CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-53CV-6GXV-7335
Vulnerability from github – Published: 2024-09-04 21:30 – Updated: 2024-09-06 18:31In the Linux kernel, the following vulnerability has been resolved:
smb/client: avoid possible NULL dereference in cifs_free_subrequest()
Clang static checker (scan-build) warning: cifsglob.h:line 890, column 3 Access to field 'ops' results in a dereference of a null pointer.
Commit 519be989717c ("cifs: Add a tracepoint to track credits involved in R/W requests") adds a check for 'rdata->server', and let clang throw this warning about NULL dereference.
When 'rdata->credits.value != 0 && rdata->server == NULL' happens, add_credits_and_wake_if() will call rdata->server->ops->add_credits(). This will cause NULL dereference problem. Add a check for 'rdata->server' to avoid NULL dereference.
{
"affected": [],
"aliases": [
"CVE-2024-44992"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-04T20:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb/client: avoid possible NULL dereference in cifs_free_subrequest()\n\nClang static checker (scan-build) warning:\n\tcifsglob.h:line 890, column 3\n\tAccess to field \u0027ops\u0027 results in a dereference of a null pointer.\n\nCommit 519be989717c (\"cifs: Add a tracepoint to track credits involved in\nR/W requests\") adds a check for \u0027rdata-\u003eserver\u0027, and let clang throw this\nwarning about NULL dereference.\n\nWhen \u0027rdata-\u003ecredits.value != 0 \u0026\u0026 rdata-\u003eserver == NULL\u0027 happens,\nadd_credits_and_wake_if() will call rdata-\u003eserver-\u003eops-\u003eadd_credits().\nThis will cause NULL dereference problem. Add a check for \u0027rdata-\u003eserver\u0027\nto avoid NULL dereference.",
"id": "GHSA-53cv-6gxv-7335",
"modified": "2024-09-06T18:31:29Z",
"published": "2024-09-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44992"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74c2ab6d653b4c2354df65a7f7f2df1925a40a51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fead60a6d5f84b472b928502a42c419253afe6c1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53F2-X8G3-2V76
Vulnerability from github – Published: 2024-08-21 09:31 – Updated: 2024-09-13 15:31In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix null pointer dereference when host dies
Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race and cause null pointer dereference when host suddenly dies.
Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id] virt device at the same time that xhci_kill_endpoint_urbs() tries to loop through all the device's endpoints, checking if there are any cancelled urbs left to give back.
hold the xhci spinlock while freeing the virt device
{
"affected": [],
"aliases": [
"CVE-2023-52898"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T07:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix null pointer dereference when host dies\n\nMake sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race\nand cause null pointer dereference when host suddenly dies.\n\nUsb core may call xhci_free_dev() which frees the xhci-\u003edevs[slot_id]\nvirt device at the same time that xhci_kill_endpoint_urbs() tries to\nloop through all the device\u0027s endpoints, checking if there are any\ncancelled urbs left to give back.\n\nhold the xhci spinlock while freeing the virt device",
"id": "GHSA-53f2-x8g3-2v76",
"modified": "2024-09-13T15:31:31Z",
"published": "2024-08-21T09:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52898"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/081105213ff6f661c114781d469233c7d0e09c2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/133b902378e4acbd824c29dd0d48570ad596e368"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6fac4b5cecb3928a0a81069aaa815a2edc8dd5a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2bc47c43e70cf904b1af49f76d572326c08bca7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c462ac871f49753eca86bb960f573b993976a5ea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea2ee5e9991caf74e0604f994c1831a5867055b2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53HC-RHP5-VGX7
Vulnerability from github – Published: 2026-06-10 06:30 – Updated: 2026-06-15 18:31A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions: QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later
{
"affected": [],
"aliases": [
"CVE-2025-62850"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T04:17:07Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQuTS hero h5.2.9.3410 build 20260214 and later\nQuTS hero h5.3.4.3500 build 20260520 and later\nQuTS hero h6.0.0.3459 build 20260409 and later",
"id": "GHSA-53hc-rhp5-vgx7",
"modified": "2026-06-15T18:31:15Z",
"published": "2026-06-10T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62850"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-53JC-CWPR-M8XH
Vulnerability from github – Published: 2022-05-14 01:09 – Updated: 2022-05-14 01:09NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSubmitCommandVirtual in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to denial of service or escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2019-5668"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-27T23:29:00Z",
"severity": "HIGH"
},
"details": "NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSubmitCommandVirtual in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to denial of service or escalation of privileges.",
"id": "GHSA-53jc-cwpr-m8xh",
"modified": "2022-05-14T01:09:19Z",
"published": "2022-05-14T01:09:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5668"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/4772"
},
{
"type": "WEB",
"url": "http://support.lenovo.com/us/en/solutions/LEN-26250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53M8-XVH9-F42P
Vulnerability from github – Published: 2022-12-23 00:30 – Updated: 2022-12-28 18:30A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-41999"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T22:15:00Z",
"severity": "HIGH"
},
"details": "A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-53m8-xvh9-f42p",
"modified": "2022-12-28T18:30:21Z",
"published": "2022-12-23T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41999"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3LET4MEPBSBJZK4EMLEBY4FUXKU5BMN"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-33"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1635"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5384"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53P3-F48X-W9J5
Vulnerability from github – Published: 2022-05-01 02:16 – Updated: 2025-04-03 04:18Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired.
{
"affected": [],
"aliases": [
"CVE-2005-3274"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-10-21T01:02:00Z",
"severity": "LOW"
},
"details": "Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 before 2.4.32-pre2, when running on SMP systems, allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired.",
"id": "GHSA-53p3-f48x-w9j5",
"modified": "2025-04-03T04:18:39Z",
"published": "2022-05-01T02:16:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-3274"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11723"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/219-1"
},
{
"type": "WEB",
"url": "http://lkml.org/lkml/2005/6/23/249"
},
{
"type": "WEB",
"url": "http://lkml.org/lkml/2005/6/24/173"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/17826"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/18056"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/18684"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/18977"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2005/dsa-922"
},
{
"type": "WEB",
"url": "http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git%3Ba=commit%3Bh=e684f066dff5628bb61ad1912de6e8058b5b4c7d"
},
{
"type": "WEB",
"url": "http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=e684f066dff5628bb61ad1912de6e8058b5b4c7d"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:218"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:219"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:220"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:235"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2005-663.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0190.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/427980/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/427981/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/15528"
},
{
"type": "WEB",
"url": "http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:044"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53Q5-CXHH-W27R
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the "any" remote (0.0.0.0 / ::).
The code currently assumes that the FDB entry for the neighbor's MAC address points to a valid remote destination, but this is incorrect if the entry is associated with an FDB nexthop group. This can result in a NPD [1][3] which can be reproduced using [2][4].
Fix by checking that the remote destination exists before dereferencing it.
[1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:vxlan_xmit+0xb58/0x15f0 [...] Call Trace: dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 packet_sendmsg+0x113a/0x1850 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2] #!/bin/bash
ip address add 192.0.2.1/32 dev lo
ip nexthop add id 1 via 192.0.2.2 fdb ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy
ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3
[3] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014 RIP: 0010:vxlan_xmit+0x803/0x1600 [...] Call Trace: dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 ip6_finish_output2+0x210/0x6c0 ip6_finish_output+0x1af/0x2b0 ip6_mr_output+0x92/0x3e0 ip6_send_skb+0x30/0x90 rawv6_sendmsg+0xe6e/0x12e0 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f383422ec77
[4] #!/bin/bash
ip address add 2001:db8:1::1/128 dev lo
ip nexthop add id 1 via 2001:db8:1::1 fdb ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy
ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0
bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10
ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0
{
"affected": [],
"aliases": [
"CVE-2025-39850"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T16:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects\n\nWhen the \"proxy\" option is enabled on a VXLAN device, the device will\nsuppress ARP requests and IPv6 Neighbor Solicitation messages if it is\nable to reply on behalf of the remote host. That is, if a matching and\nvalid neighbor entry is configured on the VXLAN device whose MAC address\nis not behind the \"any\" remote (0.0.0.0 / ::).\n\nThe code currently assumes that the FDB entry for the neighbor\u0027s MAC\naddress points to a valid remote destination, but this is incorrect if\nthe entry is associated with an FDB nexthop group. This can result in a\nNPD [1][3] which can be reproduced using [2][4].\n\nFix by checking that the remote destination exists before dereferencing\nit.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_xmit+0xb58/0x15f0\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.2 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy\n\n ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3\n\n[3]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014\nRIP: 0010:vxlan_xmit+0x803/0x1600\n[...]\nCall Trace:\n \u003cTASK\u003e\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n ip6_finish_output2+0x210/0x6c0\n ip6_finish_output+0x1af/0x2b0\n ip6_mr_output+0x92/0x3e0\n ip6_send_skb+0x30/0x90\n rawv6_sendmsg+0xe6e/0x12e0\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f383422ec77\n\n[4]\n #!/bin/bash\n\n ip address add 2001:db8:1::1/128 dev lo\n\n ip nexthop add id 1 via 2001:db8:1::1 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy\n\n ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10\n\n ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0",
"id": "GHSA-53q5-cxhh-w27r",
"modified": "2025-12-12T21:31:32Z",
"published": "2025-09-22T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39850"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f5d2fd1ca04a23c18b1bde9a43ce2fa2ffa1bce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8cfa0f076842f9b3b4eb52ae0e41d16e25cbf8fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e211e3f4199ac829bd493632efcd131d337cba9d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5427-CFR3-V9JM
Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior.
On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the pages reference count is not decremented.
{
"affected": [],
"aliases": [
"CVE-2025-37820"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-08T07:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: handle NULL returned by xdp_convert_buff_to_frame()\n\nThe function xdp_convert_buff_to_frame() may return NULL if it fails\nto correctly convert the XDP buffer into an XDP frame due to memory\nconstraints, internal errors, or invalid data. Failing to check for NULL\nmay lead to a NULL pointer dereference if the result is used later in\nprocessing, potentially causing crashes, data corruption, or undefined\nbehavior.\n\nOn XDP redirect failure, the associated page must be released explicitly\nif it was previously retained via get_page(). Failing to do so may result\nin a memory leak, as the pages reference count is not decremented.",
"id": "GHSA-5427-cfr3-v9jm",
"modified": "2025-11-12T21:31:01Z",
"published": "2025-05-08T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37820"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b83d30c63f9964acb1bc63eb8e670b9e0d2c240"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc3628dcd851ddd8d418bf0c897024b4621ddc92"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cefd8a2e2de46209ce66e6d30c237eb59b6c5bfa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6a9c4e6f9b3ec3ad98468c950ad214af8a2efb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eefccd889df3b49d92e7349d94c4aa7e1ba19f6c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-542G-6JP4-66MQ
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-10 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL. In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to >->uc.gsc being evaluated as an invalid memory address.
Fix that by introducing a NULL check on media_gt and bailing out early if so.
While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.
v2: - Get address for gsc only after checking that gt is not NULL. (Shuicheng) - Drop the NULL check for gsc. (Shuicheng) v3: - Add "Fixes" and "Cc: " tags. (Matt)
(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
{
"affected": [],
"aliases": [
"CVE-2026-46216"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()\n\nWhen media GT is disabled via configfs, there is no allocation for\nmedia_gt, which is kept as NULL. In such scenario,\nintel_hdcp_gsc_check_status() results in a kernel pagefault error due to\n\u0026gt-\u003euc.gsc being evaluated as an invalid memory address.\n\nFix that by introducing a NULL check on media_gt and bailing out early\nif so.\n\nWhile at it, also drop the NULL check for gsc, since it can\u0027t be NULL if\nmedia_gt is not NULL.\n\nv2:\n - Get address for gsc only after checking that gt is not NULL.\n (Shuicheng)\n - Drop the NULL check for gsc. (Shuicheng)\nv3:\n - Add \"Fixes\" and \"Cc: \u003cstable...\u003e\" tags. (Matt)\n\n(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
"id": "GHSA-542g-6jp4-66mq",
"modified": "2026-06-10T21:31:25Z",
"published": "2026-05-28T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46216"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/814326e86e929b865020ff44f4576dbdfe3f7ff3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cad210d2851f3a7d9573bdfc02aa61d9287bbe8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-542M-H257-C5WG
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 18:30In the Linux kernel, the following vulnerability has been resolved:
mmc: rtsx_pci: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path.
So fix this by checking the return value and calling mmc_free_host() in the error path, beside, runtime PM also needs be disabled.
{
"affected": [],
"aliases": [
"CVE-2022-50267"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: rtsx_pci: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and calling mmc_free_host() in the\nerror path, beside, runtime PM also needs be disabled.",
"id": "GHSA-542m-h257-c5wg",
"modified": "2025-12-03T18:30:19Z",
"published": "2025-09-15T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50267"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c87db77423a282b3b38b8a6daf057b822680516"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30dc645461dfc63e52b3af8ee4a98e17bf14bacf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5cd4e04eccaec140da6fa04db056a76282ee6852"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffa9b2a79e3e959683efbad3f6db937eca9d38f5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.