CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-5M73-3PCH-86M2
Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
memcg_write_event_control(): fix a user-triggerable oops
we are not guaranteed that anything past the terminating NUL is mapped (let alone initialized with anything sane).
{
"affected": [],
"aliases": [
"CVE-2024-45021"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T16:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg_write_event_control(): fix a user-triggerable oops\n\nwe are *not* guaranteed that anything past the terminating NUL\nis mapped (let alone initialized with anything sane).",
"id": "GHSA-5m73-3pch-86m2",
"modified": "2025-11-04T00:31:23Z",
"published": "2024-09-11T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45021"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/046667c4d3196938e992fba0dfcde570aa85cd0e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fbe2a72e853a1052abe9bc2b7df8ddb102da227"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b37ec85ad95b612307627758c6018cd9d92cca8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21b578f1d599edb87462f11113c5b0fc7a04ac61"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/43768fa80fd192558737e24ed6548f74554611d7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad149f5585345e383baa65f1539d816cd715fd3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1aa7c509aa766080db7ab3aec2e31b1df09e57c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa5bfdf6cb5846a00e712d630a43e3cf55ccb411"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5M8F-CHRV-7RW5
Vulnerability from github – Published: 2021-11-23 18:04 – Updated: 2023-09-18 19:45Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and arise a SEGV signal.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ethereum/go-ethereum"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43668"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-19T13:19:43Z",
"nvd_published_at": "2021-11-18T16:15:00Z",
"severity": "MODERATE"
},
"details": "Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with \"runtime error: invalid memory address or nil pointer dereference\" and arise a SEGV signal.",
"id": "GHSA-5m8f-chrv-7rw5",
"modified": "2023-09-18T19:45:26Z",
"published": "2021-11-23T18:04:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43668"
},
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/issues/23866"
},
{
"type": "WEB",
"url": "https://github.com/syndtr/goleveldb/issues/373"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethereum/go-ethereum"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in Go-Ethereum"
}
GHSA-5MC8-Q53P-H4PR
Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2024-11-08 18:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject ro->rw reconfiguration if there are hard ro requirements
[BUG] Syzbot reports the following crash:
BTRFS info (device loop0 state MCS): disabling free space tree BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1) BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2) Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline] RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041 Call Trace: btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530 btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312 btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012 btrfs_remount_rw fs/btrfs/super.c:1309 [inline] btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534 btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline] btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline] btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115 vfs_get_tree+0x90/0x2b0 fs/super.c:1800 do_new_mount+0x2be/0xb40 fs/namespace.c:3472 do_mount fs/namespace.c:3812 [inline] __do_sys_mount fs/namespace.c:4020 [inline] __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
[CAUSE] To support mounting different subvolume with different RO/RW flags for the new mount APIs, btrfs introduced two workaround to support this feature:
-
Skip mount option/feature checks if we are mounting a different subvolume
-
Reconfigure the fs to RW if the initial mount is RO
Combining these two, we can have the following sequence:
-
Mount the fs ro,rescue=all,clear_cache,space_cache=v1 rescue=all will mark the fs as hard read-only, so no v2 cache clearing will happen.
-
Mount a subvolume rw of the same fs. We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY because our new fc is RW, different from the original fs.
Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag first so that we can grab the existing fs_info. Then we reconfigure the fs to RW.
- During reconfiguration, option/features check is skipped This means we will restart the v2 cache clearing, and convert back to v1 cache. This will trigger fs writes, and since the original fs has "rescue=all" option, it skips the csum tree read.
And eventually causing NULL pointer dereference in super block writeback.
[FIX] For reconfiguration caused by different subvolume RO/RW flags, ensure we always run btrfs_check_options() to ensure we have proper hard RO requirements met.
In fact the function btrfs_check_options() doesn't really do many complex checks, but hard RO requirement and some feature dependency checks, thus there is no special reason not to do the check for mount reconfiguration.
{
"affected": [],
"aliases": [
"CVE-2024-50118"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T18:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject ro-\u003erw reconfiguration if there are hard ro requirements\n\n[BUG]\nSyzbot reports the following crash:\n\n BTRFS info (device loop0 state MCS): disabling free space tree\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE (0x1)\n BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREE_SPACE_TREE_VALID (0x2)\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:backup_super_roots fs/btrfs/disk-io.c:1691 [inline]\n RIP: 0010:write_all_supers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041\n Call Trace:\n \u003cTASK\u003e\n btrfs_commit_transaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530\n btrfs_delete_free_space_tree+0x383/0x730 fs/btrfs/free-space-tree.c:1312\n btrfs_start_pre_rw_mount+0xf28/0x1300 fs/btrfs/disk-io.c:3012\n btrfs_remount_rw fs/btrfs/super.c:1309 [inline]\n btrfs_reconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534\n btrfs_reconfigure_for_mount fs/btrfs/super.c:2020 [inline]\n btrfs_get_tree_subvol fs/btrfs/super.c:2079 [inline]\n btrfs_get_tree+0x918/0x1920 fs/btrfs/super.c:2115\n vfs_get_tree+0x90/0x2b0 fs/super.c:1800\n do_new_mount+0x2be/0xb40 fs/namespace.c:3472\n do_mount fs/namespace.c:3812 [inline]\n __do_sys_mount fs/namespace.c:4020 [inline]\n __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nTo support mounting different subvolume with different RO/RW flags for\nthe new mount APIs, btrfs introduced two workaround to support this feature:\n\n- Skip mount option/feature checks if we are mounting a different\n subvolume\n\n- Reconfigure the fs to RW if the initial mount is RO\n\nCombining these two, we can have the following sequence:\n\n- Mount the fs ro,rescue=all,clear_cache,space_cache=v1\n rescue=all will mark the fs as hard read-only, so no v2 cache clearing\n will happen.\n\n- Mount a subvolume rw of the same fs.\n We go into btrfs_get_tree_subvol(), but fc_mount() returns EBUSY\n because our new fc is RW, different from the original fs.\n\n Now we enter btrfs_reconfigure_for_mount(), which switches the RO flag\n first so that we can grab the existing fs_info.\n Then we reconfigure the fs to RW.\n\n- During reconfiguration, option/features check is skipped\n This means we will restart the v2 cache clearing, and convert back to\n v1 cache.\n This will trigger fs writes, and since the original fs has \"rescue=all\"\n option, it skips the csum tree read.\n\n And eventually causing NULL pointer dereference in super block\n writeback.\n\n[FIX]\nFor reconfiguration caused by different subvolume RO/RW flags, ensure we\nalways run btrfs_check_options() to ensure we have proper hard RO\nrequirements met.\n\nIn fact the function btrfs_check_options() doesn\u0027t really do many\ncomplex checks, but hard RO requirement and some feature dependency\nchecks, thus there is no special reason not to do the check for mount\nreconfiguration.",
"id": "GHSA-5mc8-q53p-h4pr",
"modified": "2024-11-08T18:30:48Z",
"published": "2024-11-05T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50118"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23724398b55d9570f6ae79dd2ea026fff8896bf1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3c36a72c1d27de6618c1c480c793d9924640f5bb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MGQ-44P6-X2PR
Vulnerability from github – Published: 2024-08-25 00:30 – Updated: 2025-11-03 21:31An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
{
"affected": [],
"aliases": [
"CVE-2024-45238"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-24T23:15:04Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn\u0027t properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.",
"id": "GHSA-5mgq-44p6-x2pr",
"modified": "2025-11-03T21:31:11Z",
"published": "2024-08-25T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45238"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00030.html"
},
{
"type": "WEB",
"url": "https://nicmx.github.io/FORT-validator/CVE.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MH8-JP8G-GM6G
Vulnerability from github – Published: 2025-11-04 18:31 – Updated: 2025-11-04 21:31An issue was discovered in NPU in Samsung Mobile Processor Exynos through July 2025. There is a NULL Pointer Dereference of profiler.node in the npu_vertex_profileoff function.
{
"affected": [],
"aliases": [
"CVE-2025-54332"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T17:16:22Z",
"severity": "HIGH"
},
"details": "An issue was discovered in NPU in Samsung Mobile Processor Exynos through July 2025. There is a NULL Pointer Dereference of profiler.node in the npu_vertex_profileoff function.",
"id": "GHSA-5mh8-jp8g-gm6g",
"modified": "2025-11-04T21:31:34Z",
"published": "2025-11-04T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54332"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54332"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MJM-RG7P-Q2RG
Vulnerability from github – Published: 2023-03-10 12:30 – Updated: 2023-03-14 18:30Communication Wi-Fi subsystem within OpenHarmony-v3.1.4 and prior versions, OpenHarmony-v3.0.7 and prior versions has a null pointer reference vulnerability which local attackers can exploit this vulnerability to cause the current application to crash.
{
"affected": [],
"aliases": [
"CVE-2023-24465"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-10T11:15:00Z",
"severity": "MODERATE"
},
"details": "Communication Wi-Fi subsystem within OpenHarmony-v3.1.4 and prior versions, OpenHarmony-v3.0.7 and prior versions has a null pointer reference vulnerability which local attackers can exploit this vulnerability to cause the current application to crash.",
"id": "GHSA-5mjm-rg7p-q2rg",
"modified": "2023-03-14T18:30:21Z",
"published": "2023-03-10T12:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24465"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MMJ-6X72-CG2X
Vulnerability from github – Published: 2022-05-14 02:05 – Updated: 2022-05-14 02:05GraphicsMagick 1.3.23 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted SVG file, related to the (1) DrawImage function in magick/render.c, (2) SVGStartElement function in coders/svg.c, and (3) TraceArcPath function in magick/render.c.
{
"affected": [],
"aliases": [
"CVE-2016-2318"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-03T15:59:00Z",
"severity": "MODERATE"
},
"details": "GraphicsMagick 1.3.23 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted SVG file, related to the (1) DrawImage function in magick/render.c, (2) SVGStartElement function in coders/svg.c, and (3) TraceArcPath function in magick/render.c.",
"id": "GHSA-5mmj-6x72-cg2x",
"modified": "2022-05-14T02:05:03Z",
"published": "2022-05-14T02:05:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2318"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1306148"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00037.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3746"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/11/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/05/27/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/05/31/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/09/07/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/09/18/8"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/83241"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MRV-659C-HRM7
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
Do not call snd_dma_free_pages() when snd_dma_alloc_pages() returns -ENOMEM because it leads to a NULL pointer dereference bug.
The dmesg says:
[ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12 [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ T1387] #PF: supervisor read access in kernel mode [ T1387] #PF: error_code(0x0000) - not-present page [ T1387] PGD 0 P4D 0 [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3 [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021 [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80 [ T1387] Code: [... snip ...] [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246 [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0 [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000 [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001 [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828 [ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000 [ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0 [ T1387] PKRU: 55555554 [ T1387] Call Trace: [ T1387] [ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1] [... snip ...] [ T1387]
{
"affected": [],
"aliases": [
"CVE-2022-49268"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM\n\nDo not call snd_dma_free_pages() when snd_dma_alloc_pages() returns\n-ENOMEM because it leads to a NULL pointer dereference bug.\n\nThe dmesg says:\n\n [ T1387] sof-audio-pci-intel-tgl 0000:00:1f.3: error: memory alloc failed: -12\n [ T1387] BUG: kernel NULL pointer dereference, address: 0000000000000000\n [ T1387] #PF: supervisor read access in kernel mode\n [ T1387] #PF: error_code(0x0000) - not-present page\n [ T1387] PGD 0 P4D 0\n [ T1387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n [ T1387] CPU: 6 PID: 1387 Comm: alsa-sink-HDA A Tainted: G W 5.17.0-rc4-superb-owl-00055-g80d47f5de5e3\n [ T1387] Hardware name: HP HP Laptop 14s-dq2xxx/87FD, BIOS F.15 09/15/2021\n [ T1387] RIP: 0010:dma_free_noncontiguous+0x37/0x80\n [ T1387] Code: [... snip ...]\n [ T1387] RSP: 0000:ffffc90002b87770 EFLAGS: 00010246\n [ T1387] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n [ T1387] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888101db30d0\n [ T1387] RBP: 00000000fffffff4 R08: 0000000000000000 R09: 0000000000000000\n [ T1387] R10: 0000000000000000 R11: ffffc90002b874d0 R12: 0000000000000001\n [ T1387] R13: 0000000000058000 R14: ffff888105260c68 R15: ffff888105260828\n [ T1387] FS: 00007f42e2ffd640(0000) GS:ffff888466b80000(0000) knlGS:0000000000000000\n [ T1387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ T1387] CR2: 0000000000000000 CR3: 000000014acf0003 CR4: 0000000000770ee0\n [ T1387] PKRU: 55555554\n [ T1387] Call Trace:\n [ T1387] \u003cTASK\u003e\n [ T1387] cl_stream_prepare+0x10a/0x120 [snd_sof_intel_hda_common 146addf995b9279ae7f509621078cccbe4f875e1]\n [... snip ...]\n [ T1387] \u003c/TASK\u003e",
"id": "GHSA-5mrv-659c-hrm7",
"modified": "2025-09-22T21:30:16Z",
"published": "2025-09-22T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49268"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01df5f7627f1624d6bb0b8c0870a569b32adfbf8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09eca322d4118dc26570ca6100fa34e59e5a5143"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c307349fe060971625b856c92f0361b8ea9a120"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67f7bd9ff9079c1ee2de58e024fb582905c74c16"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6094744e261083d3790c3def770ebf5060d383b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7fb0ae09009d076964afe4c1a2bde1ee2bd88a9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5P4H-3377-7W67
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2024-05-20 19:54The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of , , or . This is related to HTMLTreeBuilder.cpp in WebKit.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20180816102801-aaf60122140d"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-17075"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T00:38:17Z",
"nvd_published_at": "2018-09-16T02:29:00Z",
"severity": "HIGH"
},
"details": "The html package (aka x/net/html) before 2018-07-13 in Go mishandles \"in frameset\" insertion mode, leading to a \"panic: runtime error\" for html.Parse of \u003ctemplate\u003e\u003cobject\u003e, \u003ctemplate\u003e\u003capplet\u003e, or \u003ctemplate\u003e\u003cmarquee\u003e. This is related to HTMLTreeBuilder.cpp in WebKit.",
"id": "GHSA-5p4h-3377-7w67",
"modified": "2024-05-20T19:54:47Z",
"published": "2022-05-13T01:19:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17075"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/27016"
},
{
"type": "WEB",
"url": "https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/chromium/issues/detail?id=829668"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang/go"
},
{
"type": "WEB",
"url": "https://go-review.googlesource.com/c/net/+/94838/9/html/parse.go#1906"
},
{
"type": "WEB",
"url": "https://go.dev/cl/123776"
},
{
"type": "WEB",
"url": "https://go.dev/issue/27016"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/net/+/aaf60122140d3fcf75376d319f0554393160eb50"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LREEWY6KNLHRWFZ7OT4HVLMVVCGGUHON"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKRCI7WIOCOCD3H7NXWRGIRABTQOZOBK"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/net/html NULL Pointer Dereference vulnerability"
}
GHSA-5P4M-XCPC-7FXP
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:43An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.
{
"affected": [],
"aliases": [
"CVE-2019-15291"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the Linux kernel through 5.2.9. There is a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver.",
"id": "GHSA-5p4m-xcpc-7fxp",
"modified": "2024-04-04T01:43:23Z",
"published": "2022-05-24T16:54:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15291"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2020/Jan/10"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190905-0002"
},
{
"type": "WEB",
"url": "https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4254-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4254-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4258-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4284-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4287-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4287-2"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155890/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/08/20/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/08/22/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.