CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-4MQG-Q94G-WMFR
Vulnerability from github – Published: 2025-07-28 12:30 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
- htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc
- netem_dequeue calls enqueue on the child qdisc
- blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS
- Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
- As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL
- Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON();
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
{
"affected": [],
"aliases": [
"CVE-2025-38468"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T12:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n since qlen is now 0, it calls htb_qlen_notify -\u003e htb_deactivate -\u003e\n htb_deactiviate_prios -\u003e htb_remove_class_from_row -\u003e htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0) | htb_enqueue() {\n 0) + 13.635 us | netem_enqueue();\n 0) 4.719 us | htb_activate_prios();\n 0) # 2249.199 us | }\n 0) | htb_dequeue() {\n 0) 2.355 us | htb_lookup_leaf();\n 0) | netem_dequeue() {\n 0) + 11.061 us | blackhole_enqueue();\n 0) | qdisc_tree_reduce_backlog() {\n 0) | qdisc_lookup_rcu() {\n 0) 1.873 us | qdisc_match_from_root();\n 0) 6.292 us | }\n 0) 1.894 us | htb_search();\n 0) | htb_qlen_notify() {\n 0) 2.655 us | htb_deactivate_prios();\n 0) 6.933 us | }\n 0) + 25.227 us | }\n 0) 1.983 us | blackhole_dequeue();\n 0) + 86.553 us | }\n 0) # 2932.761 us | qdisc_warn_nonwc();\n 0) | htb_lookup_leaf() {\n 0) | BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/",
"id": "GHSA-4mqg-q94g-wmfr",
"modified": "2026-05-12T15:30:58Z",
"published": "2025-07-28T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38468"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4MRH-9QQ5-26W5
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup().
BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
{
"affected": [],
"aliases": [
"CVE-2026-23293"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n \u003cTASK\u003e\n vxlan_xmit+0x638/0x1ef0 [vxlan]\n dev_hard_start_xmit+0x9e/0x2e0\n __dev_queue_xmit+0xbee/0x14e0\n packet_sendmsg+0x116f/0x1930\n __sys_sendto+0x1f5/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x12f/0x1590\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module.",
"id": "GHSA-4mrh-9qq5-26w5",
"modified": "2026-07-14T15:31:40Z",
"published": "2026-03-25T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23293"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/168ff39e4758897d2eee4756977d036d52884c7e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f93e6b4d12bd3a4517a6d447ea675f448f21434"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/649e2bb74da54c96cf20729001e283626a2fefa0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/abcd48ecdeb2e12eccb8339a35534c757782afcd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5190fcd75a1f1785c766a8d1e44d3938e168f45"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc3e62cf3bbf66280a907ec379f373d0c3b8b2bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0373e9317bc904e7bdb123d3106fe4f3cea2fb7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbbd2118982c55fb9b0a753ae0cf7194e77149fb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4MVV-QQ42-R8PX
Vulnerability from github – Published: 2022-01-26 00:00 – Updated: 2022-02-02 00:02On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2022-23016"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-25T20:15:00Z",
"severity": "HIGH"
},
"details": "On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP SSL Forward Proxy with TLS 1.3 is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-4mvv-qq42-r8px",
"modified": "2022-02-02T00:02:01Z",
"published": "2022-01-26T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23016"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K91013510"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4MWF-4888-4X35
Vulnerability from github – Published: 2024-01-18 15:30 – Updated: 2024-06-27 12:30NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation. This vulnerability is associated with program files net/sched/sch_cbs.C.
This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3.
{
"affected": [],
"aliases": [
"CVE-2021-33630"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-18T15:15:08Z",
"severity": "MODERATE"
},
"details": "NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation. This vulnerability is associated with program files net/sched/sch_cbs.C.\n\nThis issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3.\n\n",
"id": "GHSA-4mwf-4888-4x35",
"modified": "2024-06-27T12:30:43Z",
"published": "2024-01-18T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33630"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e8b9bfa110896f95d602d8c98d5f9d67e41d78c"
},
{
"type": "WEB",
"url": "https://gitee.com/src-openeuler/kernel/pulls/1389"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"type": "WEB",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1030"
},
{
"type": "WEB",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1031"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/30/10"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/30/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/30/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/30/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/30/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/31/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/31/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/02/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/02/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/03/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4P23-QFC5-2VC9
Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-11-26 18:30In the Linux kernel, the following vulnerability has been resolved:
md: make rdev_addable usable for rcu mode
Our testcase trigger panic:
BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Workqueue: md_misc md_start_sync RIP: 0010:rdev_addable+0x4d/0xf0 ... Call Trace: md_start_sync+0x329/0x480 process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x14d/0x180 ret_from_fork_asm+0x1a/0x30 Modules linked in: raid10 CR2: 00000000000000e0 ---[ end trace 0000000000000000 ]--- RIP: 0010:rdev_addable+0x4d/0xf0
md_spares_need_change in md_start_sync will call rdev_addable which protected by rcu_read_lock/rcu_read_unlock. This rcu context will help protect rdev won't be released, but rdev->mddev will be set to NULL before we call synchronize_rcu in md_kick_rdev_from_array. Fix this by using READ_ONCE and check does rdev->mddev still alive.
{
"affected": [],
"aliases": [
"CVE-2025-38621"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-22T16:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: make rdev_addable usable for rcu mode\n\nOur testcase trigger panic:\n\nBUG: kernel NULL pointer dereference, address: 00000000000000e0\n...\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94\nPREEMPT(none)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nWorkqueue: md_misc md_start_sync\nRIP: 0010:rdev_addable+0x4d/0xf0\n...\nCall Trace:\n \u003cTASK\u003e\n md_start_sync+0x329/0x480\n process_one_work+0x226/0x6d0\n worker_thread+0x19e/0x340\n kthread+0x10f/0x250\n ret_from_fork+0x14d/0x180\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nModules linked in: raid10\nCR2: 00000000000000e0\n---[ end trace 0000000000000000 ]---\nRIP: 0010:rdev_addable+0x4d/0xf0\n\nmd_spares_need_change in md_start_sync will call rdev_addable which\nprotected by rcu_read_lock/rcu_read_unlock. This rcu context will help\nprotect rdev won\u0027t be released, but rdev-\u003emddev will be set to NULL\nbefore we call synchronize_rcu in md_kick_rdev_from_array. Fix this by\nusing READ_ONCE and check does rdev-\u003emddev still alive.",
"id": "GHSA-4p23-qfc5-2vc9",
"modified": "2025-11-26T18:30:59Z",
"published": "2025-08-22T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38621"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/13017b427118f4311471ee47df74872372ca8482"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5fbe940862339cdcc34dea7a057ad18d18fa137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4P37-82F3-XMHV
Vulnerability from github – Published: 2023-07-26 21:30 – Updated: 2024-04-04 06:22Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2023-37732"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-26T21:15:10Z",
"severity": "MODERATE"
},
"details": "Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.",
"id": "GHSA-4p37-82f3-xmhv",
"modified": "2024-04-04T06:22:20Z",
"published": "2023-07-26T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37732"
},
{
"type": "WEB",
"url": "https://github.com/yasm/yasm/issues/233"
},
{
"type": "WEB",
"url": "https://gist.github.com/ChanStormstout/02eea9cf5c002b42b2ff3de5ca939520"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4P3P-CR38-V5XP
Vulnerability from github – Published: 2025-10-13 19:59 – Updated: 2025-11-05 22:07Summary
A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.
Details
The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault.
Vulnerable Code
The isSensitiveSpec function in /src/internal/backend/server.go:
func isSensitiveSpec(resource *resapi.Resource) bool {
res, err := grpcomni.CreateResource(resource) // No nil check on resource.Metadata
if err != nil {
return false
}
// ... rest of function
}
The CreateResource function expects resource.Metadata to be non-nil:
func CreateResource(resource *resources.Resource) (cosiresource.Resource, error) {
if resource.Metadata.Version == "" { // PANIC: nil pointer dereference
resource.Metadata.Version = "1"
}
// ... rest of function
}
The UpdateResource function has the same issue - it also calls CreateResource internally and expects resource.Metadata to be non-nil:
func (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) {
// ... validation code ...
obj, err := CreateResource(in.Resource) // Same vulnerability here
if err != nil {
return nil, err
}
// ... rest of function
}
Affected Endpoints
resourceServerCreate- Create Resource API endpointresourceServerUpdate- Update Resource API endpoint
Both endpoints call isSensitiveSpec which triggers the vulnerability when processing empty resources.
PoC
Send empty resource requests to the affected API endpoints:
# Create endpoint
curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Create" \
-H "Content-Type: application/json" \
-d '{}'
# Update endpoint
curl -X POST "https://your-omni-instance/api/omni.resources.ResourceService/Update" \
-H "Content-Type: application/json" \
-d '{}'
Expected Result: Server panic with segmentation fault:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]
goroutine 3305 [running]:
github.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?)
/src/internal/backend/grpc/resource.go:364 +0x20
Impact
- Vulnerability Type: Denial of Service (DoS)
- Severity: High - Complete API server crash requiring manual restart if no restart policy is applied.
- Authentication: None required (unauthenticated)
- Complexity: Low (simple HTTP request)
Mitigation
Add nil checks in the isSensitiveSpec function:
func isSensitiveSpec(resource *resapi.Resource) bool {
if resource == nil || resource.Metadata == nil {
return false
}
res, err := grpcomni.CreateResource(resource)
if err != nil {
return false
}
// ... rest of function
}
Credits
- @1c3t0rm
- @nicomda
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/siderolabs/omni"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0-beta.0"
},
{
"fixed": "1.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/siderolabs/omni"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59836"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-13T19:59:17Z",
"nvd_published_at": "2025-10-13T21:15:34Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints.\n\n## Details\n\nThe vulnerability exists in the `isSensitiveSpec` function which calls `grpcomni.CreateResource` without checking if the resource\u0027s metadata field is nil. When a resource is created with an empty `Metadata` field, the `CreateResource` function attempts to access `resource.Metadata.Version` causing a segmentation fault.\n\n### Vulnerable Code\n\nThe `isSensitiveSpec` function in `/src/internal/backend/server.go`:\n\n```go\nfunc isSensitiveSpec(resource *resapi.Resource) bool {\n res, err := grpcomni.CreateResource(resource) // No nil check on resource.Metadata\n if err != nil {\n return false\n }\n // ... rest of function\n}\n```\n\nThe `CreateResource` function expects `resource.Metadata` to be non-nil:\n\n```go\nfunc CreateResource(resource *resources.Resource) (cosiresource.Resource, error) {\n if resource.Metadata.Version == \"\" { // PANIC: nil pointer dereference\n resource.Metadata.Version = \"1\"\n }\n // ... rest of function\n}\n```\n\nThe `UpdateResource` function has the same issue - it also calls `CreateResource` internally and expects `resource.Metadata` to be non-nil:\n\n```go\nfunc (s *ResourceServer) Update(ctx context.Context, in *resapi.UpdateRequest) (*resapi.UpdateResponse, error) {\n // ... validation code ...\n obj, err := CreateResource(in.Resource) // Same vulnerability here\n if err != nil {\n return nil, err\n }\n // ... rest of function\n}\n```\n\n### Affected Endpoints\n\n- `resourceServerCreate` - Create Resource API endpoint\n- `resourceServerUpdate` - Update Resource API endpoint\n\nBoth endpoints call `isSensitiveSpec` which triggers the vulnerability when processing empty resources.\n\n## PoC\n\nSend empty resource requests to the affected API endpoints:\n\n```bash\n# Create endpoint\ncurl -X POST \"https://your-omni-instance/api/omni.resources.ResourceService/Create\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{}\u0027\n\n# Update endpoint \ncurl -X POST \"https://your-omni-instance/api/omni.resources.ResourceService/Update\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{}\u0027\n```\n\n**Expected Result**: Server panic with segmentation fault:\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x293d970]\n\ngoroutine 3305 [running]:\ngithub.com/siderolabs/omni/internal/backend/grpc.CreateResource(0x3495420?)\n /src/internal/backend/grpc/resource.go:364 +0x20\n```\n\n## Impact\n\n- **Vulnerability Type**: Denial of Service (DoS)\n- **Severity**: High - Complete API server crash requiring manual restart if no restart policy is applied.\n- **Authentication**: None required (unauthenticated)\n- **Complexity**: Low (simple HTTP request)\n\n## Mitigation\n\nAdd nil checks in the `isSensitiveSpec` function:\n\n```go\nfunc isSensitiveSpec(resource *resapi.Resource) bool {\n if resource == nil || resource.Metadata == nil {\n return false\n }\n res, err := grpcomni.CreateResource(resource)\n if err != nil {\n return false\n }\n // ... rest of function\n}\n```\n\n## Credits\n- @1c3t0rm\n- @nicomda",
"id": "GHSA-4p3p-cr38-v5xp",
"modified": "2025-11-05T22:07:29Z",
"published": "2025-10-13T19:59:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siderolabs/omni/security/advisories/GHSA-4p3p-cr38-v5xp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59836"
},
{
"type": "WEB",
"url": "https://github.com/siderolabs/omni/commit/1396083f766a1b0380e9949968d7fc17b7afecaa"
},
{
"type": "WEB",
"url": "https://github.com/siderolabs/omni/commit/1fd954af64985a8b3dbf5b11deddbf7cd953f5ae"
},
{
"type": "PACKAGE",
"url": "https://github.com/siderolabs/omni"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Omni is Vulnerable to DoS via Empty Create/Update Resource Requests"
}
GHSA-4P43-GFMP-QJMM
Vulnerability from github – Published: 2024-09-10 12:30 – Updated: 2024-09-10 12:30A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions < V3.5.20), SIMATIC CP 1243-7 LTE (All versions < V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions < V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions < V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions < V2.4.8). The web server of the affected devices do not properly handle certain errors when using the Expect HTTP request header, resulting in NULL dereference.
This could allow a remote attacker with no privileges to cause a denial of service condition in the system.
{
"affected": [],
"aliases": [
"CVE-2023-30756"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T10:15:06Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) (All versions \u003c V3.5.20), SIMATIC CP 1243-1 (incl. SIPLUS variants) (All versions \u003c V3.5.20), SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) (All versions \u003c V3.5.20), SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) (All versions \u003c V3.5.20), SIMATIC CP 1243-7 LTE (All versions \u003c V3.5.20), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) (All versions \u003c V3.5.20), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMATIC WinCC Runtime Advanced (All versions), SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) (All versions \u003c V2.4.8), TIM 1531 IRC (6GK7543-1MX00-0XE0) (All versions \u003c V2.4.8). The web server of the affected devices do not properly handle certain errors when using the Expect HTTP request header, resulting in NULL dereference.\n\nThis could allow a remote attacker with no privileges to cause a denial of service condition in the system.",
"id": "GHSA-4p43-gfmp-qjmm",
"modified": "2024-09-10T12:30:37Z",
"published": "2024-09-10T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30756"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-423808.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4P49-59GQ-X3FH
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32A null pointer dereference was addressed with improved input validation. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. A remote attacker may be able to cause a system denial of service.
{
"affected": [],
"aliases": [
"CVE-2019-8588"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T20:15:00Z",
"severity": "HIGH"
},
"details": "A null pointer dereference was addressed with improved input validation. This issue is fixed in AirPort Base Station Firmware Update 7.8.1, AirPort Base Station Firmware Update 7.9.1. A remote attacker may be able to cause a system denial of service.",
"id": "GHSA-4p49-59gq-x3fh",
"modified": "2022-05-24T17:32:17Z",
"published": "2022-05-24T17:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8588"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210090"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210091"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4P4P-WWW8-8FV9
Vulnerability from github – Published: 2021-05-21 14:25 – Updated: 2024-11-01 17:05Impact
An attacker can trigger undefined behavior by binding to null pointer in tf.raw_ops.ParameterizedTruncatedNormal:
import tensorflow as tf
shape = tf.constant([], shape=[0], dtype=tf.int32)
means = tf.constant((1), dtype=tf.float32)
stdevs = tf.constant((1), dtype=tf.float32)
minvals = tf.constant((1), dtype=tf.float32)
maxvals = tf.constant((1), dtype=tf.float32)
tf.raw_ops.ParameterizedTruncatedNormal(
shape=shape, means=means, stdevs=stdevs, minvals=minvals, maxvals=maxvals)
This is because the implementation does not validate input arguments before accessing the first element of shape:
int32 num_batches = shape_tensor.flat<int32>()(0);
If shape argument is empty, then shape_tensor.flat<T>() is an empty array.
Patches
We have patched the issue in GitHub commit 5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29568"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-824"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T19:11:12Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`:\n\n```python\nimport tensorflow as tf\n \nshape = tf.constant([], shape=[0], dtype=tf.int32)\nmeans = tf.constant((1), dtype=tf.float32)\nstdevs = tf.constant((1), dtype=tf.float32)\nminvals = tf.constant((1), dtype=tf.float32)\nmaxvals = tf.constant((1), dtype=tf.float32)\n \ntf.raw_ops.ParameterizedTruncatedNormal(\n shape=shape, means=means, stdevs=stdevs, minvals=minvals, maxvals=maxvals)\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630) does not validate input arguments before accessing the first element of `shape`:\n\n```cc\nint32 num_batches = shape_tensor.flat\u003cint32\u003e()(0);\n``` \n\nIf `shape` argument is empty, then `shape_tensor.flat\u003cT\u003e()` is an empty array.\n\n### Patches\nWe have patched the issue in GitHub commit [5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8](https://github.com/tensorflow/tensorflow/commit/5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information \nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
"id": "GHSA-4p4p-www8-8fv9",
"modified": "2024-11-01T17:05:06Z",
"published": "2021-05-21T14:25:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4p4p-www8-8fv9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29568"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-496.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-694.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-205.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Reference binding to null in `ParameterizedTruncatedNormal`"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.