump_stack+0x1c/0x2c [ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump] [ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump] [ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8 [ 18.364937][ T301] die+0x16c/0x568 [ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214 [ 18.365402][ T301] do_page_fault+0xb8/0x678 [ 18.366934][ T301] do_translation_fault+0x48/0x64 [ 18.368645][ T301] do_mem_abort+0x68/0x148 [ 18.368652][ T301] el1_abort+0x40/0x64 [ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88 [ 18.368668][ T301] el1h_64_sync+0x68/0x6c [ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] ...
{
"affected": [],
"aliases": [
"CVE-2022-49424"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer dereference when printing dev_name\n\nWhen larbdev is NULL (in the case I hit, the node is incorrectly set\niommus = \u003c\u0026iommu NUM\u003e), it will cause device_link_add() fail and\nkernel crashes when we try to print dev_name(larbdev).\n\nLet\u0027s fail the probe if a larbdev is NULL to avoid invalid inputs from\ndts.\n\nIt should work for normal correct setting and avoid the crash caused\nby my incorrect setting.\n\nError log:\n[ 18.189042][ T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n...\n[ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO)\n[ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n[ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu]\n[ 18.346884][ T301] sp : ffffffc00a5635e0\n[ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8\n[ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38\n[ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38\n[ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38\n[ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000\n[ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0\n[ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004\n[ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420\n[ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003\n[ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2\n[ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00\n[ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000\n[ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001\n[ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005\n[ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000\n[ 18.360208][ T301] Hardware name: MT6873 (DT)\n[ 18.360771][ T301] Call trace:\n[ 18.361168][ T301] dump_backtrace+0xf8/0x1f0\n[ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c\n[ 18.362305][ T301] dump_stack+0x1c/0x2c\n[ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump]\n[ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump]\n[ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8\n[ 18.364937][ T301] die+0x16c/0x568\n[ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214\n[ 18.365402][ T301] do_page_fault+0xb8/0x678\n[ 18.366934][ T301] do_translation_fault+0x48/0x64\n[ 18.368645][ T301] do_mem_abort+0x68/0x148\n[ 18.368652][ T301] el1_abort+0x40/0x64\n[ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88\n[ 18.368668][ T301] el1h_64_sync+0x68/0x6c\n[ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n...",
"id": "GHSA-3r64-gppm-622w",
"modified": "2025-10-22T18:30:30Z",
"published": "2025-10-22T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49424"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8837c2682b9b2eed83e6212bcf79850c593a6fee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c3c2734e28d7fac50228c4d2b8896e8695adf304"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de78657e16f41417da9332f09c2d67d100096939"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9c63c0f73a1bbfd02624f5eae7e881df8b6830f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R6X-WMFJ-R38F
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
{
"affected": [],
"aliases": [
"CVE-2025-62465"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T18:15:58Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.",
"id": "GHSA-3r6x-wmfj-r38f",
"modified": "2025-12-09T18:30:46Z",
"published": "2025-12-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62465"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62465"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R7X-52Q9-W4PW
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-05 18:14In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix NULL pointer in can_accept_new_subflow
When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.
Call trace:
mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ...
According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons.
Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here.
This patch fixes this issue by moving the 'subflow_req->msk' under the
own_req == true conditional.
Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.
{
"affected": [],
"aliases": [
"CVE-2025-23145"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T13:15:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n\u0027mptcp_can_accept_new_subflow\u0027 because subflow_req-\u003emsk is NULL.\n\nCall trace:\n\n mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n ip_local_deliver (./net/ipv4/ip_input.c:254)\n ip_rcv_finish (./net/ipv4/ip_input.c:449)\n ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n\u0027subflow_req-\u003emsk\u0027 ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the \u0027subflow_req-\u003emsk\u0027 under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to.",
"id": "GHSA-3r7x-52q9-w4pw",
"modified": "2025-11-05T18:14:23Z",
"published": "2025-05-01T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23145"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R8G-C43C-9GW2
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 21:31In the Linux kernel, the following vulnerability has been resolved:
md-cluster: fix NULL pointer dereference in process_metadata_update
The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro.
While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):
- bitmap_load() is called, which invokes md_cluster_ops->join().
- join() starts the "cluster_recv" thread (recv_daemon).
- At this point, recv_daemon is active and processing messages.
- However, mddev->thread (the main MD thread) is not initialized until later in md_run().
If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.
To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
{
"affected": [],
"aliases": [
"CVE-2026-43271"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-cluster: fix NULL pointer dereference in process_metadata_update\n\nThe function process_metadata_update() blindly dereferences the \u0027thread\u0027\npointer (acquired via rcu_dereference_protected) within the wait_event()\nmacro.\n\nWhile the code comment states \"daemon thread must exist\", there is a valid\nrace condition window during the MD array startup sequence (md_run):\n\n1. bitmap_load() is called, which invokes md_cluster_ops-\u003ejoin().\n2. join() starts the \"cluster_recv\" thread (recv_daemon).\n3. At this point, recv_daemon is active and processing messages.\n4. However, mddev-\u003ethread (the main MD thread) is not initialized until\n later in md_run().\n\nIf a METADATA_UPDATED message is received from a remote node during this\nspecific window, process_metadata_update() will be called while\nmddev-\u003ethread is still NULL, leading to a kernel panic.\n\nTo fix this, we must validate the \u0027thread\u0027 pointer. If it is NULL, we\nrelease the held lock (no_new_dev_lockres) and return early, safely\nignoring the update request as the array is not yet fully ready to\nprocess it.",
"id": "GHSA-3r8g-c43c-9gw2",
"modified": "2026-05-08T21:31:21Z",
"published": "2026-05-06T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43271"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.