Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6309 vulnerabilities reference this CWE, most recent first.

GHSA-589J-8G5M-4CXH

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: designware: Fix handling of real but unexpected device interrupts

Commit c7b79a752871 ("mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI IDs") caused a regression on certain Gigabyte motherboards for Intel Alder Lake-S where system crashes to NULL pointer dereference in i2c_dw_xfer_msg() when system resumes from S3 sleep state ("deep").

I was able to debug the issue on Gigabyte Z690 AORUS ELITE and made following notes:

  • Issue happens when resuming from S3 but not when resuming from "s2idle"
  • PCI device 00:15.0 == i2c_designware.0 is already in D0 state when system enters into pci_pm_resume_noirq() while all other i2c_designware PCI devices are in D3. Devices were runtime suspended and in D3 prior entering into suspend
  • Interrupt comes after pci_pm_resume_noirq() when device interrupts are re-enabled
  • According to register dump the interrupt really comes from the i2c_designware.0. Controller is enabled, I2C target address register points to a one detectable I2C device address 0x60 and the DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and TX_EMPTY bits are set indicating completed I2C transaction.

My guess is that the firmware uses this controller to communicate with an on-board I2C device during resume but does not disable the controller before giving control to an operating system.

I was told the UEFI update fixes this but never the less it revealed the driver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device is supposed to be idle and state variables are not set (especially the dev->msgs pointer which may point to NULL or stale old data).

Introduce a new software status flag STATUS_ACTIVE indicating when the controller is active in driver point of view. Now treat all interrupts that occur when is not set as unexpected and mask all interrupts from the controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: Fix handling of real but unexpected device interrupts\n\nCommit c7b79a752871 (\"mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI\nIDs\") caused a regression on certain Gigabyte motherboards for Intel\nAlder Lake-S where system crashes to NULL pointer dereference in\ni2c_dw_xfer_msg() when system resumes from S3 sleep state (\"deep\").\n\nI was able to debug the issue on Gigabyte Z690 AORUS ELITE and made\nfollowing notes:\n\n- Issue happens when resuming from S3 but not when resuming from\n  \"s2idle\"\n- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when\n  system enters into pci_pm_resume_noirq() while all other i2c_designware\n  PCI devices are in D3. Devices were runtime suspended and in D3 prior\n  entering into suspend\n- Interrupt comes after pci_pm_resume_noirq() when device interrupts are\n  re-enabled\n- According to register dump the interrupt really comes from the\n  i2c_designware.0. Controller is enabled, I2C target address register\n  points to a one detectable I2C device address 0x60 and the\n  DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and\n  TX_EMPTY bits are set indicating completed I2C transaction.\n\nMy guess is that the firmware uses this controller to communicate with\nan on-board I2C device during resume but does not disable the controller\nbefore giving control to an operating system.\n\nI was told the UEFI update fixes this but never the less it revealed the\ndriver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device\nis supposed to be idle and state variables are not set (especially the\ndev-\u003emsgs pointer which may point to NULL or stale old data).\n\nIntroduce a new software status flag STATUS_ACTIVE indicating when the\ncontroller is active in driver point of view. Now treat all interrupts\nthat occur when is not set as unexpected and mask all interrupts from\nthe controller.",
  "id": "GHSA-589j-8g5m-4cxh",
  "modified": "2025-12-11T21:31:25Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50370"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/301c8f5c32c8fb79c67539bc23972dc3ef48024c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7fa5304c4b5b425d4a0b3acf10139a7f6108a85f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a206f7fbe9589c60fafad12884628c909ecb042f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa59ac81e859006d3a1df035a19b3f2089110f93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58HW-C565-3Q2C

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-06-30 00:00
VLAI
Details

A null pointer dereference vulnerability in devices/gdevtsep.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. This is fixed in v9.51.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-13T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability in devices/gdevtsep.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. This is fixed in v9.51.",
  "id": "GHSA-58hw-c565-3q2c",
  "modified": "2022-06-30T00:00:30Z",
  "published": "2022-05-24T17:25:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16306"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=701821"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-20"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4469-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4748"
    },
    {
      "type": "WEB",
      "url": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=aadb53eb834b3def3ef68d78865ff87a68901804"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58MV-QQMV-GQGV

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-10 09:31
VLAI
Details

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.

An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:17:07Z",
    "severity": "MODERATE"
  },
  "details": "Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
  "id": "GHSA-58mv-qqmv-gqgv",
  "modified": "2026-06-10T09:31:56Z",
  "published": "2026-06-09T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20260609.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58PP-88X2-WF7F

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected.",
  "id": "GHSA-58pp-88x2-wf7f",
  "modified": "2022-05-24T17:36:34Z",
  "published": "2022-05-24T17:36:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29484"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4812"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-324.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-58Q5-9X94-W4FC

Vulnerability from github – Published: 2025-04-03 09:32 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix error code in chan_alloc_skb_cb()

The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T08:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix error code in chan_alloc_skb_cb()\n\nThe chan_alloc_skb_cb() function is supposed to return error pointers on\nerror.  Returning NULL will lead to a NULL dereference.",
  "id": "GHSA-58q5-9x94-w4fc",
  "modified": "2025-11-03T21:33:30Z",
  "published": "2025-04-03T09:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22007"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bd68db7beb426ab5a45d81516ed9611284affc8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72d061ee630d0dbb45c2920d8d19b3861c413e54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/761b7c36addd22c7e6ceb05caaadc3b062d99faa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76304cba8cba12bb10d89d016c28403a2dd89a29"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/788ae2ae4cf484e248b5bc29211c7ac6510e3e92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a78692ec0d1e17a96b09f2349a028878f5b305e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3d607e36fef4bd05fb938a8a868ff70e9fedbe2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ecd06ad0823a90b4420c377ef8917e44e23ee841"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58Q5-G3VC-4RGH

Vulnerability from github – Published: 2024-08-17 12:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

remoteproc: imx_rproc: Skip over memory region when node value is NULL

In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts number of phandles. But phandles may be empty. So of_parse_phandle() in the parsing loop (0 < a < nph) may return NULL which is later dereferenced. Adjust this issue by adding NULL-return check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

[Fixed title to fit within the prescribed 70-75 charcters]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T10:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: imx_rproc: Skip over memory region when node value is NULL\n\nIn imx_rproc_addr_init() \"nph = of_count_phandle_with_args()\" just counts\nnumber of phandles. But phandles may be empty. So of_parse_phandle() in\nthe parsing loop (0 \u003c a \u003c nph) may return NULL which is later dereferenced.\nAdjust this issue by adding NULL-return check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[Fixed title to fit within the prescribed 70-75 charcters]",
  "id": "GHSA-58q5-g3vc-4rgh",
  "modified": "2025-11-04T00:31:16Z",
  "published": "2024-08-17T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43860"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2fa26ca8b786888673689ccc9da6094150939982"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e13b7c23988c0a13fdca92e94296a3bc2ff9f21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6884fd0283e0831be153fb8d82d9eda8a55acaaa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b50462b473fdccdc0dfad73001147e40ff19a66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c9ea3547fad252fe9ae5d3ed7e066e2085bf3a2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84beb7738459cac0ff9f8a7c4654b8ff82a702c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a17cf8b2ce483fa75258bc2cdcf628f24bcf5f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c877a5f5268d4ab8224b9c9fbce3d746e4e72bc9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-592Q-R679-2JPC

Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-04-15 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

squashfs: harden sanity check in squashfs_read_xattr_id_table

While mounting a corrupted filesystem, a signed integer '*xattr_ids' can become less than zero. This leads to the incorrect computation of 'len' and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() or out-of-bounds accesses in the next sanity checks inside squashfs_read_xattr_id_table().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T17:15:45Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsquashfs: harden sanity check in squashfs_read_xattr_id_table\n\nWhile mounting a corrupted filesystem, a signed integer \u0027*xattr_ids\u0027 can\nbecome less than zero.  This leads to the incorrect computation of \u0027len\u0027\nand \u0027indexes\u0027 values which can cause null-ptr-deref in copy_bio_to_actor()\nor out-of-bounds accesses in the next sanity checks inside\nsquashfs_read_xattr_id_table().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
  "id": "GHSA-592q-r679-2jpc",
  "modified": "2025-04-15T15:30:48Z",
  "published": "2025-03-27T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52979"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29e774dcb27116c06b9c57b1f1f14a1623738989"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72e544b1b28325fe78a4687b980871a7e4101f76"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b30a74f83265c24d1d0842c6c3928cd2e775a3fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7398efe24a965cf3937b716c0b1011c201c5d6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf5d6612092408157db6bb500c70bf6d67c40fbc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db76fc535fbdfbf29fd0b93e49627537ad794c8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de2785aa3448d1ee7be3ab47fd4a873025f1b3d7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5935-5RV9-4V2P

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: don't allow journal inode to have encrypt flag

Mounting a filesystem whose journal inode has the encrypt flag causes a NULL dereference in fscrypt_limit_io_blocks() when the 'inlinecrypt' mount option is used.

The problem is that when jbd2_journal_init_inode() calls bmap(), it eventually finds its way into ext4_iomap_begin(), which calls fscrypt_limit_io_blocks(). fscrypt_limit_io_blocks() requires that if the inode is encrypted, then its encryption key must already be set up. That's not the case here, since the journal inode is never "opened" like a normal file would be. Hence the crash.

A reproducer is:

mkfs.ext4 -F /dev/vdb
debugfs -w /dev/vdb -R "set_inode_field <8> flags 0x80808"
mount /dev/vdb /mnt -o inlinecrypt

To fix this, make ext4 consider journal inodes with the encrypt flag to be invalid. (Note, maybe other flags should be rejected on the journal inode too. For now, this is just the minimal fix for the above issue.)

I've marked this as fixing the commit that introduced the call to fscrypt_limit_io_blocks(), since that's what made an actual crash start being possible. But this fix could be applied to any version of ext4 that supports the encrypt feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don\u0027t allow journal inode to have encrypt flag\n\nMounting a filesystem whose journal inode has the encrypt flag causes a\nNULL dereference in fscrypt_limit_io_blocks() when the \u0027inlinecrypt\u0027\nmount option is used.\n\nThe problem is that when jbd2_journal_init_inode() calls bmap(), it\neventually finds its way into ext4_iomap_begin(), which calls\nfscrypt_limit_io_blocks().  fscrypt_limit_io_blocks() requires that if\nthe inode is encrypted, then its encryption key must already be set up.\nThat\u0027s not the case here, since the journal inode is never \"opened\" like\na normal file would be.  Hence the crash.\n\nA reproducer is:\n\n    mkfs.ext4 -F /dev/vdb\n    debugfs -w /dev/vdb -R \"set_inode_field \u003c8\u003e flags 0x80808\"\n    mount /dev/vdb /mnt -o inlinecrypt\n\nTo fix this, make ext4 consider journal inodes with the encrypt flag to\nbe invalid.  (Note, maybe other flags should be rejected on the journal\ninode too.  For now, this is just the minimal fix for the above issue.)\n\nI\u0027ve marked this as fixing the commit that introduced the call to\nfscrypt_limit_io_blocks(), since that\u0027s what made an actual crash start\nbeing possible.  But this fix could be applied to any version of ext4\nthat supports the encrypt feature.",
  "id": "GHSA-5935-5rv9-4v2p",
  "modified": "2025-12-03T21:30:58Z",
  "published": "2025-09-15T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50277"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/105c78e12468413e426625831faa7db4284e1fec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f7a6626f611aa06d7907aa45b484708dd5ac8bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcc5057e1781a3ee889225480d995c3b5cbde555"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-595W-V3FV-XPWF

Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-10-31 15:30
VLAI
Details

Multiple versions of Central Monitor CNS-6201 contain a NULL pointer dereference vulnerability. When processing a crafted certain UDP packet, the affected device may abnormally terminate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-30T11:37:41Z",
    "severity": "HIGH"
  },
  "details": "Multiple versions of Central Monitor CNS-6201 contain a NULL pointer dereference vulnerability. When processing a crafted certain UDP packet, the affected device may abnormally terminate.",
  "id": "GHSA-595w-v3fv-xpwf",
  "modified": "2025-10-31T15:30:30Z",
  "published": "2025-09-30T12:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59668"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU96989989"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-296-01"
    },
    {
      "type": "WEB",
      "url": "https://www.nihonkohden.com/security.html"
    },
    {
      "type": "WEB",
      "url": "https://www.nihonkohden.com/security/main/01112/teaserItems3/0/linkList/0/link/NKcorporateResponse-CNS-6201_CentralMonitor_Vulnerability(CVE-2025-59668)_en_Rev2.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-596W-G2CR-X93Q

Vulnerability from github – Published: 2023-11-17 06:31 – Updated: 2024-06-20 18:34
VLAI
Details

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a do_binauth NULL pointer dereference that be triggered with a crafted GET HTTP request with a missing User-Agent HTTP header. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-17T06:15:33Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a do_binauth NULL pointer dereference that be triggered with a crafted GET HTTP request with a missing User-Agent HTTP header. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.",
  "id": "GHSA-596w-g2cr-x93q",
  "modified": "2024-06-20T18:34:07Z",
  "published": "2023-11-17T06:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openNDS/openNDS/releases/tag/v10.1.2"
    },
    {
      "type": "WEB",
      "url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/#sthash.2vJg3d85.rwx82g1C.dpbs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.