CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-4F63-89W9-3JJV
Vulnerability from github – Published: 2022-10-11 19:00 – Updated: 2022-10-13 20:08OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl-src"
},
"ranges": [
{
"events": [
{
"introduced": "300.0.0"
},
{
"fixed": "300.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3358"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-12T20:00:56Z",
"nvd_published_at": "2022-10-11T15:15:00Z",
"severity": "HIGH"
},
"details": "OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).",
"id": "GHSA-4f63-89w9-3jjv",
"modified": "2022-10-13T20:08:51Z",
"published": "2022-10-11T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3358"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b"
},
{
"type": "PACKAGE",
"url": "https://github.com/alexcrichton/openssl-src-rs"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0059.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202402-08"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221028-0014"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20221011.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Using a Custom Cipher with `NID_undef` may lead to NULL encryption"
}
GHSA-4F6F-GR2G-X76P
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointers before using dc->clk_mgr
[WHY & HOW] dc->clk_mgr is null checked previously in the same function, indicating it might be null.
Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which dereferences null "dc->clk_mgr". (The function pointer resolves to "dcn35_apply_idle_power_optimizations".)
This fixes 1 FORWARD_NULL issue reported by Coverity.
{
"affected": [],
"aliases": [
"CVE-2024-49907"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before using dc-\u003eclk_mgr\n\n[WHY \u0026 HOW]\ndc-\u003eclk_mgr is null checked previously in the same function, indicating\nit might be null.\n\nPassing \"dc\" to \"dc-\u003ehwss.apply_idle_power_optimizations\", which\ndereferences null \"dc-\u003eclk_mgr\". (The function pointer resolves to\n\"dcn35_apply_idle_power_optimizations\".)\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.",
"id": "GHSA-4f6f-gr2g-x76p",
"modified": "2025-11-04T00:31:41Z",
"published": "2024-10-21T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49907"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f7e533c10db3d0158709a99e2129ff63add6bcd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ba3fbf75b243b2863a8be9e7c393e003d3b88f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d54001f8dccd56146973f23f3ab2ba037a21251"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95d9e0803e51d5a24276b7643b244c7477daf463"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9641bc4adf8446034e490ed543ae7e9833cfbdf5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2773e0a4b79e7a6463abdffaf8cc4f24428ba18"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a545a9403e04c6e17fdc04a26a61d9feebbba106"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4F99-6W2J-877C
Vulnerability from github – Published: 2025-05-03 00:30 – Updated: 2025-11-03 18:31In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. CVSS 3.1 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
{
"affected": [],
"aliases": [
"CVE-2022-21546"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T22:15:15Z",
"severity": "HIGH"
},
"details": "In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like \"sg_write_same --ndob\" we will crash in target_core_iblock/file\u0027s execute_write_same handlers when we go to access the se_cmd-\u003et_data_sg because its NULL. CVSS 3.1 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).",
"id": "GHSA-4f99-6w2j-877c",
"modified": "2025-11-03T18:31:16Z",
"published": "2025-05-03T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21546"
},
{
"type": "WEB",
"url": "https://git.kernel.org/linus/ccd3f449052449a917a3e577d8ba0368f43b8f29"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54e57be2573cf0b8bf650375fd8752987b6c3d3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ccd3f449052449a917a3e577d8ba0368f43b8f29"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8e6a27e9238dd294d6f2f401655f300dca20899"
},
{
"type": "WEB",
"url": "https://linux.oracle.com/cve/CVE-2022-21546.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20220628022325.14627-2-michael.christie@oracle.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FG5-FCPH-RGXC
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.
{
"affected": [],
"aliases": [
"CVE-2016-2198"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-29T22:59:00Z",
"severity": "MODERATE"
},
"details": "QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.",
"id": "GHSA-4fg5-fcph-rgxc",
"modified": "2022-05-13T01:13:42Z",
"published": "2022-05-13T01:13:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2198"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301643"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201604-01"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/01/29/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/01/30/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FJ3-XJ7W-F7CV
Vulnerability from github – Published: 2024-12-17 15:31 – Updated: 2024-12-17 18:33A NULL pointer dereference in D-Link DAP-1513 REVA_FIRMWARE_1.01 allows attackers to cause a Denial of Service (DoS) via a crafted web request without authentication. The vulnerability occurs in the /bin/webs binary of the firmware. When /bin/webs receives a carefully constructed HTTP request, it will crash and exit due to a null pointer reference, leading to a denial of service attack to the device.
{
"affected": [],
"aliases": [
"CVE-2024-36832"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-17T15:15:13Z",
"severity": "HIGH"
},
"details": "A NULL pointer dereference in D-Link DAP-1513 REVA_FIRMWARE_1.01 allows attackers to cause a Denial of Service (DoS) via a crafted web request without authentication. The vulnerability occurs in the /bin/webs binary of the firmware. When /bin/webs receives a carefully constructed HTTP request, it will crash and exit due to a null pointer reference, leading to a denial of service attack to the device.",
"id": "GHSA-4fj3-xj7w-f7cv",
"modified": "2024-12-17T18:33:48Z",
"published": "2024-12-17T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36832"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/1qTpwAg7B5E4mqkBzijjuoOWWnf3OE1HXIKBv7OcS8Mc/edit?usp=sharing"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10396"
},
{
"type": "WEB",
"url": "https://www.dlink.com/en"
},
{
"type": "WEB",
"url": "https://www.dlink.com/en/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FM6-3WMJ-6H3Q
Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-12-18 21:31In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
[arj: Fix Fixes: tag to use subject from 3772e5da4454]
{
"affected": [],
"aliases": [
"CVE-2025-38145"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:29Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\naspeed_lpc_enable_snoop() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.\n\n[arj: Fix Fixes: tag to use subject from 3772e5da4454]",
"id": "GHSA-4fm6-3wmj-6h3q",
"modified": "2025-12-18T21:31:32Z",
"published": "2025-07-03T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38145"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fd889c145722579aa038c31cbc07cfdd4d75166"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2beee9cf833374550e673d428ad8b6ab37c175b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8312b1f776f71979bf33bda7acc05b348e8792c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c550999f939b529d28a914d5034cc4290066aea6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d62a589eaaec6385e3e2b25cf5a28b4560ace93f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1706e0e1a74b095cbc60375b9b1e6205f5f4c98"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f697ef117ecbf3a367dfc559a6a3589905956530"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FV5-487X-C795
Vulnerability from github – Published: 2024-04-05 18:30 – Updated: 2024-04-05 18:30NVIDIA CUDA toolkit for all platforms contains a vulnerability in cuobjdump and nvdisasm where an attacker may cause a crash by tricking a user into reading a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-0072"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-05T18:15:08Z",
"severity": "LOW"
},
"details": "\nNVIDIA CUDA toolkit for all platforms contains a vulnerability in cuobjdump and nvdisasm where an attacker may cause a crash by tricking a user into reading a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.\n\n",
"id": "GHSA-4fv5-487x-c795",
"modified": "2024-04-05T18:30:34Z",
"published": "2024-04-05T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0072"
},
{
"type": "WEB",
"url": "https://https://nvidia.custhelp.com/app/answers/detail/a_id/5517"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4FXR-V6JM-9J9M
Vulnerability from github – Published: 2025-12-04 18:30 – Updated: 2026-06-02 15:31In the Linux kernel, the following vulnerability has been resolved:
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
The function devl_rate_nodes_destroy is documented to "Unset parent for
all rate objects". However, it was only calling the driver-specific
rate_leaf_parent_set or rate_node_parent_set ops and decrementing
the parent's refcount, without actually setting the
devlink_rate->parent pointer to NULL.
This leaves a dangling pointer in the devlink_rate struct, which cause
refcount error in netdevsim[1] and mlx5[2]. In addition, this is
inconsistent with the behavior of devlink_nl_rate_parent_node_set,
where the parent pointer is correctly cleared.
This patch fixes the issue by explicitly setting devlink_rate->parent
to NULL after notifying the driver, thus fulfilling the function's
documented behavior for all rate objects.
[1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device
dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: devl_rate_leaf_destroy+0x8d/0x90 __nsim_dev_port_del+0x6c/0x70 [netdevsim] nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] nsim_drv_remove+0x2b/0xb0 [netdevsim] device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 device_unregister+0x1a/0x60 del_device_store+0x111/0x170 [netdevsim] kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x55/0x10f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core
dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: devl_rate_leaf_destroy+0x8d/0x90 mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] notifier_call_chain+0x33/0xa0 blocking_notifier_call_chain+0x3b/0x50 mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] mlx5_eswitch_disable+0x63/0x90 [mlx5_core] mlx5_unload+0x1d/0x170 [mlx5_core] mlx5_uninit_one+0xa2/0x130 [mlx5_core] remove_one+0x78/0xd0 [mlx5_core] pci_device_remove+0x39/0xa0 device_release_driver_internal+0x194/0x1f0 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x53/0x1f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
{
"affected": [],
"aliases": [
"CVE-2025-40251"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T16:16:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\n\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\nall rate objects\". However, it was only calling the driver-specific\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\nthe parent\u0027s refcount, without actually setting the\n`devlink_rate-\u003eparent` pointer to NULL.\n\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\nwhere the parent pointer is correctly cleared.\n\nThis patch fixes the issue by explicitly setting `devlink_rate-\u003eparent`\nto NULL after notifying the driver, thus fulfilling the function\u0027s\ndocumented behavior for all rate objects.\n\n[1]\nrepro steps:\necho 1 \u003e /sys/bus/netdevsim/new_device\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\necho 1 \u003e /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\ndevlink port function rate add netdevsim/netdevsim1/test_node\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\necho 1 \u003e /sys/bus/netdevsim/del_device\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n device_unregister+0x1a/0x60\n del_device_store+0x111/0x170 [netdevsim]\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x55/0x10f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\ndevlink port function rate add pci/0000:08:00.0/group1\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\n notifier_call_chain+0x33/0xa0\n blocking_notifier_call_chain+0x3b/0x50\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\n mlx5_unload+0x1d/0x170 [mlx5_core]\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\n remove_one+0x78/0xd0 [mlx5_core]\n pci_device_remove+0x39/0xa0\n device_release_driver_internal+0x194/0x1f0\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x53/0x1f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
"id": "GHSA-4fxr-v6jm-9j9m",
"modified": "2026-06-02T15:31:50Z",
"published": "2025-12-04T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40251"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90e51e20bcec9bff5b2421ce1bd95704764655f5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4G32-C2J9-MX24
Vulnerability from github – Published: 2024-08-21 03:31 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Clean up error handling in vpci_scan_bus()
Smatch complains about inconsistent NULL checking in vpci_scan_bus():
drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed 'vpci_bus' could be null (see line 1021)
Instead of printing an error message and then crashing we should return an error code and clean up.
Also the NULL check is reversed so it prints an error for success instead of failure.
{
"affected": [],
"aliases": [
"CVE-2024-43875"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T01:15:11Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Clean up error handling in vpci_scan_bus()\n\nSmatch complains about inconsistent NULL checking in vpci_scan_bus():\n\n drivers/pci/endpoint/functions/pci-epf-vntb.c:1024 vpci_scan_bus() error: we previously assumed \u0027vpci_bus\u0027 could be null (see line 1021)\n\nInstead of printing an error message and then crashing we should return\nan error code and clean up.\n\nAlso the NULL check is reversed so it prints an error for success\ninstead of failure.",
"id": "GHSA-4g32-c2j9-mx24",
"modified": "2025-11-04T00:31:17Z",
"published": "2024-08-21T03:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43875"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e27e2e8697b8ce96cdef43f135426525d9d1f8f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/24414c842a24d0fd498f9db6d2a762a8dddf1832"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d368de78b60088ec9031c60c88976c0063ea4c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e0f5a96c534f781e8c57ca30459448b3bfe5429"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9e8695246bcfc028341470cbf92630cdc1ba36b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4G36-RRQ2-QQQF
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed XTENSION header of a .fit file, as demonstrated using a long string.
{
"affected": [],
"aliases": [
"CVE-2012-3236"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-07-12T21:55:00Z",
"severity": "MODERATE"
},
"details": "fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed XTENSION header of a .fit file, as demonstrated using a long string.",
"id": "GHSA-4g36-rrq2-qqqf",
"modified": "2022-05-13T01:03:54Z",
"published": "2022-05-13T01:03:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3236"
},
{
"type": "WEB",
"url": "https://bugzilla.gnome.org/show_bug.cgi?id=676804"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76658"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-06/0192.html"
},
{
"type": "WEB",
"url": "http://git.gnome.org/browse/gimp/commit/plug-ins/file-fits/fits-io.c?id=ace45631595e8781a1420842582d67160097163c"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00000.html"
},
{
"type": "WEB",
"url": "http://www.exploit-db.com/exploits/19482"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:082"
},
{
"type": "WEB",
"url": "http://www.reactionpenetrationtesting.co.uk/FIT-file-handling-dos.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/54246"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1559-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.