CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-557G-5W49-23J4
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-19 21:31In the Linux kernel, the following vulnerability has been resolved:
nvmem: zynqmp_nvmem: unbreak driver after cleanup
Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer to be passed as the "context", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed.
{
"affected": [],
"aliases": [
"CVE-2025-38301"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T08:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: zynqmp_nvmem: unbreak driver after cleanup\n\nCommit 29be47fcd6a0 (\"nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup\")\nchanged the driver to expect the device pointer to be passed as the\n\"context\", but in nvmem the context parameter comes from nvmem_config.priv\nwhich is never set - Leading to null pointer exceptions when the device is\naccessed.",
"id": "GHSA-557g-5w49-23j4",
"modified": "2025-11-19T21:31:16Z",
"published": "2025-07-10T09:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38301"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3728101f56ef54425a11027a3ddc2c3941d60b71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c8bb1bcea877446f86922a8fd1661b8c07d90e5c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe8abdd175d7b547ae1a612757e7902bcd62e9cf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-558H-5PV9-XXG9
Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2025-11-03 21:30DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result even if the result is null, which can incur a head-based overflow. An attacker can use it to launch a DoS attack.
{
"affected": [],
"aliases": [
"CVE-2021-41689"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-28T13:15:00Z",
"severity": "HIGH"
},
"details": "DCMTK through 3.6.6 does not handle string copy properly. Sending specific requests to the dcmqrdb program, it would query its database and copy the result even if the result is null, which can incur a head-based overflow. An attacker can use it to launch a DoS attack.",
"id": "GHSA-558h-5pv9-xxg9",
"modified": "2025-11-03T21:30:42Z",
"published": "2022-06-29T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41689"
},
{
"type": "WEB",
"url": "https://github.com/DCMTK/dcmtk/commit/5c14bf53fb42ceca12bbcc0016e8704b1580920d"
},
{
"type": "WEB",
"url": "https://github.com/DCMTK/dcmtk"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-558H-MQ8X-7Q9G
Vulnerability from github – Published: 2023-03-24 21:57 – Updated: 2023-03-27 22:00Impact
When SparseSparseMaximum is given invalid sparse tensors as inputs, it can give an NPE.
import tensorflow as tf
tf.raw_ops.SparseSparseMaximum(
a_indices=[[1]],
a_values =[ 0.1 ],
a_shape = [2],
b_indices=[[]],
b_values =[2 ],
b_shape = [2],
)
Patches
We have patched the issue in GitHub commit 5e0ecfb42f5f65629fd7a4edd6c4afe7ff0feb04.
The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25665"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-24T21:57:25Z",
"nvd_published_at": "2023-03-25T00:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen `SparseSparseMaximum` is given invalid sparse tensors as inputs, it can give an NPE. \n\n```python\nimport tensorflow as tf\ntf.raw_ops.SparseSparseMaximum(\n a_indices=[[1]],\n a_values =[ 0.1 ],\n a_shape = [2],\n b_indices=[[]],\n b_values =[2 ],\n b_shape = [2],\n)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [5e0ecfb42f5f65629fd7a4edd6c4afe7ff0feb04](https://github.com/tensorflow/tensorflow/commit/5e0ecfb42f5f65629fd7a4edd6c4afe7ff0feb04).\n\nThe fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team",
"id": "GHSA-558h-mq8x-7q9g",
"modified": "2023-03-27T22:00:49Z",
"published": "2023-03-24T21:57:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-558h-mq8x-7q9g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25665"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/5e0ecfb42f5f65629fd7a4edd6c4afe7ff0feb04"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "TensorFlow has Null Pointer Error in SparseSparseMaximum"
}
GHSA-5595-3X49-32P2
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS GT.M through V7.0-000. Using crafted input, attackers can cause a type to be incorrectly initialized in the function f_incr in sr_port/f_incr.c and cause a crash due to a NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2021-44492"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS GT.M through V7.0-000. Using crafted input, attackers can cause a type to be incorrectly initialized in the function f_incr in sr_port/f_incr.c and cause a crash due to a NULL pointer dereference.",
"id": "GHSA-5595-3x49-32p2",
"modified": "2022-04-23T00:03:17Z",
"published": "2022-04-16T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44492"
},
{
"type": "WEB",
"url": "https://gitlab.com/YottaDB/DB/YDB/-/issues/828"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/fis-gtm/files"
},
{
"type": "WEB",
"url": "http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-559C-J26R-95QC
Vulnerability from github – Published: 2024-04-28 15:30 – Updated: 2025-01-14 15:30In the Linux kernel, the following vulnerability has been resolved:
sfc: fix null pointer dereference in efx_hard_start_xmit
Trying to get the channel from the tx_queue variable here is wrong because we can only be here if tx_queue is NULL, so we shouldn't dereference it. As the above comment in the code says, this is very unlikely to happen, but it's wrong anyway so let's fix it.
I hit this issue because of a different bug that caused tx_queue to be NULL. If that happens, this is the error message that we get here: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 [...] RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]
{
"affected": [],
"aliases": [
"CVE-2022-48648"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-28T13:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix null pointer dereference in efx_hard_start_xmit\n\nTrying to get the channel from the tx_queue variable here is wrong\nbecause we can only be here if tx_queue is NULL, so we shouldn\u0027t\ndereference it. As the above comment in the code says, this is very\nunlikely to happen, but it\u0027s wrong anyway so let\u0027s fix it.\n\nI hit this issue because of a different bug that caused tx_queue to be\nNULL. If that happens, this is the error message that we get here:\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000020\n [...]\n RIP: 0010:efx_hard_start_xmit+0x153/0x170 [sfc]",
"id": "GHSA-559c-j26r-95qc",
"modified": "2025-01-14T15:30:49Z",
"published": "2024-04-28T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48648"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a242eb2913a4aa3d6fbdb86559f27628e9466f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8547c7bfc0617e7184e4da65b9b96681fcfe9998"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3b41d4d95d3822b2e459ecbc80d030ea6aec5e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3b952168ee1f220ba729fa100fd9d5aa752eb03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55J6-RJHX-HWFH
Vulnerability from github – Published: 2026-07-01 17:41 – Updated: 2026-07-01 17:41Summary
A memory-safety vulnerability in Open Babel's CACAO parser caused a NULL pointer dereference when reading a crafted input file.
Details
The flaw was in CacaoFormat::SetHilderbrandt. A malformed input
caused the parser to dereference a NULL pointer while applying the
Hilderbrandt transformation.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious CACAO file with the obabel
tool, the OBConversion API, or any of the language bindings (Python,
Ruby, Java, R, Perl, C#, PHP).
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: https://github.com/openbabel/openbabel/commit/ecaed96f Originally reported as #2827; fixes consolidated in #2913.
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.
Credit
Reported via OSS-Fuzz.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openbabel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10999"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T17:41:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s CACAO parser caused a\nNULL pointer dereference when reading a crafted input file.\n\n### Details\n\nThe flaw was in `CacaoFormat::SetHilderbrandt`. A malformed input\ncaused the parser to dereference a NULL pointer while applying the\nHilderbrandt transformation.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious CACAO file with the `obabel`\ntool, the `OBConversion` API, or any of the language bindings (Python,\nRuby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/ecaed96f\nOriginally reported as #2827; fixes consolidated in #2913.\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported via OSS-Fuzz.",
"id": "GHSA-55j6-rjhx-hwfh",
"modified": "2026-07-01T17:41:33Z",
"published": "2026-07-01T17:41:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-55j6-rjhx-hwfh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10999"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/issues/2827"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/commit/ecaed96f"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbabel/openbabel"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/files/22318503/poc.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325927"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325927"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.654064"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open Babel has NULL pointer dereference in CACAO CacaoFormat::SetHilderbrandt"
}
GHSA-55JJ-QFP9-6XV9
Vulnerability from github – Published: 2026-01-23 06:31 – Updated: 2026-01-23 06:31A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability.
{
"affected": [],
"aliases": [
"CVE-2026-0710"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T04:16:01Z",
"severity": "HIGH"
},
"details": "A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system\u0027s integrity and availability.",
"id": "GHSA-55jj-qfp9-6xv9",
"modified": "2026-01-23T06:31:23Z",
"published": "2026-01-23T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0710"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-0710"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427788"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55JM-H8M6-5GPQ
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-13 00:00On F5 BIG-IP LTM, Advanced WAF, ASM, or APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a virtual server is configured with HTTP, TCP on one side (client/server), and DTLS on the other (server/client), undisclosed requests can cause the TMM process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
{
"affected": [],
"aliases": [
"CVE-2022-29491"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T17:15:00Z",
"severity": "HIGH"
},
"details": "On F5 BIG-IP LTM, Advanced WAF, ASM, or APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a virtual server is configured with HTTP, TCP on one side (client/server), and DTLS on the other (server/client), undisclosed requests can cause the TMM process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
"id": "GHSA-55jm-h8m6-5gpq",
"modified": "2022-05-13T00:00:22Z",
"published": "2022-05-06T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29491"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K14229426"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55MC-5J7J-CJ82
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-04 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: megachips: Fix a null pointer dereference bug
When removing the module we will get the following warning:
[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered [ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI [ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130 [ 31.921825] Call Trace: [ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw] [ 31.923139] i2c_device_remove+0x181/0x1f0
The two bridges (stdp2690, stdp4028) do not probe at the same time, so the driver does not call ge_b850v3_resgiter() when probing, causing the driver to try to remove the object that has not been initialized.
Fix this by checking whether both the bridges are probed.
{
"affected": [],
"aliases": [
"CVE-2022-50317"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: megachips: Fix a null pointer dereference bug\n\nWhen removing the module we will get the following warning:\n\n[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered\n[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\n[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130\n[ 31.921825] Call Trace:\n[ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw]\n[ 31.923139] i2c_device_remove+0x181/0x1f0\n\nThe two bridges (stdp2690, stdp4028) do not probe at the same time, so\nthe driver does not call ge_b850v3_resgiter() when probing, causing the\ndriver to try to remove the object that has not been initialized.\n\nFix this by checking whether both the bridges are probed.",
"id": "GHSA-55mc-5j7j-cj82",
"modified": "2025-12-04T15:30:30Z",
"published": "2025-09-15T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50317"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1daf69228e310938177119c4eadcd30fc75c81e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ff673333d46d2c1b053ebd0c1c7c7c79e36943e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21764467ab396d9f08921e0a5ffa1214244e1ad9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4610e7a4111fa3f3ce27c09d6d94008c55f1cd31"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5bc20bafcd87ba0858ab772cefc7047cb51bc249"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7371fad5cfe6eada6bb5523c895fd6074b15c2b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/877e92e9b1bdeb580b31a46061005936be902cd4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aaa512ad1e59f2edf8a9e4f2b167a44b24670679"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55Q8-2GWX-29PC
Vulnerability from github – Published: 2026-03-26 22:15 – Updated: 2026-03-27 21:51Summary
Ella Core panics when processing Authentication Response and Authentication Failure NAS message missing IEs.
Impact
An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.
Fix
Added IE presence verification to NAS message handling.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ellanetworks/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33907"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:15:54Z",
"nvd_published_at": "2026-03-27T21:17:27Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nElla Core panics when processing Authentication Response and Authentication Failure NAS message missing IEs. \n\n## Impact\n\nAn attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required.\n\n## Fix\n\nAdded IE presence verification to NAS message handling.",
"id": "GHSA-55q8-2gwx-29pc",
"modified": "2026-03-27T21:51:52Z",
"published": "2026-03-26T22:15:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-55q8-2gwx-29pc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33907"
},
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/commit/52962660e3bd3e23c7e96b0da270ac1e0e705273"
},
{
"type": "PACKAGE",
"url": "https://github.com/ellanetworks/core"
},
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/releases/tag/v1.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ella Core Panics during NAS Authentication Response/Failure with missing IEs"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.