Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-3XWF-R3FV-8C54

Vulnerability from github – Published: 2024-09-04 21:30 – Updated: 2026-05-12 12:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix null pointer deref in bond_ipsec_offload_ok

We must check if there is an active slave before dereferencing the pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-04T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix null pointer deref in bond_ipsec_offload_ok\n\nWe must check if there is an active slave before dereferencing the pointer.",
  "id": "GHSA-3xwf-r3fv-8c54",
  "modified": "2026-05-12T12:32:07Z",
  "published": "2024-09-04T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44990"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0707260a18312bbcd2a5668584e3692d0a29e3f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f5bdd68c1ce64bda6bef4d361a3de23b04ccd59"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32a0173600c63aadaf2103bf02f074982e8602ab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81216b9352be43f8958092d379f6dec85443c309"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95c90e4ad89d493a7a14fa200082e466e2548f9d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b70b0ddfed31fc92c8dc722d0afafc8e14cb550c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3XX5-G4FV-W39V

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-10-26 12:00
VLAI
Details

A vulnerability has been identified in JT Utilities (All versions < V13.0.2.0). When parsing specially crafted JT files, a race condition could cause an object to be released before being operated on, leading to NULL pointer deference condition and causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-13T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in JT Utilities (All versions \u003c V13.0.2.0). When parsing specially crafted JT files, a race condition could cause an object to be released before being operated on, leading to NULL pointer deference condition and causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.",
  "id": "GHSA-3xx5-g4fv-w39v",
  "modified": "2022-10-26T12:00:31Z",
  "published": "2022-05-24T19:07:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33715"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-209268.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3XXJ-PCR2-RVH7

Vulnerability from github – Published: 2022-02-20 00:00 – Updated: 2022-03-02 00:00
VLAI
Details

NULL Pointer Dereference in Homebrew mruby prior to 3.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Dereference in Homebrew mruby prior to 3.2.",
  "id": "GHSA-3xxj-pcr2-rvh7",
  "modified": "2022-03-02T00:00:35Z",
  "published": "2022-02-20T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0632"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mruby/mruby/commit/44f591aa8f7091e6ca6cb418e428ae6d4ceaf77d"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3e5bb8f6-30fd-4553-86dd-761e9459ce1b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-422Q-RPJC-CFGP

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer dereference exists in the function be_uint32_read() located in endianrw.h. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-17T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer dereference exists in the function be_uint32_read() located in endianrw.h. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.",
  "id": "GHSA-422q-rpjc-cfgp",
  "modified": "2022-05-13T01:02:32Z",
  "published": "2022-05-13T01:02:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8379"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2332"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-the-function-be_uint32_read-advancecomp"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/advancemame/bugs/271"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4235-RV3M-2XWX

Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21
VLAI
Details

In libwebm before 2019-03-08, a NULL pointer dereference caused by the functions OutputCluster and OutputTracks in webm_info.cc will trigger an abort, which allows a DoS attack, a similar issue to CVE-2018-19212.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-13T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "In libwebm before 2019-03-08, a NULL pointer dereference caused by the functions OutputCluster and OutputTracks in webm_info.cc will trigger an abort, which allows a DoS attack, a similar issue to CVE-2018-19212.",
  "id": "GHSA-4235-rv3m-2xwx",
  "modified": "2022-05-14T01:21:00Z",
  "published": "2022-05-14T01:21:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9746"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/webm/issues/detail?id=1605"
    },
    {
      "type": "WEB",
      "url": "https://chromium.googlesource.com/webm/libwebm/+/2427abe0bde234987ed005a3adca461e9a85dfb7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-427Q-63Q6-GGX8

Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

soc: bcm: Check for NULL return of devm_kzalloc()

As the potential failure of allocation, devm_kzalloc() may return NULL. Then the 'pd->pmb' and the follow lines of code may bring null pointer dereference.

Therefore, it is better to check the return value of devm_kzalloc() to avoid this confusion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:21Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: bcm: Check for NULL return of devm_kzalloc()\n\nAs the potential failure of allocation, devm_kzalloc() may return NULL.  Then\nthe \u0027pd-\u003epmb\u0027 and the follow lines of code may bring null pointer dereference.\n\nTherefore, it is better to check the return value of devm_kzalloc() to avoid\nthis confusion.",
  "id": "GHSA-427q-63q6-ggx8",
  "modified": "2025-03-17T18:31:48Z",
  "published": "2025-03-17T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49448"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36339ea7bae4943be01c8e9545e46e334591fecd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5650e103bfc70156001615861fb8aafb3947da6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b48b98743b568bb219152ba2e15af6ef0d3d8a9b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4bd2aafacce48db26b0a213d849818d940556dd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-428F-PQR9-FGRH

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-12-17 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfs: handle failure of nfs_get_lock_context in unlock path

When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example:

BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]---

Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T10:15:34Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: handle failure of nfs_get_lock_context in unlock path\n\nWhen memory is insufficient, the allocation of nfs_lock_context in\nnfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat\nan nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)\nas valid and proceed to execute rpc_run_task(), this will trigger a NULL\npointer dereference in nfs4_locku_prepare. For example:\n\nBUG: kernel NULL pointer dereference, address: 000000000000000c\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP PTI\nCPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40\nWorkqueue: rpciod rpc_async_schedule\nRIP: 0010:nfs4_locku_prepare+0x35/0xc2\nCode: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3\nRSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246\nRAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40\nRBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38\nR10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030\nR13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30\nFS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __rpc_execute+0xbc/0x480\n rpc_async_schedule+0x2f/0x40\n process_one_work+0x232/0x5d0\n worker_thread+0x1da/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10d/0x240\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nModules linked in:\nCR2: 000000000000000c\n---[ end trace 0000000000000000 ]---\n\nFree the allocated nfs4_unlockdata when nfs_get_lock_context() fails and\nreturn NULL to terminate subsequent rpc_run_task, preventing NULL pointer\ndereference.",
  "id": "GHSA-428f-pqr9-fgrh",
  "modified": "2025-12-17T21:30:31Z",
  "published": "2025-06-18T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38023"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c189fd40a09a03f9a900bedb2d9064f1734d72a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72f552e00c50f265896d3c19edc6696aa2910081"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/85fb7f8ca5f8c138579fdfc9b97b3083e6077d40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6879a076b98c99c9fe747816fe1c29543442441"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c457dc1ec770a22636b473ce5d35614adfe97636"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da824f1271633bcb515ca8084cda3eda4b3ace51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db6f5ee1fc8f54d079d0751292c2fc2d78e3aad1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f601960af04d2ecb007c928ba153d34051acd9c1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42FR-8XJF-GHXH

Vulnerability from github – Published: 2022-05-01 07:39 – Updated: 2022-05-01 07:39
VLAI
Details

FileZilla Server before 0.9.22 allows remote attackers to cause a denial of service (crash) via a wildcard argument to the (1) LIST or (2) NLST commands, which results in a NULL pointer dereference, a different set of vectors than CVE-2006-6564. NOTE: CVE analysis suggests that the problem might be due to a malformed PORT command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-6565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-12-15T11:28:00Z",
    "severity": "MODERATE"
  },
  "details": "FileZilla Server before 0.9.22 allows remote attackers to cause a denial of service (crash) via a wildcard argument to the (1) LIST or (2) NLST commands, which results in a NULL pointer dereference, a different set of vectors than CVE-2006-6564.  NOTE: CVE analysis suggests that the problem might be due to a malformed PORT command.",
  "id": "GHSA-42fr-8xjf-ghxh",
  "modified": "2022-05-01T07:39:19Z",
  "published": "2022-05-01T07:39:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6565"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30853"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/2914"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/project/shownotes.php?release_id=470364\u0026group_id=21558"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/4937"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-42HW-46GP-FFQ7

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-10 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: insert tree mod log move in push_node_left

There is a fairly unlikely race condition in tree mod log rewind that can result in a kernel panic which has the following trace:

[530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096 [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096 [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002 [530.618] #PF: supervisor read access in kernel mode [530.629] #PF: error_code(0x0000) - not-present page [530.641] PGD 0 P4D 0 [530.647] Oops: 0000 [#1] SMP [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1 [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017 [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00 [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246 [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100 [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8 [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000 [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0 [530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000 [530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0 [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [530.928] Call Trace: [530.934] ? btrfs_printk+0x13b/0x18c [530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130 [530.955] btrfs_map_bio+0x75/0x330 [530.963] ? kmem_cache_alloc+0x12a/0x2d0 [530.973] ? btrfs_submit_metadata_bio+0x63/0x100 [530.984] btrfs_submit_metadata_bio+0xa4/0x100 [530.995] submit_extent_page+0x30f/0x360 [531.004] read_extent_buffer_pages+0x49e/0x6d0 [531.015] ? submit_extent_page+0x360/0x360 [531.025] btree_read_extent_buffer_pages+0x5f/0x150 [531.037] read_tree_block+0x37/0x60 [531.046] read_block_for_search+0x18b/0x410 [531.056] btrfs_search_old_slot+0x198/0x2f0 [531.066] resolve_indirect_ref+0xfe/0x6f0 [531.076] ? ulist_alloc+0x31/0x60 [531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0 [531.095] find_parent_nodes+0x720/0x1830 [531.105] ? ulist_alloc+0x10/0x60 [531.113] iterate_extent_inodes+0xea/0x370 [531.123] ? btrfs_previous_extent_item+0x8f/0x110 [531.134] ? btrfs_search_path_in_tree+0x240/0x240 [531.146] iterate_inodes_from_logical+0x98/0xd0 [531.157] ? btrfs_search_path_in_tree+0x240/0x240 [531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180 [531.179] btrfs_ioctl+0xe2/0x2eb0

This occurs when logical inode resolution takes a tree mod log sequence number, and then while backref walking hits a rewind on a busy node which has the following sequence of tree mod log operations (numbers filled in from a specific example, but they are somewhat arbitrary)

REMOVE_WHILE_FREEING slot 532 REMOVE_WHILE_FREEING slot 531 REMOVE_WHILE_FREEING slot 530 ... REMOVE_WHILE_FREEING slot 0 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0 ADD slot 455 ADD slot 454 ADD slot 453 ... ADD slot 0 MOVE src slot 0 -> dst slot 456 nritems 533 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0

When this sequence gets applied via btrfs_tree_mod_log_rewind, it allocates a fresh rewind eb, and first inserts the correct key info for the 533 elements, then overwrites the first 456 of them, then decrements the count by 456 via the add ops, then rewinds the move by doing a memmove from 456:988->0:532. We have never written anything past 532, ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: insert tree mod log move in push_node_left\n\nThere is a fairly unlikely race condition in tree mod log rewind that\ncan result in a kernel panic which has the following trace:\n\n  [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096\n  [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096\n  [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002\n  [530.618] #PF: supervisor read access in kernel mode\n  [530.629] #PF: error_code(0x0000) - not-present page\n  [530.641] PGD 0 P4D 0\n  [530.647] Oops: 0000 [#1] SMP\n  [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S         O  K   5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1\n  [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017\n  [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00\n  [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246\n  [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100\n  [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8\n  [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff\n  [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000\n  [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0\n  [530.848] FS:  00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000\n  [530.866] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0\n  [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [530.928] Call Trace:\n  [530.934]  ? btrfs_printk+0x13b/0x18c\n  [530.943]  ? btrfs_bio_counter_inc_blocked+0x3d/0x130\n  [530.955]  btrfs_map_bio+0x75/0x330\n  [530.963]  ? kmem_cache_alloc+0x12a/0x2d0\n  [530.973]  ? btrfs_submit_metadata_bio+0x63/0x100\n  [530.984]  btrfs_submit_metadata_bio+0xa4/0x100\n  [530.995]  submit_extent_page+0x30f/0x360\n  [531.004]  read_extent_buffer_pages+0x49e/0x6d0\n  [531.015]  ? submit_extent_page+0x360/0x360\n  [531.025]  btree_read_extent_buffer_pages+0x5f/0x150\n  [531.037]  read_tree_block+0x37/0x60\n  [531.046]  read_block_for_search+0x18b/0x410\n  [531.056]  btrfs_search_old_slot+0x198/0x2f0\n  [531.066]  resolve_indirect_ref+0xfe/0x6f0\n  [531.076]  ? ulist_alloc+0x31/0x60\n  [531.084]  ? kmem_cache_alloc_trace+0x12e/0x2b0\n  [531.095]  find_parent_nodes+0x720/0x1830\n  [531.105]  ? ulist_alloc+0x10/0x60\n  [531.113]  iterate_extent_inodes+0xea/0x370\n  [531.123]  ? btrfs_previous_extent_item+0x8f/0x110\n  [531.134]  ? btrfs_search_path_in_tree+0x240/0x240\n  [531.146]  iterate_inodes_from_logical+0x98/0xd0\n  [531.157]  ? btrfs_search_path_in_tree+0x240/0x240\n  [531.168]  btrfs_ioctl_logical_to_ino+0xd9/0x180\n  [531.179]  btrfs_ioctl+0xe2/0x2eb0\n\nThis occurs when logical inode resolution takes a tree mod log sequence\nnumber, and then while backref walking hits a rewind on a busy node\nwhich has the following sequence of tree mod log operations (numbers\nfilled in from a specific example, but they are somewhat arbitrary)\n\n  REMOVE_WHILE_FREEING slot 532\n  REMOVE_WHILE_FREEING slot 531\n  REMOVE_WHILE_FREEING slot 530\n  ...\n  REMOVE_WHILE_FREEING slot 0\n  REMOVE slot 455\n  REMOVE slot 454\n  REMOVE slot 453\n  ...\n  REMOVE slot 0\n  ADD slot 455\n  ADD slot 454\n  ADD slot 453\n  ...\n  ADD slot 0\n  MOVE src slot 0 -\u003e dst slot 456 nritems 533\n  REMOVE slot 455\n  REMOVE slot 454\n  REMOVE slot 453\n  ...\n  REMOVE slot 0\n\nWhen this sequence gets applied via btrfs_tree_mod_log_rewind, it\nallocates a fresh rewind eb, and first inserts the correct key info for\nthe 533 elements, then overwrites the first 456 of them, then decrements\nthe count by 456 via the add ops, then rewinds the move by doing a\nmemmove from 456:988-\u003e0:532. We have never written anything past 532,\n---truncated---",
  "id": "GHSA-42hw-46gp-ffq7",
  "modified": "2026-02-10T00:30:27Z",
  "published": "2025-10-04T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53538"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/11f14402fe3437852cb44945b3b9f1bdb4032956"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cead5422a0e3d13b0bcee986c0f5c4ebb94100b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42JR-FVMF-Q363

Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2025-11-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: Initialize frame-based format color matching descriptor

Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color matching descriptor for frame-based format which was added in commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching descriptors") that added handling for uncompressed and mjpeg format.

Crash is seen when userspace configuration (via configfs) does not explicitly define the color matching descriptor. If color_matching is not found, config_group_find_item() returns NULL. The code then jumps to out_put_cm, where it calls config_item_put(color_matching);. If color_matching is NULL, this will dereference a null pointer, leading to a crash.

[ 2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c [ 2.756273] Mem abort info: [ 2.760080] ESR = 0x0000000096000005 [ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.771068] SET = 0, FnV = 0 [ 2.771069] EA = 0, S1PTW = 0 [ 2.771070] FSC = 0x05: level 1 translation fault [ 2.771071] Data abort info: [ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000 [ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 2.771084] Dumping ftrace buffer: [ 2.771085] (ftrace buffer empty) [ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15 [ 2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT) [ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc [ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771146] sp : ffffffc08140bbb0 [ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250 [ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768 [ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48 [ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00 [ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250 [ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615 [ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0 [ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a [ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000 [ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000 [ 2.771156] Call trace: [ 2.771157] __uvcg_fill_strm+0x198/0x2cc [ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290 [ 2.771159] configfs_symlink+0x1f8/0x630 [ 2.771161] vfs_symlink+0x114/0x1a0 [ 2.771163] do_symlinkat+0x94/0x28c [ 2.771164] __arm64_sys_symlinkat+0x54/0x70 [ 2.771164] invoke_syscall+0x58/0x114 [ 2.771166] el0_svc_common+0x80/0xe0 [ 2.771168] do_el0_svc+0x1c/0x28 [ 2.771169] el0_svc+0x3c/0x70 [ 2.771172] el0t_64_sync_handler+0x68/0xbc [ 2.771173] el0t_64_sync+0x1a8/0x1ac

Initialize color matching descriptor for frame-based format to prevent NULL pointer crash by mirroring the handling done for uncompressed and mjpeg formats.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Initialize frame-based format color matching descriptor\n\nFix NULL pointer crash in uvcg_framebased_make due to uninitialized color\nmatching descriptor for frame-based format which was added in\ncommit f5e7bdd34aca (\"usb: gadget: uvc: Allow creating new color matching\ndescriptors\") that added handling for uncompressed and mjpeg format.\n\nCrash is seen when userspace configuration (via configfs) does not\nexplicitly define the color matching descriptor. If color_matching is not\nfound, config_group_find_item() returns NULL. The code then jumps to\nout_put_cm, where it calls config_item_put(color_matching);. If\ncolor_matching is NULL, this will dereference a null pointer, leading to a\ncrash.\n\n[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c\n[    2.756273] Mem abort info:\n[    2.760080]   ESR = 0x0000000096000005\n[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    2.771068]   SET = 0, FnV = 0\n[    2.771069]   EA = 0, S1PTW = 0\n[    2.771070]   FSC = 0x05: level 1 translation fault\n[    2.771071] Data abort info:\n[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000\n[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[    2.771084] Dumping ftrace buffer:\n[    2.771085]    (ftrace buffer empty)\n[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15\n[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)\n[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc\n[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771146] sp : ffffffc08140bbb0\n[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250\n[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768\n[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48\n[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00\n[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250\n[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615\n[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0\n[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a\n[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000\n[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000\n[    2.771156] Call trace:\n[    2.771157]  __uvcg_fill_strm+0x198/0x2cc\n[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c\n[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290\n[    2.771159]  configfs_symlink+0x1f8/0x630\n[    2.771161]  vfs_symlink+0x114/0x1a0\n[    2.771163]  do_symlinkat+0x94/0x28c\n[    2.771164]  __arm64_sys_symlinkat+0x54/0x70\n[    2.771164]  invoke_syscall+0x58/0x114\n[    2.771166]  el0_svc_common+0x80/0xe0\n[    2.771168]  do_el0_svc+0x1c/0x28\n[    2.771169]  el0_svc+0x3c/0x70\n[    2.771172]  el0t_64_sync_handler+0x68/0xbc\n[    2.771173]  el0t_64_sync+0x1a8/0x1ac\n\nInitialize color matching descriptor for frame-based format to prevent\nNULL pointer crash by mirroring the handling done for uncompressed and\nmjpeg formats.",
  "id": "GHSA-42jr-fvmf-q363",
  "modified": "2025-11-28T15:30:29Z",
  "published": "2025-08-19T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38558"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/323a80a1a5ace319a722909c006d5bdb2a35d273"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6db61c1aa23075eeee90e083ca3f6567a5635da6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f8576fc9d1a203d12474bf52710c7af68cae490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.