Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-4VJ2-5MVX-3VCC

Vulnerability from github – Published: 2026-06-18 18:35 – Updated: 2026-06-18 18:35
VLAI
Details

HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-18T17:16:34Z",
    "severity": "HIGH"
  },
  "details": "HAProxy through  3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tbl.c that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memory pressure to dereference a NULL pointer and crash HAProxy worker processes, causing denial of service.",
  "id": "GHSA-4vj2-5mvx-3vcc",
  "modified": "2026-06-18T18:35:24Z",
  "published": "2026-06-18T18:35:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55204"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haproxy/haproxy/commit/9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/haproxy-null-pointer-dereference-in-hpack-dht-insert-function"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4VQ4-24QF-GQ5W

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid pointer dereference during connection teardown.

Fix by setting iscsi_conn->dd_data only if memory is actually allocated.

Panic trace:

iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers BUG: unable to handle page fault for address: fffffffffffffff8 RIP: 0010:swake_up_locked.part.5+0xa/0x40 Call Trace: complete+0x31/0x40 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] ? netlink_lookup+0x12f/0x1b0 ? netlink_deliver_tap+0x2c/0x200 netlink_unicast+0x1ab/0x280 netlink_sendmsg+0x257/0x4f0 ? _copy_from_user+0x29/0x60 sock_sendmsg+0x5f/0x70

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libiscsi: Initialize iscsi_conn-\u003edd_data only if memory is allocated\n\nIn case of an ib_fast_reg_mr allocation failure during iSER setup, the\nmachine hits a panic because iscsi_conn-\u003edd_data is initialized\nunconditionally, even when no memory is allocated (dd_size == 0).  This\nleads invalid pointer dereference during connection teardown.\n\nFix by setting iscsi_conn-\u003edd_data only if memory is actually allocated.\n\nPanic trace:\n------------\n iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12\n iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers\n BUG: unable to handle page fault for address: fffffffffffffff8\n RIP: 0010:swake_up_locked.part.5+0xa/0x40\n Call Trace:\n  complete+0x31/0x40\n  iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]\n  iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]\n  iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]\n  iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]\n  ? netlink_lookup+0x12f/0x1b0\n  ? netlink_deliver_tap+0x2c/0x200\n  netlink_unicast+0x1ab/0x280\n  netlink_sendmsg+0x257/0x4f0\n  ? _copy_from_user+0x29/0x60\n  sock_sendmsg+0x5f/0x70",
  "id": "GHSA-4vq4-24qf-gq5w",
  "modified": "2026-05-12T15:31:00Z",
  "published": "2025-09-05T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38700"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b242ea14386a510010eabfbfc3ce81a101f3802"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35782c32528d82aa21f84cb5ceb2abd3526a8159"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ea3a256ed81f95ab0f3281a0e234b01a9cae605"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66a373f50b4249d57f5a88c7be9676f9d5884865"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ea6d961566c7d762ed0204b06db05756fdda3b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a145c269dc5380c063a20a0db7e6df2995962e9d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a33d42b7fc24fe03f239fbb0880dd5b4b4b97c19"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f53af99f441ee79599d8df6113a7144d74cf9153"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd5aad080edb501ab5c84b7623d612d0e3033403"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VRG-GM73-C852

Vulnerability from github – Published: 2022-09-10 00:00 – Updated: 2026-05-12 12:31
VLAI
Details

A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-09T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
  "id": "GHSA-4vrg-gm73-c852",
  "modified": "2026-05-12T12:31:28Z",
  "published": "2022-09-10T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38096"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2073"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VRR-6GM8-FWF2

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-10 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-transport: fix error handling in ata_tdev_add()

In ata_tdev_add(), the return value of transport_add_device() is not checked. As a result, it causes null-ptr-deref while removing the module, because transport_remove_device() is called to remove the device that was not added.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 CPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #36 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : device_del+0x48/0x3a0 lr : device_del+0x44/0x3a0 Call trace: device_del+0x48/0x3a0 attribute_container_class_device_del+0x28/0x40 transport_remove_classdev+0x60/0x7c attribute_container_device_trigger+0x118/0x120 transport_remove_device+0x20/0x30 ata_tdev_delete+0x24/0x50 [libata] ata_tlink_delete+0x40/0xa0 [libata] ata_tport_delete+0x2c/0x60 [libata] ata_port_detach+0x148/0x1b0 [libata] ata_pci_remove_one+0x50/0x80 [libata] ahci_remove_one+0x4c/0x8c [ahci]

Fix this by checking and handling return value of transport_add_device() in ata_tdev_add(). In the error path, device_del() is called to delete the device which was added earlier in this function, and ata_tdev_free() is called to free ata_dev.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:05Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-transport: fix error handling in ata_tdev_add()\n\nIn ata_tdev_add(), the return value of transport_add_device() is\nnot checked. As a result, it causes null-ptr-deref while removing\nthe module, because transport_remove_device() is called to remove\nthe device that was not added.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\nCPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G        W          6.1.0-rc3+ #36\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x48/0x3a0\nlr : device_del+0x44/0x3a0\nCall trace:\n device_del+0x48/0x3a0\n attribute_container_class_device_del+0x28/0x40\n transport_remove_classdev+0x60/0x7c\n attribute_container_device_trigger+0x118/0x120\n transport_remove_device+0x20/0x30\n ata_tdev_delete+0x24/0x50 [libata]\n ata_tlink_delete+0x40/0xa0 [libata]\n ata_tport_delete+0x2c/0x60 [libata]\n ata_port_detach+0x148/0x1b0 [libata]\n ata_pci_remove_one+0x50/0x80 [libata]\n ahci_remove_one+0x4c/0x8c [ahci]\n\nFix this by checking and handling return value of transport_add_device()\nin ata_tdev_add(). In the error path, device_del() is called to delete\nthe device which was added earlier in this function, and ata_tdev_free()\nis called to free ata_dev.",
  "id": "GHSA-4vrr-6gm8-fwf2",
  "modified": "2025-11-10T21:30:27Z",
  "published": "2025-05-01T15:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49823"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ff36351309e3eadcff297480baf4785e726de9b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef2ac07ab83163b9a53f45da20e14302591ad9cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f23058dc2398db1d8faca9a2b1ce30b85cdd8b22"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f54331962883f4fc4bf5e487e6e7cf07c4567fef"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W32-7G32-H4J6

Vulnerability from github – Published: 2023-05-22 18:30 – Updated: 2023-05-22 18:30
VLAI
Details

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-22T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.",
  "id": "GHSA-4w32-7g32-h4j6",
  "modified": "2023-05-22T18:30:27Z",
  "published": "2023-05-22T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a37"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/21926fc2-6eb1-4e24-8a36-e60f487d0257"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W49-CXR2-29FP

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-20 00:00
VLAI
Details

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.",
  "id": "GHSA-4w49-cxr2-29fp",
  "modified": "2022-07-20T00:00:24Z",
  "published": "2022-07-13T00:01:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34735"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/7"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202207-0000001342389149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W4C-CF9C-3RJ3

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference occurred in the function get_ipv6_l4proto() located at get.c. This can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-17T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference occurred in the function get_ipv6_l4proto() located at get.c. This can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.",
  "id": "GHSA-4w4c-cf9c-3rj3",
  "modified": "2022-05-13T01:02:41Z",
  "published": "2022-05-13T01:02:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8377"
    },
    {
      "type": "WEB",
      "url": "https://github.com/appneta/tcpreplay/issues/536"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V3SADKXUSHWTVAPU3WLXBDEQUHRA6ZO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YAT4AGTHQKB74ETOQPJMV67TSDIAPOC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EB3ASS7URTIA3IFSBL2DIWJAFKTBJCAW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLPY6W7Z7G6PF2JN4LXXHCACYLD4RBG6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOSEIQ3D2OONCJEVMGC2TYBC2QX4E5EJ"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-function-get_ipv6_l4proto-tcpreplay-4-3-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107085"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W56-VR39-RVQR

Vulnerability from github – Published: 2024-12-12 12:31 – Updated: 2024-12-12 12:31
VLAI
Details

Null pointer dereference vulnerability in the image decoding module Impact: Successful exploitation of this vulnerability will affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T12:15:25Z",
    "severity": "HIGH"
  },
  "details": "Null pointer dereference vulnerability in the image decoding module\nImpact: Successful exploitation of this vulnerability will affect availability.",
  "id": "GHSA-4w56-vr39-rvqr",
  "modified": "2024-12-12T12:31:16Z",
  "published": "2024-12-12T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54106"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W5W-4FHM-Q483

Vulnerability from github – Published: 2026-06-30 18:47 – Updated: 2026-06-30 18:47
VLAI
Summary
Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge
Details

Summary

A memory-safety vulnerability in Open Babel's MOL2 file format parser caused a NULL pointer dereference when reading a crafted input file.

Details

The flaw was in OBAtom::SetFormalCharge as called from the MOL2 parser. A malformed atom record caused the parser to call the method on a NULL atom pointer.

Impact

Open Babel is a C++ library and CLI used to read and write chemistry file formats; it is shipped by Linux distributions and embedded in services that may parse untrusted input. Triggering this vulnerability requires the victim to open a malicious MOL2 file with the obabel tool, the OBConversion API, or any of the language bindings (Python, Ruby, Java, R, Perl, C#, PHP).

Affected versions

All releases up to and including 3.1.1.

Patched version

3.2.0 (released 2026-05-26).

Patch

Fix commit: https://github.com/openbabel/openbabel/commit/e23a224b Tracked in #2862.

A minimized reproducer for this CVE is checked in under test/files/fuzz_regress/ and is exercised on every CI build under ASAN+UBSAN by the fuzzregresstest harness.

Credit

Reported by Vedant Madane (@VedantMadane) via VulDB.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openbabel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:47:00Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s MOL2 file format parser\ncaused a NULL pointer dereference when reading a crafted input file.\n\n### Details\n\nThe flaw was in `OBAtom::SetFormalCharge` as called from the MOL2\nparser. A malformed atom record caused the parser to call the method\non a NULL atom pointer.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious MOL2 file with the `obabel`\ntool, the `OBConversion` API, or any of the language bindings (Python,\nRuby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/e23a224b\nTracked in #2862.\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported by Vedant Madane (@VedantMadane) via VulDB.",
  "id": "GHSA-4w5w-4fhm-q483",
  "modified": "2026-06-30T18:47:01Z",
  "published": "2026-06-30T18:47:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-4w5w-4fhm-q483"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/issues/2848"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/pull/2862"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VedantMadane/openbabel/commit/e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oneafter/0128/blob/main/ob2/repro.mol2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbabel/openbabel"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.346651"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.346651"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.754379"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge"
}

GHSA-4W7W-2MRJ-36VW

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

locking/rtmutex: Skip remove_waiter() when waiter is not enqueued

syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI:

KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] class_raw_spinlock_constructor remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rt_mutex_start_proxy_lock+0x103/0x120 futex_requeue+0x10e4/0x20d0 __x64_sys_futex+0x34f/0x4d0

task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") made this fatal.

Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try_to_take_rt_mutex().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/rtmutex: Skip remove_waiter() when waiter is not enqueued\n\nsyzbot triggered the following splat in remove_waiter() via\nFUTEX_CMP_REQUEUE_PI:\n\n  KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f]\n   class_raw_spinlock_constructor\n   remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561\n   rt_mutex_start_proxy_lock+0x103/0x120\n   futex_requeue+0x10e4/0x20d0\n   __x64_sys_futex+0x34f/0x4d0\n\ntask_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection,\nleaving waiter-\u003etask nil, where 3bfdc63936dd (\"rtmutex: Use waiter::task instead\nof current in remove_waiter()\") made this fatal.\n\nFurthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter()\nupon a successfully grabbing the rtmutex. 1a1fb985f2e2 (\"futex: Handle early deadlock\nreturn correctly\"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock()\n(where \u0027ret\u0027 was only ever 0 or \u003c 0) into the wrapper. Tighten this check to\naccount for try_to_take_rt_mutex().",
  "id": "GHSA-4w7w-2mrj-36vw",
  "modified": "2026-07-07T18:30:28Z",
  "published": "2026-06-25T09:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53163"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/40a25d59e85b3c8709ac2424d44f65610467871e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4afda3a1da02129568a3a2f1898aa13e6763bcba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/55363fa0a04524d11efeaadee734d2db1756ed27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5799f9bd7fee40370b93ab1ddf001cdc7017c14d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6707d7e0b71748cb3cd95bad81dae5fe1b3c8f48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a388e3dfaf9538a680de5ed43a8ebb5dd45b6e53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.