Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-4X55-VRFR-PM6M

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00
VLAI
Details

An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.",
  "id": "GHSA-4x55-vrfr-pm6m",
  "modified": "2022-09-08T00:00:33Z",
  "published": "2022-09-02T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3078"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2\u0026id=e6a21a14106d9718aa4f8e115b1e474888eeba44"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4X74-8Q36-FC3H

Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2026-05-12 12:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had sanity check to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") while fixing one issue, allowed user space to cook a GSO packet with the following characteristic :

IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len

Then the following sets gso_segs to 0 :

gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/

qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1]

qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel.

This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug.

[1] [ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 70.724561] #PF: supervisor read access in kernel mode [ 70.724561] #PF: error_code(0x0000) - not-present page [ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 [ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI [ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 [ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 All code ======== 0: 24 08 and $0x8,%al 2: 49 c1 e1 06 shl $0x6,%r9 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) b: 45 31 ed xor %r13d,%r13d e: 45 31 c0 xor %r8d,%r8d 11: 31 ff xor %edi,%edi 13: 89 44 24 14 mov %eax,0x14(%rsp) 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 1e: eb 04 jmp 0x24 20: 39 ca cmp %ecx,%edx 22: 73 37 jae 0x5b 24: 4d 8b 39 mov (%r9),%r15 27: 83 c7 01 add $0x1,%edi 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction 2d: 49 89 11 mov %rdx,(%r9) 30: 41 8b 57 28 mov 0x28(%r15),%edx 34: 45 8b 5f 34 mov 0x34(%r15),%r11d 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 3f: 49 rex.WB

Code starting with the faulting instruction

0: 49 8b 17 mov (%r15),%rdx 3: 49 89 11 mov %rdx,(%r9) 6: 41 8b 57 28 mov 0x28(%r15),%edx a: 45 8b 5f 34 mov 0x34(%r15),%r11d e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 15: 49 rex.WB [ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 [ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 [ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 [ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 [ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 [ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 [ 70.724561] CS: 0010 DS: 0000 ES: 0000 C ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T18:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential underflow in qdisc_pkt_len_init() with UFO\n\nAfter commit 7c6d2ecbda83 (\"net: be more gentle about silly gso\nrequests coming from user\") virtio_net_hdr_to_skb() had sanity check\nto detect malicious attempts from user space to cook a bad GSO packet.\n\nThen commit cf9acc90c80ec (\"net: virtio_net_hdr_to_skb: count\ntransport header in UFO\") while fixing one issue, allowed user space\nto cook a GSO packet with the following characteristic :\n\nIPv4 SKB_GSO_UDP, gso_size=3, skb-\u003elen = 28.\n\nWhen this packet arrives in qdisc_pkt_len_init(), we end up\nwith hdr_len = 28 (IPv4 header + UDP header), matching skb-\u003elen\n\nThen the following sets gso_segs to 0 :\n\ngso_segs = DIV_ROUND_UP(skb-\u003elen - hdr_len,\n                        shinfo-\u003egso_size);\n\nThen later we set qdisc_skb_cb(skb)-\u003epkt_len to back to zero :/\n\nqdisc_skb_cb(skb)-\u003epkt_len += (gso_segs - 1) * hdr_len;\n\nThis leads to the following crash in fq_codel [1]\n\nqdisc_pkt_len_init() is best effort, we only want an estimation\nof the bytes sent on the wire, not crashing the kernel.\n\nThis patch is fixing this particular issue, a following one\nadds more sanity checks for another potential bug.\n\n[1]\n[   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   70.724561] #PF: supervisor read access in kernel mode\n[   70.724561] #PF: error_code(0x0000) - not-present page\n[   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0\n[   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI\n[   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991\n[   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel\n[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 \u003c49\u003e 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49\nAll code\n========\n   0:\t24 08                \tand    $0x8,%al\n   2:\t49 c1 e1 06          \tshl    $0x6,%r9\n   6:\t44 89 7c 24 18       \tmov    %r15d,0x18(%rsp)\n   b:\t45 31 ed             \txor    %r13d,%r13d\n   e:\t45 31 c0             \txor    %r8d,%r8d\n  11:\t31 ff                \txor    %edi,%edi\n  13:\t89 44 24 14          \tmov    %eax,0x14(%rsp)\n  17:\t4c 03 8b 90 01 00 00 \tadd    0x190(%rbx),%r9\n  1e:\teb 04                \tjmp    0x24\n  20:\t39 ca                \tcmp    %ecx,%edx\n  22:\t73 37                \tjae    0x5b\n  24:\t4d 8b 39             \tmov    (%r9),%r15\n  27:\t83 c7 01             \tadd    $0x1,%edi\n  2a:*\t49 8b 17             \tmov    (%r15),%rdx\t\t\u003c-- trapping instruction\n  2d:\t49 89 11             \tmov    %rdx,(%r9)\n  30:\t41 8b 57 28          \tmov    0x28(%r15),%edx\n  34:\t45 8b 5f 34          \tmov    0x34(%r15),%r11d\n  38:\t49 c7 07 00 00 00 00 \tmovq   $0x0,(%r15)\n  3f:\t49                   \trex.WB\n\nCode starting with the faulting instruction\n===========================================\n   0:\t49 8b 17             \tmov    (%r15),%rdx\n   3:\t49 89 11             \tmov    %rdx,(%r9)\n   6:\t41 8b 57 28          \tmov    0x28(%r15),%edx\n   a:\t45 8b 5f 34          \tmov    0x34(%r15),%r11d\n   e:\t49 c7 07 00 00 00 00 \tmovq   $0x0,(%r15)\n  15:\t49                   \trex.WB\n[   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202\n[   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000\n[   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n[   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000\n[   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58\n[   70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000\n[   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000\n[   70.724561] CS:  0010 DS: 0000 ES: 0000 C\n---truncated---",
  "id": "GHSA-4x74-8q36-fc3h",
  "modified": "2026-05-12T12:32:11Z",
  "published": "2024-10-21T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49949"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4X8R-3G8V-VVCH

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2021-12-28 00:01
VLAI
Details

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.",
  "id": "GHSA-4x8r-3g8v-vvch",
  "modified": "2021-12-28T00:01:05Z",
  "published": "2021-12-22T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44923"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1962"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4X92-R8V7-J2M9

Vulnerability from github – Published: 2023-03-17 09:30 – Updated: 2023-03-23 18:30
VLAI
Details

A vulnerability classified as problematic was found in Watchdog Anti-Virus 1.4.214.0. Affected by this vulnerability is an unknown functionality in the library wsdk-driver.sys of the component IoControlCode Handler. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223291.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-17T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in Watchdog Anti-Virus 1.4.214.0. Affected by this vulnerability is an unknown functionality in the library wsdk-driver.sys of the component IoControlCode Handler. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223291.",
  "id": "GHSA-4x92-r8v7-j2m9",
  "modified": "2023-03-23T18:30:20Z",
  "published": "2023-03-17T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1446"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1zjK_DMjHz41RMpfa0iLQ4GXKQwEr4z2T/view"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/CVE-2023-1446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/unassigned13"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.223291"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.223291"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4X9Q-VPRP-3QVR

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/ras: Move ras data alloc before bad page check

In the rare event if eeprom has only invalid address entries, allocation is skipped, this causes following NULL pointer issue [ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 547.118897] #PF: supervisor read access in kernel mode [ 547.130292] #PF: error_code(0x0000) - not-present page [ 547.141689] PGD 124757067 P4D 0 [ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu [ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025 [ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76 [ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246 [ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000 [ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800 [ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000 [ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092 [ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000 [ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0 [ 547.389321] PKRU: 55555554 [ 547.395316] Call Trace: [ 547.400737] [ 547.405386] ? show_regs+0x6d/0x80 [ 547.412929] ? __die+0x24/0x80 [ 547.419697] ? page_fault_oops+0x99/0x1b0 [ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0 [ 547.438249] ? exc_page_fault+0x83/0x1b0 [ 547.446949] ? asm_exc_page_fault+0x27/0x30 [ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.470040] ? mas_wr_modify+0xcd/0x140 [ 547.478548] sysfs_kf_bin_read+0x63/0xb0 [ 547.487248] kernfs_file_read_iter+0xa1/0x190 [ 547.496909] kernfs_fop_read_iter+0x25/0x40 [ 547.506182] vfs_read+0x255/0x390

This also result in space left assigned to negative values. Moving data alloc call before bad page check resolves both the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/ras: Move ras data alloc before bad page check\n\nIn the rare event if eeprom has only invalid address entries,\nallocation is skipped, this causes following NULL pointer issue\n[  547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[  547.118897] #PF: supervisor read access in kernel mode\n[  547.130292] #PF: error_code(0x0000) - not-present page\n[  547.141689] PGD 124757067 P4D 0\n[  547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G           OE      6.8.0-38-generic #38-Ubuntu\n[  547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025\n[  547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[  547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 \u003c48\u003e 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76\n[  547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246\n[  547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000\n[  547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800\n[  547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000\n[  547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n[  547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092\n[  547.342790] FS:  0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000\n[  547.360744] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0\n[  547.389321] PKRU: 55555554\n[  547.395316] Call Trace:\n[  547.400737]  \u003cTASK\u003e\n[  547.405386]  ? show_regs+0x6d/0x80\n[  547.412929]  ? __die+0x24/0x80\n[  547.419697]  ? page_fault_oops+0x99/0x1b0\n[  547.428588]  ? do_user_addr_fault+0x2ee/0x6b0\n[  547.438249]  ? exc_page_fault+0x83/0x1b0\n[  547.446949]  ? asm_exc_page_fault+0x27/0x30\n[  547.456225]  ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[  547.470040]  ? mas_wr_modify+0xcd/0x140\n[  547.478548]  sysfs_kf_bin_read+0x63/0xb0\n[  547.487248]  kernfs_file_read_iter+0xa1/0x190\n[  547.496909]  kernfs_fop_read_iter+0x25/0x40\n[  547.506182]  vfs_read+0x255/0x390\n\nThis also result in space left assigned to negative values.\nMoving data alloc call before bad page check resolves both the issue.",
  "id": "GHSA-4x9q-vprp-3qvr",
  "modified": "2026-05-13T21:31:57Z",
  "published": "2026-05-06T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71293"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4X9W-MR6V-443W

Vulnerability from github – Published: 2022-05-17 03:38 – Updated: 2022-05-17 03:38
VLAI
Details

fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via standard filesystem operations, as demonstrated by scp from an AUFS filesystem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-31T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "fs/fcntl.c in the \"aufs 3.2.x+setfl-debian\" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via standard filesystem operations, as demonstrated by scp from an AUFS filesystem.",
  "id": "GHSA-4x9w-mr6v-443w",
  "modified": "2022-05-17T03:38:53Z",
  "published": "2022-05-17T03:38:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7118"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2016/q3/395"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/08/31/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4XC7-4Q59-WFX3

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-02 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Add error handling for old state CRTC in atomic_disable

Introduce error handling to address an issue where, after a hotplug event, the cursor continues to update. This situation can lead to a kernel panic due to accessing the NULL old_state->crtc.

E,g. Unable to handle kernel NULL pointer dereference at virtual address Call trace: mtk_crtc_plane_disable+0x24/0x140 mtk_plane_atomic_update+0x8c/0xa8 drm_atomic_helper_commit_planes+0x114/0x2c8 drm_atomic_helper_commit_tail_rpm+0x4c/0x158 commit_tail+0xa0/0x168 drm_atomic_helper_commit+0x110/0x120 drm_atomic_commit+0x8c/0xe0 drm_atomic_helper_update_plane+0xd4/0x128 __setplane_atomic+0xcc/0x110 drm_mode_cursor_common+0x250/0x440 drm_mode_cursor_ioctl+0x44/0x70 drm_ioctl+0x264/0x5d8 __arm64_sys_ioctl+0xd8/0x510 invoke_syscall+0x6c/0xe0 do_el0_svc+0x68/0xe8 el0_svc+0x34/0x60 el0t_64_sync_handler+0x1c/0xf8 el0t_64_sync+0x180/0x188

Adding NULL pointer checks to ensure stability by preventing operations on an invalid CRTC state.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add error handling for old state CRTC in atomic_disable\n\nIntroduce error handling to address an issue where, after a hotplug\nevent, the cursor continues to update. This situation can lead to a\nkernel panic due to accessing the NULL `old_state-\u003ecrtc`.\n\nE,g.\nUnable to handle kernel NULL pointer dereference at virtual address\nCall trace:\n mtk_crtc_plane_disable+0x24/0x140\n mtk_plane_atomic_update+0x8c/0xa8\n drm_atomic_helper_commit_planes+0x114/0x2c8\n drm_atomic_helper_commit_tail_rpm+0x4c/0x158\n commit_tail+0xa0/0x168\n drm_atomic_helper_commit+0x110/0x120\n drm_atomic_commit+0x8c/0xe0\n drm_atomic_helper_update_plane+0xd4/0x128\n __setplane_atomic+0xcc/0x110\n drm_mode_cursor_common+0x250/0x440\n drm_mode_cursor_ioctl+0x44/0x70\n drm_ioctl+0x264/0x5d8\n __arm64_sys_ioctl+0xd8/0x510\n invoke_syscall+0x6c/0xe0\n do_el0_svc+0x68/0xe8\n el0_svc+0x34/0x60\n el0t_64_sync_handler+0x1c/0xf8\n el0t_64_sync+0x180/0x188\n\nAdding NULL pointer checks to ensure stability by preventing operations\non an invalid CRTC state.",
  "id": "GHSA-4xc7-4q59-wfx3",
  "modified": "2025-12-02T21:31:27Z",
  "published": "2025-09-16T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39807"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c6b24d70da21201ed009a2aca740d2dfddc7ab5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d5cc22efa44e0fe321ce195c71c3d7da211fbb2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a94e9d8b50bcfe89693bc899a54d3866d86e973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4XG6-52MH-FPW8

Vulnerability from github – Published: 2026-06-26 18:52 – Updated: 2026-06-26 18:52
VLAI
Summary
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
Details

Summary

(*backend).createDependentVolumesFromBackup in internal/server/storage/backend.go contains a cluster of unguarded pointer derefs on every dependent-volume entry's VolumeSnapshots[i], Volume, and Pool sub-fields. An authenticated user with can_create_instances permission on any project can crash the incusd daemon by uploading an instance backup tarball whose dependent_volumes[*] block contains a nil snapshot pointer (or omits volume: / pool:).

This is a sibling-field variant of the 2026-05-04 batch fix d768f81c0a1d985f35ae56219519822b080bf5e3 ("Properly check dependent volumes on import"). That commit added if disk == nil at the top of the outer loop, but did not guard the four sub-pointer fields the loop body dereferences naked.

Vulnerable code

internal/server/storage/backend.go:9352-9412:

func (b *backend) createDependentVolumesFromBackup(srcBackup backup.Info, ...) error {
    ...
    for _, disk := range srcBackup.Config.DependentVolumes {
        if disk == nil {                                  // ← d768f81 parent fix
            return errors.New("Bad dependent volume definition found in index")
        }
        ...
        snapshots := []string{}
        for _, snap := range disk.VolumeSnapshots {
            snapshots = append(snapshots, snap.Name)      // ← I-2 trigger: snap may be nil
        }

        bInfo := backup.Info{
            Project:          disk.Volume.Project,        // ← disk.Volume may be nil
            Name:             disk.Volume.Name,
            Backend:          disk.Pool.Driver,           // ← disk.Pool may be nil
            Pool:             disk.Pool.Name,
            ...
        }
        ...
        devKey := fmt.Sprintf("%s/%s", disk.Pool.Name, disk.Volume.Name)
        ...
    }
}

disk has type *config.Config (declared in internal/server/backup/config/backup_config.go:8). Its Volume field is *api.StorageVolume, Pool is *api.StoragePool, VolumeSnapshots is []*api.StorageVolumeSnapshot — all yaml omitempty. YAML omission decodes to nil for each.

The parent fix mental-modeled "outer-iteration variable nil"; it did not walk every sub-field deref inside the loop body. Direct asymmetric-guard variant.

Reach

  1. Attacker is an authenticated client with can_create_instances on any project. Same auth gate as GHSA-8g7m-96c8-8wwc / CVE-2026-47753.
  2. POST /1.0/instances with Content-Type: application/octet-stream and X-Incus-name: <name>.
  3. Body is a tar containing backup/index.yaml whose config: block has a non-nil container: (passes instances_post.go:854 if bInfo.Config == nil || bInfo.Config.Container == nil) and a dependent_volumes: list with a malformed entry.
  4. Chain: instancesPost -> createFromBackup:854 (Container guard passes) -> pool.CreateInstanceFromBackup -> backend.go:782 b.createDependentVolumesFromBackup -> backend.go:9374 snap.Name panics on the nil *api.StorageVolumeSnapshot element.
  5. incusd dies. Persistent DoS on repeat.

Minimal backup/index.yaml (used in the bundled PoC):

name: poc-inst
backend: dir
pool: default
type: container
optimized: false
optimized_header: false
snapshots: []
config:
  container:
    name: poc-inst
    architecture: x86_64
    type: container
    profiles: ["default"]
    config: {}
    devices: {}
    expanded_devices:
      depdisk: {type: disk, dependent: "true", pool: default, source: depvol, path: /data}
    expanded_config: {}
  dependent_volumes:
    - volume: {name: depvol, type: custom, content_type: filesystem, config: {}}
      pool:   {name: default, driver: dir, config: {}}
      volume_snapshots:
        - ~    # explicit null entry → snap.Name at 9374 panics

(The container block must declare at least one device with type: disk, dependent: "true", pool != "", path != "/" to populate devicesMap and reach the second loop. Trivially satisfiable.)

An equivalent triggering YAML omits volume: or pool: from the dependent_volumes entry; in that case disk.Volume.Project at 9378 panics instead.

Proof of concept (end-to-end against running daemon)

Bundled in the report: make_backup.sh + 666-byte poc-inst.tar.gz.

Tested against incus 7.0.0 (zabbly latest GA, build 1:0~ubuntu24.04~202605201355) inside a privileged Ubuntu 24.04 container with default dir pool.

$ curl -s --unix-socket /var/lib/incus/unix.socket -X POST \
    --data-binary @/tmp/poc-inst.tar.gz \
    -H 'Content-Type: application/octet-stream' \
    -H 'X-Incus-name: poc-inst' \
    http://incus/1.0/instances
{"type":"async","status":"Operation created","status_code":100,...}

$ ps -ef | grep incusd | grep -v grep    # process gone

Daemon panic:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x163b7bc]

goroutine 257 [running]:
github.com/lxc/incus/v7/internal/server/storage.(*backend).createDependentVolumesFromBackup(...)
    /build/incus/internal/server/storage/backend.go:9374 +0x42c
github.com/lxc/incus/v7/internal/server/storage.(*backend).CreateInstanceFromBackup(...)
    /build/incus/internal/server/storage/backend.go:782 +0x660
main.createFromBackup.func8(...)
    /build/incus/cmd/incusd/instances_post.go:989 +0x2ac
github.com/lxc/incus/v7/internal/server/operations.(*Operation).Start.func1(...)
    /build/incus/internal/server/operations/operations.go:307 +0x2c

Stack frame backend.go:9374 is the literal snap.Name line.

Impact

  • Severity: denial of service against the entire incusd process. Every container / VM / storage operation on the host (and on the cluster member, if clustered) is aborted; subsequent requests fail until an operator restarts the process.
  • Privileges required: any authenticated user with can_create_instances on any project. Not behind the admin tier.
  • Network attack surface: the Incus REST API on :8443 or the unix socket.
  • CWE-476 — Nil-Pointer Dereference. CVSS estimate: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
  • Versions: v7.0.0 confirmed. The dependent_volumes feature did not exist in v6.x, so the vulnerable code is v7-only.

Suggested fix

--- a/internal/server/storage/backend.go
+++ b/internal/server/storage/backend.go
@@ -9362,6 +9362,18 @@ func (b *backend) createDependentVolumesFromBackup(...) error {
     for _, disk := range srcBackup.Config.DependentVolumes {
         if disk == nil {
             return errors.New("Bad dependent volume definition found in index")
         }
+
+        if disk.Volume == nil || disk.Pool == nil {
+            return errors.New("Bad dependent volume definition: missing volume or pool")
+        }
+
+        for _, snap := range disk.VolumeSnapshots {
+            if snap == nil {
+                return errors.New("Bad dependent volume snapshot definition")
+            }
+        }
+
         optimizedStorage := srcBackup.OptimizedStorage
         optimizedHeader := srcBackup.OptimizedHeader

         snapshots := []string{}
         for _, snap := range disk.VolumeSnapshots {
             snapshots = append(snapshots, snap.Name)
         }

Reporter notes

Reported via Privately-Reported Vulnerability against lxc/incus by tonghuaroot.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v7/cmd/incusd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T18:52:46Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\n`(*backend).createDependentVolumesFromBackup` in [`internal/server/storage/backend.go`](https://github.com/lxc/incus/blob/d768f81c0a1d985f35ae56219519822b080bf5e3/internal/server/storage/backend.go) contains a cluster of unguarded pointer derefs on every dependent-volume entry\u0027s `VolumeSnapshots[i]`, `Volume`, and `Pool` sub-fields. An authenticated user with `can_create_instances` permission on any project can crash the `incusd` daemon by uploading an instance backup tarball whose `dependent_volumes[*]` block contains a nil snapshot pointer (or omits `volume:` / `pool:`).\n\nThis is a sibling-field variant of the 2026-05-04 batch fix `d768f81c0a1d985f35ae56219519822b080bf5e3` (\"Properly check dependent volumes on import\"). That commit added `if disk == nil` at the top of the outer loop, but did not guard the four sub-pointer fields the loop body dereferences naked.\n\n## Vulnerable code\n\n[`internal/server/storage/backend.go:9352-9412`](https://github.com/lxc/incus/blob/d768f81c0a1d985f35ae56219519822b080bf5e3/internal/server/storage/backend.go#L9352-L9412):\n\n```go\nfunc (b *backend) createDependentVolumesFromBackup(srcBackup backup.Info, ...) error {\n    ...\n    for _, disk := range srcBackup.Config.DependentVolumes {\n        if disk == nil {                                  // \u2190 d768f81 parent fix\n            return errors.New(\"Bad dependent volume definition found in index\")\n        }\n        ...\n        snapshots := []string{}\n        for _, snap := range disk.VolumeSnapshots {\n            snapshots = append(snapshots, snap.Name)      // \u2190 I-2 trigger: snap may be nil\n        }\n\n        bInfo := backup.Info{\n            Project:          disk.Volume.Project,        // \u2190 disk.Volume may be nil\n            Name:             disk.Volume.Name,\n            Backend:          disk.Pool.Driver,           // \u2190 disk.Pool may be nil\n            Pool:             disk.Pool.Name,\n            ...\n        }\n        ...\n        devKey := fmt.Sprintf(\"%s/%s\", disk.Pool.Name, disk.Volume.Name)\n        ...\n    }\n}\n```\n\n`disk` has type `*config.Config` (declared in [`internal/server/backup/config/backup_config.go:8`](https://github.com/lxc/incus/blob/d768f81c0a1d985f35ae56219519822b080bf5e3/internal/server/backup/config/backup_config.go#L8)). Its `Volume` field is `*api.StorageVolume`, `Pool` is `*api.StoragePool`, `VolumeSnapshots` is `[]*api.StorageVolumeSnapshot` \u2014 all yaml `omitempty`. YAML omission decodes to nil for each.\n\nThe parent fix mental-modeled \"outer-iteration variable nil\"; it did not walk every sub-field deref inside the loop body. Direct asymmetric-guard variant.\n\n## Reach\n\n1. Attacker is an authenticated client with `can_create_instances` on any project. Same auth gate as GHSA-8g7m-96c8-8wwc / CVE-2026-47753.\n2. `POST /1.0/instances` with `Content-Type: application/octet-stream` and `X-Incus-name: \u003cname\u003e`.\n3. Body is a tar containing [`backup/index.yaml`](https://github.com/lxc/incus/blob/d768f81c0a1d985f35ae56219519822b080bf5e3/backup/index.yaml) whose `config:` block has a non-nil `container:` (passes `instances_post.go:854 if bInfo.Config == nil || bInfo.Config.Container == nil`) and a `dependent_volumes:` list with a malformed entry.\n4. Chain: `instancesPost` -\u003e `createFromBackup:854` (Container guard passes) -\u003e `pool.CreateInstanceFromBackup` -\u003e `backend.go:782 b.createDependentVolumesFromBackup` -\u003e `backend.go:9374 snap.Name` panics on the nil `*api.StorageVolumeSnapshot` element.\n5. `incusd` dies. Persistent DoS on repeat.\n\nMinimal [`backup/index.yaml`](https://github.com/lxc/incus/blob/d768f81c0a1d985f35ae56219519822b080bf5e3/backup/index.yaml) (used in the bundled PoC):\n\n```yaml\nname: poc-inst\nbackend: dir\npool: default\ntype: container\noptimized: false\noptimized_header: false\nsnapshots: []\nconfig:\n  container:\n    name: poc-inst\n    architecture: x86_64\n    type: container\n    profiles: [\"default\"]\n    config: {}\n    devices: {}\n    expanded_devices:\n      depdisk: {type: disk, dependent: \"true\", pool: default, source: depvol, path: /data}\n    expanded_config: {}\n  dependent_volumes:\n    - volume: {name: depvol, type: custom, content_type: filesystem, config: {}}\n      pool:   {name: default, driver: dir, config: {}}\n      volume_snapshots:\n        - ~    # explicit null entry \u2192 snap.Name at 9374 panics\n```\n\n(The container block must declare at least one device with `type: disk`, `dependent: \"true\"`, `pool != \"\"`, `path != \"/\"` to populate `devicesMap` and reach the second loop. Trivially satisfiable.)\n\nAn equivalent triggering YAML omits `volume:` or `pool:` from the dependent_volumes entry; in that case `disk.Volume.Project` at 9378 panics instead.\n\n## Proof of concept (end-to-end against running daemon)\n\nBundled in the report: `make_backup.sh` + 666-byte `poc-inst.tar.gz`.\n\nTested against `incus 7.0.0` (zabbly latest GA, build `1:0~ubuntu24.04~202605201355`) inside a privileged Ubuntu 24.04 container with default `dir` pool.\n\n```bash\n$ curl -s --unix-socket /var/lib/incus/unix.socket -X POST \\\n    --data-binary @/tmp/poc-inst.tar.gz \\\n    -H \u0027Content-Type: application/octet-stream\u0027 \\\n    -H \u0027X-Incus-name: poc-inst\u0027 \\\n    http://incus/1.0/instances\n{\"type\":\"async\",\"status\":\"Operation created\",\"status_code\":100,...}\n\n$ ps -ef | grep incusd | grep -v grep    # process gone\n```\n\nDaemon panic:\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x163b7bc]\n\ngoroutine 257 [running]:\ngithub.com/lxc/incus/v7/internal/server/storage.(*backend).createDependentVolumesFromBackup(...)\n    /build/incus/internal/server/storage/backend.go:9374 +0x42c\ngithub.com/lxc/incus/v7/internal/server/storage.(*backend).CreateInstanceFromBackup(...)\n    /build/incus/internal/server/storage/backend.go:782 +0x660\nmain.createFromBackup.func8(...)\n    /build/incus/cmd/incusd/instances_post.go:989 +0x2ac\ngithub.com/lxc/incus/v7/internal/server/operations.(*Operation).Start.func1(...)\n    /build/incus/internal/server/operations/operations.go:307 +0x2c\n```\n\nStack frame [`backend.go:9374`](https://github.com/lxc/incus/blob/d768f81c0a1d985f35ae56219519822b080bf5e3/backend.go#L9374) is the literal `snap.Name` line.\n\n## Impact\n\n- **Severity:** denial of service against the entire `incusd` process. Every container / VM / storage operation on the host (and on the cluster member, if clustered) is aborted; subsequent requests fail until an operator restarts the process.\n- **Privileges required:** any authenticated user with `can_create_instances` on any project. Not behind the admin tier.\n- **Network attack surface:** the Incus REST API on `:8443` or the unix socket.\n- **CWE-476** \u2014 Nil-Pointer Dereference. **CVSS estimate:** 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).\n- **Versions:** v7.0.0 confirmed. The `dependent_volumes` feature did not exist in v6.x, so the vulnerable code is v7-only.\n\n## Suggested fix\n\n```diff\n--- a/internal/server/storage/backend.go\n+++ b/internal/server/storage/backend.go\n@@ -9362,6 +9362,18 @@ func (b *backend) createDependentVolumesFromBackup(...) error {\n     for _, disk := range srcBackup.Config.DependentVolumes {\n         if disk == nil {\n             return errors.New(\"Bad dependent volume definition found in index\")\n         }\n+\n+        if disk.Volume == nil || disk.Pool == nil {\n+            return errors.New(\"Bad dependent volume definition: missing volume or pool\")\n+        }\n+\n+        for _, snap := range disk.VolumeSnapshots {\n+            if snap == nil {\n+                return errors.New(\"Bad dependent volume snapshot definition\")\n+            }\n+        }\n+\n         optimizedStorage := srcBackup.OptimizedStorage\n         optimizedHeader := srcBackup.OptimizedHeader\n\n         snapshots := []string{}\n         for _, snap := range disk.VolumeSnapshots {\n             snapshots = append(snapshots, snap.Name)\n         }\n```\n\n## Reporter notes\n\nReported via Privately-Reported Vulnerability against `lxc/incus` by tonghuaroot.",
  "id": "GHSA-4xg6-52mh-fpw8",
  "modified": "2026-06-26T18:52:46Z",
  "published": "2026-06-26T18:52:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-4xg6-52mh-fpw8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxc/incus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Incus: Nil-pointer dereference in createDependentVolumesFromBackup\u00a0on disk.{Volume,VolumeSnapshots,Pool}"
}

GHSA-4XHX-535Q-82V7

Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-10-08 21:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.6.3195 build 20250715 and later\nQuTS hero h5.2.6.3195 build 20250715 and later",
  "id": "GHSA-4xhx-535q-82v7",
  "modified": "2025-10-08T21:30:24Z",
  "published": "2025-10-03T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52860"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4XJW-JFQH-JJGH

Vulnerability from github – Published: 2022-05-17 01:18 – Updated: 2025-04-20 03:43
VLAI
Details

PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted fpx image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-28T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted fpx image.",
  "id": "GHSA-4xjw-jfqh-jjgh",
  "modified": "2025-04-20T03:43:57Z",
  "published": "2022-05-17T01:18:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12921"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/08/09/libfpx-null-pointer-dereference-in-pfileflashpixviewgetglobalinfoproperty-f_fpxvw-cpp"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/08/17/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.