CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-4HQJ-96CJ-GMWP
Vulnerability from github – Published: 2025-03-17 21:30 – Updated: 2025-03-17 21:30In the Linux kernel, the following vulnerability has been resolved:
ath11k: disable spectral scan during spectral deinit
When ath11k modules are removed using rmmod with spectral scan enabled, crash is observed. Different crash trace is observed for each crash.
Send spectral scan disable WMI command to firmware before cleaning the spectral dbring in the spectral_deinit API to avoid this crash.
call trace from one of the crash observed: [ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008 [ 1252.882722] pgd = 0f42e886 [ 1252.890955] [00000008] *pgd=00000000 [ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0 [ 1253.115261] Hardware name: Generic DT based system [ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k] [ 1253.125940] LR is at 0x88e31017 [ 1253.132448] pc : [<7f9387b8>] lr : [<88e31017>] psr: a0000193 [ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000 [ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080 [ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000 [ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001 [ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user [ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055 [ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141) [ 1253.458055] [<7f9387b8>] (ath11k_spectral_process_data [ath11k]) from [<7f917fdc>] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k]) [ 1253.466139] [<7f917fdc>] (ath11k_dbring_buffer_release_event [ath11k]) from [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k]) [ 1253.478807] [<7f8ea3c4>] (ath11k_wmi_tlv_op_rx [ath11k]) from [<7f8fe868>] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k]) [ 1253.490699] [<7f8fe868>] (ath11k_htc_rx_completion_handler [ath11k]) from [<7f91308c>] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k]) [ 1253.502386] [<7f91308c>] (ath11k_ce_per_engine_service [ath11k]) from [<7f9a4198>] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci]) [ 1253.514811] [<7f9a4198>] (ath11k_pci_ce_tasklet [ath11k_pci]) from [<8032227c>] (tasklet_action_common.constprop.2+0x64/0xe8) [ 1253.526476] [<8032227c>] (tasklet_action_common.constprop.2) from [<803021e8>] (__do_softirq+0x130/0x2d0) [ 1253.537756] [<803021e8>] (__do_softirq) from [<80322610>] (irq_exit+0xcc/0xe8) [ 1253.547304] [<80322610>] (irq_exit) from [<8036a4a4>] (__handle_domain_irq+0x60/0xb4) [ 1253.554428] [<8036a4a4>] (__handle_domain_irq) from [<805eb348>] (gic_handle_irq+0x4c/0x90) [ 1253.562321] [<805eb348>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)
Tested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1
{
"affected": [],
"aliases": [
"CVE-2022-49523"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: disable spectral scan during spectral deinit\n\nWhen ath11k modules are removed using rmmod with spectral scan enabled,\ncrash is observed. Different crash trace is observed for each crash.\n\nSend spectral scan disable WMI command to firmware before cleaning\nthe spectral dbring in the spectral_deinit API to avoid this crash.\n\ncall trace from one of the crash observed:\n[ 1252.880802] Unable to handle kernel NULL pointer dereference at virtual address 00000008\n[ 1252.882722] pgd = 0f42e886\n[ 1252.890955] [00000008] *pgd=00000000\n[ 1252.893478] Internal error: Oops: 5 [#1] PREEMPT SMP ARM\n[ 1253.093035] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.89 #0\n[ 1253.115261] Hardware name: Generic DT based system\n[ 1253.121149] PC is at ath11k_spectral_process_data+0x434/0x574 [ath11k]\n[ 1253.125940] LR is at 0x88e31017\n[ 1253.132448] pc : [\u003c7f9387b8\u003e] lr : [\u003c88e31017\u003e] psr: a0000193\n[ 1253.135488] sp : 80d01bc8 ip : 00000001 fp : 970e0000\n[ 1253.141737] r10: 88e31000 r9 : 970ec000 r8 : 00000080\n[ 1253.146946] r7 : 94734040 r6 : a0000113 r5 : 00000057 r4 : 00000000\n[ 1253.152159] r3 : e18cb694 r2 : 00000217 r1 : 1df1f000 r0 : 00000001\n[ 1253.158755] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user\n[ 1253.165266] Control: 10c0383d Table: 5e71006a DAC: 00000055\n[ 1253.172472] Process swapper/0 (pid: 0, stack limit = 0x60870141)\n[ 1253.458055] [\u003c7f9387b8\u003e] (ath11k_spectral_process_data [ath11k]) from [\u003c7f917fdc\u003e] (ath11k_dbring_buffer_release_event+0x214/0x2e4 [ath11k])\n[ 1253.466139] [\u003c7f917fdc\u003e] (ath11k_dbring_buffer_release_event [ath11k]) from [\u003c7f8ea3c4\u003e] (ath11k_wmi_tlv_op_rx+0x1840/0x29cc [ath11k])\n[ 1253.478807] [\u003c7f8ea3c4\u003e] (ath11k_wmi_tlv_op_rx [ath11k]) from [\u003c7f8fe868\u003e] (ath11k_htc_rx_completion_handler+0x180/0x4e0 [ath11k])\n[ 1253.490699] [\u003c7f8fe868\u003e] (ath11k_htc_rx_completion_handler [ath11k]) from [\u003c7f91308c\u003e] (ath11k_ce_per_engine_service+0x2c4/0x3b4 [ath11k])\n[ 1253.502386] [\u003c7f91308c\u003e] (ath11k_ce_per_engine_service [ath11k]) from [\u003c7f9a4198\u003e] (ath11k_pci_ce_tasklet+0x28/0x80 [ath11k_pci])\n[ 1253.514811] [\u003c7f9a4198\u003e] (ath11k_pci_ce_tasklet [ath11k_pci]) from [\u003c8032227c\u003e] (tasklet_action_common.constprop.2+0x64/0xe8)\n[ 1253.526476] [\u003c8032227c\u003e] (tasklet_action_common.constprop.2) from [\u003c803021e8\u003e] (__do_softirq+0x130/0x2d0)\n[ 1253.537756] [\u003c803021e8\u003e] (__do_softirq) from [\u003c80322610\u003e] (irq_exit+0xcc/0xe8)\n[ 1253.547304] [\u003c80322610\u003e] (irq_exit) from [\u003c8036a4a4\u003e] (__handle_domain_irq+0x60/0xb4)\n[ 1253.554428] [\u003c8036a4a4\u003e] (__handle_domain_irq) from [\u003c805eb348\u003e] (gic_handle_irq+0x4c/0x90)\n[ 1253.562321] [\u003c805eb348\u003e] (gic_handle_irq) from [\u003c80301a78\u003e] (__irq_svc+0x58/0x8c)\n\nTested-on: QCN6122 hw1.0 AHB WLAN.HK.2.6.0.1-00851-QCAHKSWPL_SILICONZ-1",
"id": "GHSA-4hqj-96cj-gmwp",
"modified": "2025-03-17T21:30:33Z",
"published": "2025-03-17T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49523"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/161c64de239c7018e0295e7e0520a19f00aa32dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/451b9076903a057b7b8d5b24dc84b3e436a1c743"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b9c54caef58d2b55074710952cda70540722c01"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60afa4f4e1350c876d8a061182a70c224de275dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8f15e67af9bec5a69e815e0230a70cffddae371a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HQW-3GGW-H3M4
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15An issue was discovered in swftools through 20200710. A NULL pointer dereference exists in the function InfoOutputDev::type3D0() located in InfoOutputDev.cc. It allows an attacker to cause Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2021-39555"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in swftools through 20200710. A NULL pointer dereference exists in the function InfoOutputDev::type3D0() located in InfoOutputDev.cc. It allows an attacker to cause Denial of Service.",
"id": "GHSA-4hqw-3ggw-h3m4",
"modified": "2022-05-24T19:15:07Z",
"published": "2022-05-24T19:15:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39555"
},
{
"type": "WEB",
"url": "https://github.com/matthiaskramm/swftools/issues/99"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4HRF-7C2R-C5X7
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.
{
"affected": [],
"aliases": [
"CVE-2011-2525"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-02-02T04:09:00Z",
"severity": "HIGH"
},
"details": "The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.",
"id": "GHSA-4hrf-7c2r-c5x7",
"modified": "2022-05-13T01:24:38Z",
"published": "2022-05-13T01:24:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2525"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=720552"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=53b0f08042f04813cd1a7473dacd3edfacb28eb3"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=53b0f08042f04813cd1a7473dacd3edfacb28eb3"
},
{
"type": "WEB",
"url": "http://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805"
},
{
"type": "WEB",
"url": "http://mirror.anl.gov/pub/linux/kernel/v2.6/ChangeLog-2.6.35"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/07/12/1"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1065.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1163.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HVM-HMVM-5432
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2022-05-14 03:54Type confusion in Histogram in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit a near null dereference via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2017-5023"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T07:59:00Z",
"severity": "MODERATE"
},
"details": "Type confusion in Histogram in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit a near null dereference via a crafted HTML page.",
"id": "GHSA-4hvm-hmvm-5432",
"modified": "2022-05-14T03:54:08Z",
"published": "2022-05-14T03:54:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5023"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/651443"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-66"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0206.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3776"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95792"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037718"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4HVV-7X94-7VQ8
Vulnerability from github – Published: 2021-05-21 14:28 – Updated: 2024-11-13 16:27Impact
The implementation of TrySimplify has undefined behavior due to dereferencing a null pointer in corner cases that
result in optimizing a node with no inputs.
Patches
We have patched the issue in GitHub commit e6340f0665d53716ef3197ada88936c2a5f7a2d3.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29616"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-17T21:19:51Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nThe implementation of [`TrySimplify`](https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that\nresult in optimizing a node with no inputs.\n\n### Patches\nWe have patched the issue in GitHub commit [e6340f0665d53716ef3197ada88936c2a5f7a2d3](https://github.com/tensorflow/tensorflow/commit/e6340f0665d53716ef3197ada88936c2a5f7a2d3).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-4hvv-7x94-7vq8",
"modified": "2024-11-13T16:27:50Z",
"published": "2021-05-21T14:28:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4hvv-7x94-7vq8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29616"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/e6340f0665d53716ef3197ada88936c2a5f7a2d3"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-544.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-742.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-253.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Null dereference in Grappler\u0027s `TrySimplify`"
}
GHSA-4HXF-56QJ-QRGF
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2024-04-04 02:51SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
{
"affected": [],
"aliases": [
"CVE-2020-13435"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-24T22:15:00Z",
"severity": "MODERATE"
},
"details": "SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.",
"id": "GHSA-4hxf-56qj-qrgf",
"modified": "2024-04-04T02:51:03Z",
"published": "2022-05-24T17:18:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13435"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-26"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200528-0004"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211843"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211844"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211850"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211931"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211935"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211952"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4394-1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.sqlite.org/src/info/7a5279a25c57adf1"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Dec/32"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/19"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/20"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4J4Q-HXQH-V4Q9
Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2025-12-23 00:30In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight
Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vcpus. The bulk of vCPU creation runs outside of kvm->lock to allow creating multiple vCPUs in parallel, and so sev_info.es_active can get toggled from false=>true in the destination VM after (or during) svm_vcpu_create(), resulting in an SEV{-ES} VM effectively having a non-SEV{-ES} vCPU.
The issue manifests most visibly as a crash when trying to free a vCPU's NULL VMSA page in an SEV-ES VM, but any number of things can go wrong.
BUG: unable to handle page fault for address: ffffebde00000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G U O 6.15.0-smp-DEV #2 NONE Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline] RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline] RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline] RIP: 0010:PageHead include/linux/page-flags.h:866 [inline] RIP: 0010:freepages+0x3e/0x120 mm/page_alloc.c:5067 Code: <49> f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0 RSP: 0018:ffff8984551978d0 EFLAGS: 00010246 RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000 RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000 R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000 R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000 FS: 0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169 svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515 kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396 kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline] kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490 kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895 kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310 kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369 fput+0x3e4/0x9e0 fs/file_table.c:465 task_work_run+0x1a9/0x220 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x7f0/0x25b0 kernel/exit.c:953 do_group_exit+0x203/0x2d0 kernel/exit.c:1102 get_signal+0x1357/0x1480 kernel/signal.c:3034 arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218 do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f87a898e969 Modules linked in: gq(O) gsmi: Log Shutdown Reason 0x03 CR2: ffffebde00000000 ---[ end trace 0000000000000000 ]---
Deliberately don't check for a NULL VMSA when freeing the vCPU, as crashing the host is likely desirable due to the VMSA being consumed by hardware. E.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a bogus VMSA page. Accessing P ---truncated---
{
"affected": [],
"aliases": [
"CVE-2025-38455"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T16:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight\n\nReject migration of SEV{-ES} state if either the source or destination VM\nis actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the\nsection between incrementing created_vcpus and online_vcpus. The bulk of\nvCPU creation runs _outside_ of kvm-\u003elock to allow creating multiple vCPUs\nin parallel, and so sev_info.es_active can get toggled from false=\u003etrue in\nthe destination VM after (or during) svm_vcpu_create(), resulting in an\nSEV{-ES} VM effectively having a non-SEV{-ES} vCPU.\n\nThe issue manifests most visibly as a crash when trying to free a vCPU\u0027s\nNULL VMSA page in an SEV-ES VM, but any number of things can go wrong.\n\n BUG: unable to handle page fault for address: ffffebde00000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP KASAN NOPTI\n CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G U O 6.15.0-smp-DEV #2 NONE\n Tainted: [U]=USER, [O]=OOT_MODULE\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\n RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]\n RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]\n RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]\n RIP: 0010:PageHead include/linux/page-flags.h:866 [inline]\n RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067\n Code: \u003c49\u003e f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0\n RSP: 0018:ffff8984551978d0 EFLAGS: 00010246\n RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98\n RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000\n RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000\n R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000\n R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000\n FS: 0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0\n DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169\n svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515\n kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396\n kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline]\n kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490\n kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895\n kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310\n kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369\n __fput+0x3e4/0x9e0 fs/file_table.c:465\n task_work_run+0x1a9/0x220 kernel/task_work.c:227\n exit_task_work include/linux/task_work.h:40 [inline]\n do_exit+0x7f0/0x25b0 kernel/exit.c:953\n do_group_exit+0x203/0x2d0 kernel/exit.c:1102\n get_signal+0x1357/0x1480 kernel/signal.c:3034\n arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218\n do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f87a898e969\n \u003c/TASK\u003e\n Modules linked in: gq(O)\n gsmi: Log Shutdown Reason 0x03\n CR2: ffffebde00000000\n ---[ end trace 0000000000000000 ]---\n\nDeliberately don\u0027t check for a NULL VMSA when freeing the vCPU, as crashing\nthe host is likely desirable due to the VMSA being consumed by hardware.\nE.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a\nbogus VMSA page. Accessing P\n---truncated---",
"id": "GHSA-4j4q-hxqh-v4q9",
"modified": "2025-12-23T00:30:30Z",
"published": "2025-07-25T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38455"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c8e8d4d7544bb783e15078eda8ba2580e192246"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5725213149597cd9c2b075b87bc4e0f87e906c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0d9a7cf37ca09c513420dc88e0d0e805a4f0820"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecf371f8b02d5e31b9aa1da7f159f1b2107bdb01"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd044c99d831e9f837518816c7c366b04014d405"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4J53-Q2R4-27JV
Vulnerability from github – Published: 2024-04-28 15:30 – Updated: 2025-09-18 15:30In the Linux kernel, the following vulnerability has been resolved:
ice: Fix crash by keep old cfg when update TCs more than queues
There are problems if allocated queues less than Traffic Classes.
Commit a632b2a4c920 ("ice: ethtool: Prohibit improper channel config for DCB") already disallow setting less queues than TCs.
Another case is if we first set less queues, and later update more TCs config due to LLDP, ice_vsi_cfg_tc() will failed but left dirty num_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.
[ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated. [ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)! [ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0 [ 95.969621] general protection fault: 0000 [#1] SMP NOPTI [ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1 [ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021 [ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60 [ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 <8b> 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c [ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206 [ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0 [ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200 [ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000 [ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100 [ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460 [ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000 [ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0 [ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 95.971530] PKRU: 55555554 [ 95.971573] Call Trace: [ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice] [ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice] [ 95.971774] ice_vsi_open+0x25/0x120 [ice] [ 95.971843] ice_open_internal+0xb8/0x1f0 [ice] [ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice] [ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice] [ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice] [ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice] [ 95.972220] dcbnl_ieee_set+0x89/0x230 [ 95.972279] ? dcbnl_ieee_del+0x150/0x150 [ 95.972341] dcb_doit+0x124/0x1b0 [ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0 [ 95.972457] ? dcb_doit+0x14d/0x1b0 [ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280 [ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100 [ 95.972661] netlink_rcv_skb+0xcf/0xf0 [ 95.972720] netlink_unicast+0x16d/0x220 [ 95.972781] netlink_sendmsg+0x2ba/0x3a0 [ 95.975891] sock_sendmsg+0x4c/0x50 [ 95.979032] syssendmsg+0x2e4/0x300 [ 95.982147] ? kmem_cache_alloc+0x13e/0x190 [ 95.985242] ? wake_up_common_lock+0x79/0x90 [ 95.988338] ? __check_object_size+0xac/0x1b0 [ 95.991440] ? _copy_to_user+0x22/0x30 [ 95.994539] ? move_addr_to_user+0xbb/0xd0 [ 95.997619] ? __sys_sendmsg+0x53/0x80 [ 96.000664] __sys_sendmsg+0x53/0x80 [ 96.003747] do_syscall_64+0x5b/0x1d0 [ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca
Only update num_txq/rxq when passed check, and restore tc_cfg if setup queue map failed.
{
"affected": [],
"aliases": [
"CVE-2022-48652"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-28T13:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix crash by keep old cfg when update TCs more than queues\n\nThere are problems if allocated queues less than Traffic Classes.\n\nCommit a632b2a4c920 (\"ice: ethtool: Prohibit improper channel config\nfor DCB\") already disallow setting less queues than TCs.\n\nAnother case is if we first set less queues, and later update more TCs\nconfig due to LLDP, ice_vsi_cfg_tc() will failed but left dirty\nnum_txq/rxq and tc_cfg in vsi, that will cause invalid pointer access.\n\n[ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.\n[ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!\n[ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0\n[ 95.969621] general protection fault: 0000 [#1] SMP NOPTI\n[ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1\n[ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021\n[ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60\n[ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 \u003c8b\u003e 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c\n[ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206\n[ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0\n[ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200\n[ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000\n[ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100\n[ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460\n[ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000\n[ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0\n[ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 95.971530] PKRU: 55555554\n[ 95.971573] Call Trace:\n[ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice]\n[ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice]\n[ 95.971774] ice_vsi_open+0x25/0x120 [ice]\n[ 95.971843] ice_open_internal+0xb8/0x1f0 [ice]\n[ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice]\n[ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]\n[ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice]\n[ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice]\n[ 95.972220] dcbnl_ieee_set+0x89/0x230\n[ 95.972279] ? dcbnl_ieee_del+0x150/0x150\n[ 95.972341] dcb_doit+0x124/0x1b0\n[ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0\n[ 95.972457] ? dcb_doit+0x14d/0x1b0\n[ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280\n[ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100\n[ 95.972661] netlink_rcv_skb+0xcf/0xf0\n[ 95.972720] netlink_unicast+0x16d/0x220\n[ 95.972781] netlink_sendmsg+0x2ba/0x3a0\n[ 95.975891] sock_sendmsg+0x4c/0x50\n[ 95.979032] ___sys_sendmsg+0x2e4/0x300\n[ 95.982147] ? kmem_cache_alloc+0x13e/0x190\n[ 95.985242] ? __wake_up_common_lock+0x79/0x90\n[ 95.988338] ? __check_object_size+0xac/0x1b0\n[ 95.991440] ? _copy_to_user+0x22/0x30\n[ 95.994539] ? move_addr_to_user+0xbb/0xd0\n[ 95.997619] ? __sys_sendmsg+0x53/0x80\n[ 96.000664] __sys_sendmsg+0x53/0x80\n[ 96.003747] do_syscall_64+0x5b/0x1d0\n[ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nOnly update num_txq/rxq when passed check, and restore tc_cfg if setup\nqueue map failed.",
"id": "GHSA-4j53-q2r4-27jv",
"modified": "2025-09-18T15:30:21Z",
"published": "2024-04-28T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48652"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c945e5b4787db47d728120b56c934ba05f99864"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a509702cac95a8b450228a037c8542f57e538e5b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4J55-6FC3-6H48
Vulnerability from github – Published: 2022-05-17 01:58 – Updated: 2022-05-17 01:58In all Qualcomm products with Android releases from CAF using the Linux kernel, an untrusted pointer dereference can occur in a TrustZone syscall.
{
"affected": [],
"aliases": [
"CVE-2015-9073"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-18T18:29:00Z",
"severity": "CRITICAL"
},
"details": "In all Qualcomm products with Android releases from CAF using the Linux kernel, an untrusted pointer dereference can occur in a TrustZone syscall.",
"id": "GHSA-4j55-6fc3-6h48",
"modified": "2022-05-17T01:58:37Z",
"published": "2022-05-17T01:58:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9073"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-07-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4J99-9C7Q-M4QW
Vulnerability from github – Published: 2023-01-20 21:30 – Updated: 2025-04-03 18:30A null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.
{
"affected": [],
"aliases": [
"CVE-2022-47021"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T19:15:00Z",
"severity": "HIGH"
},
"details": "A null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.",
"id": "GHSA-4j99-9c7q-m4qw",
"modified": "2025-04-03T18:30:36Z",
"published": "2023-01-20T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47021"
},
{
"type": "WEB",
"url": "https://github.com/xiph/opusfile/issues/36"
},
{
"type": "WEB",
"url": "https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ODIA6QRIRBNF2HRXOE5VCZ2AFP4ZB4R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4LIKBLOE433RA44YTYUZLED4IOWJG5DV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ED4CWLBR2WQ2IXXTHZ24UYZBRNCLMJXH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYPAQANM2ZNPXRBFOS5NFXNJ7O4Q3OBD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ODIA6QRIRBNF2HRXOE5VCZ2AFP4ZB4R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIKBLOE433RA44YTYUZLED4IOWJG5DV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ED4CWLBR2WQ2IXXTHZ24UYZBRNCLMJXH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYPAQANM2ZNPXRBFOS5NFXNJ7O4Q3OBD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.