CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6298 vulnerabilities reference this CWE, most recent first.
GHSA-5XFF-5JR2-J357
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-05-24 16:54Adobe Acrobat and Reader versions , 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-8017"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Acrobat and Reader versions , 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-5xff-5jr2-j357",
"modified": "2022-05-24T16:54:12Z",
"published": "2022-05-24T16:54:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8017"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-41.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5XFG-8MP6-PR5F
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-12-31 21:30In the Linux kernel, the following vulnerability has been resolved:
cxl/region: Fix null pointer dereference for resetting decoder
Not all decoders have a reset callback.
The CXL specification allows a host bridge with a single root port to have no explicit HDM decoders. Currently the region driver assumes there are none. As such the CXL core creates a special pass through decoder instance without a commit/reset callback.
Prior to this patch, the ->reset() callback was called unconditionally when calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge, 1 Root Port, and one directly attached CXL type 3 device or multiple CXL type 3 devices attached to downstream ports of a switch can cause a null pointer dereference.
Before the fix, a kernel crash was observed when we destroy the region, and a pass through decoder is reset.
The issue can be reproduced as below, 1) create a region with a CXL setup which includes a HB with a single root port under which a memdev is attached directly. 2) destroy the region with cxl destroy-region regionX -f.
{
"affected": [],
"aliases": [
"CVE-2022-48707"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix null pointer dereference for resetting decoder\n\nNot all decoders have a reset callback.\n\nThe CXL specification allows a host bridge with a single root port to\nhave no explicit HDM decoders. Currently the region driver assumes there\nare none. As such the CXL core creates a special pass through decoder\ninstance without a commit/reset callback.\n\nPrior to this patch, the -\u003ereset() callback was called unconditionally when\ncalling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge,\n1 Root Port, and one directly attached CXL type 3 device or multiple CXL\ntype 3 devices attached to downstream ports of a switch can cause a null\npointer dereference.\n\nBefore the fix, a kernel crash was observed when we destroy the region, and\na pass through decoder is reset.\n\nThe issue can be reproduced as below,\n 1) create a region with a CXL setup which includes a HB with a\n single root port under which a memdev is attached directly.\n 2) destroy the region with cxl destroy-region regionX -f.",
"id": "GHSA-5xfg-8mp6-pr5f",
"modified": "2024-12-31T21:30:44Z",
"published": "2024-05-21T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48707"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a04c7d062b537ff787d00da95bdfe343260d4beb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XMQ-M54X-CHJM
Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
drm/client: fix null pointer dereference in drm_client_modeset_probe
In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is assigned to modeset->mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
{
"affected": [],
"aliases": [
"CVE-2024-43894"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T11:15:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: fix null pointer dereference in drm_client_modeset_probe\n\nIn drm_client_modeset_probe(), the return value of drm_mode_duplicate() is\nassigned to modeset-\u003emode, which will lead to a possible NULL pointer\ndereference on failure of drm_mode_duplicate(). Add a check to avoid npd.",
"id": "GHSA-5xmq-m54x-chjm",
"modified": "2025-11-04T00:31:17Z",
"published": "2024-08-26T12:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43894"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/113fd6372a5bb3689aba8ef5b8a265ed1529a78f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/24ddda932c43ffe156c7f3c568bed85131c63ae6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5291d4f73452c91e8a11f71207617e3e234d418e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/612cae53e99ce32a58cb821b3b67199eb6e92dff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c763dfe09425152b6bb0e348900a637c62c2ce52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d64847c383100423aecb6ac5f18be5f4316d9d62"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d64fc94f7bb24fc2be0d6bd5df8df926da461a6d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XPJ-2FFV-FR89
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27In libwpd 0.10.2, there is a NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp that will lead to a denial of service attack. This is related to WPXTable.h.
{
"affected": [],
"aliases": [
"CVE-2018-19208"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-12T19:29:00Z",
"severity": "MODERATE"
},
"details": "In libwpd 0.10.2, there is a NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp that will lead to a denial of service attack. This is related to WPXTable.h.",
"id": "GHSA-5xpj-2ffv-fr89",
"modified": "2022-05-13T01:27:21Z",
"published": "2022-05-13T01:27:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19208"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2126"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1643752"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XX2-HRC4-GFQ8
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-03-21 03:33An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).
{
"affected": [],
"aliases": [
"CVE-2019-12381"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-28T03:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).",
"id": "GHSA-5xx2-hrc4-gfq8",
"modified": "2024-03-21T03:33:40Z",
"published": "2022-05-24T16:46:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12381"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1715501"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=425aa0e1d01513437668fa3d4a971168bbaa8515"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J36BIJTKEPUOZKJNHQBUZA47RQONUKOI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLGWJKLMTBBB53D5QLS4HOY2EH246WBE"
},
{
"type": "WEB",
"url": "https://lkml.org/lkml/2019/5/25/230"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108473"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6246-V5X4-R68F
Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31In the Linux kernel, the following vulnerability has been resolved:
ice: always check VF VSI pointer values
The ice_get_vf_vsi function can return NULL in some cases, such as if handling messages during a reset where the VSI is being removed and recreated.
Several places throughout the driver do not bother to check whether this VSI pointer is valid. Static analysis tools maybe report issues because they detect paths where a potentially NULL pointer could be dereferenced.
Fix this by checking the return value of ice_get_vf_vsi everywhere.
{
"affected": [],
"aliases": [
"CVE-2022-49516"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: always check VF VSI pointer values\n\nThe ice_get_vf_vsi function can return NULL in some cases, such as if\nhandling messages during a reset where the VSI is being removed and\nrecreated.\n\nSeveral places throughout the driver do not bother to check whether this\nVSI pointer is valid. Static analysis tools maybe report issues because\nthey detect paths where a potentially NULL pointer could be dereferenced.\n\nFix this by checking the return value of ice_get_vf_vsi everywhere.",
"id": "GHSA-6246-v5x4-r68f",
"modified": "2025-03-17T18:31:51Z",
"published": "2025-03-17T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49516"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/baeb705fd6a7245cc1fa69ed991a9cffdf44a174"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7be3877589d539c52e5d1d23a625f889b541b9d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6255-H7JQ-7XCH
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31In the Linux kernel, the following vulnerability has been resolved:
ASoC: sma1307: Add NULL check in sma1307_setting_loaded()
All varibale allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added.
This issue is found by our static analysis tool
{
"affected": [],
"aliases": [
"CVE-2025-38070"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T10:15:40Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: sma1307: Add NULL check in sma1307_setting_loaded()\n\nAll varibale allocated by kzalloc and devm_kzalloc could be NULL.\nMultiple pointer checks and their cleanup are added.\n\nThis issue is found by our static analysis tool",
"id": "GHSA-6255-h7jq-7xch",
"modified": "2025-11-14T18:31:22Z",
"published": "2025-06-18T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38070"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ec6bd16705fe21d6429d6b8f7981eae2142bba8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6259-V4Q8-GHQ3
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-13 21:31In the Linux kernel, the following vulnerability has been resolved:
net: dsa: mv88e6060: prevent crash on an unused port
If the port isn't a CPU port nor a user port, 'cpu_dp' is a null pointer and a crash happened on dereferencing it in mv88e6060_setup_port():
[ 9.575872] Unable to handle kernel NULL pointer dereference at virtual address 00000014 ... [ 9.942216] mv88e6060_setup from dsa_register_switch+0x814/0xe84 [ 9.948616] dsa_register_switch from mdio_probe+0x2c/0x54 [ 9.954433] mdio_probe from really_probe.part.0+0x98/0x2a0 [ 9.960375] really_probe.part.0 from driver_probe_device+0x30/0x10c [ 9.967029] driver_probe_device from __device_attach_driver+0xb8/0x13c [ 9.973946] __device_attach_driver from bus_for_each_drv+0x90/0xe0 [ 9.980509] bus_for_each_drv from __device_attach+0x110/0x184 [ 9.986632] __device_attach from bus_probe_device+0x8c/0x94 [ 9.992577] bus_probe_device from deferred_probe_work_func+0x78/0xa8 [ 9.999311] deferred_probe_work_func from process_one_work+0x290/0x73c [ 10.006292] process_one_work from worker_thread+0x30/0x4b8 [ 10.012155] worker_thread from kthread+0xd4/0x10c [ 10.017238] kthread from ret_from_fork+0x14/0x3c
{
"affected": [],
"aliases": [
"CVE-2022-50047"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6060: prevent crash on an unused port\n\nIf the port isn\u0027t a CPU port nor a user port, \u0027cpu_dp\u0027\nis a null pointer and a crash happened on dereferencing\nit in mv88e6060_setup_port():\n\n[ 9.575872] Unable to handle kernel NULL pointer dereference at virtual address 00000014\n...\n[ 9.942216] mv88e6060_setup from dsa_register_switch+0x814/0xe84\n[ 9.948616] dsa_register_switch from mdio_probe+0x2c/0x54\n[ 9.954433] mdio_probe from really_probe.part.0+0x98/0x2a0\n[ 9.960375] really_probe.part.0 from driver_probe_device+0x30/0x10c\n[ 9.967029] driver_probe_device from __device_attach_driver+0xb8/0x13c\n[ 9.973946] __device_attach_driver from bus_for_each_drv+0x90/0xe0\n[ 9.980509] bus_for_each_drv from __device_attach+0x110/0x184\n[ 9.986632] __device_attach from bus_probe_device+0x8c/0x94\n[ 9.992577] bus_probe_device from deferred_probe_work_func+0x78/0xa8\n[ 9.999311] deferred_probe_work_func from process_one_work+0x290/0x73c\n[ 10.006292] process_one_work from worker_thread+0x30/0x4b8\n[ 10.012155] worker_thread from kthread+0xd4/0x10c\n[ 10.017238] kthread from ret_from_fork+0x14/0x3c",
"id": "GHSA-6259-v4q8-ghq3",
"modified": "2025-11-13T21:31:18Z",
"published": "2025-06-18T12:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50047"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/246bbf2f977ea36aaf41f5d24370fef433250728"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/92dc64e8f591425ce4dabf7d479ebf6e67fb8853"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb1753bc689c7a7f94da6eee7efc1ae6d8abb36c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd236b62d25e44ecfa26b0910a12f8d8251aff00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3a4b55829617cad2d36fa6524367ef629566ba6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-627X-567F-X2PF
Vulnerability from github – Published: 2024-03-18 12:30 – Updated: 2025-03-03 18:31In the Linux kernel, the following vulnerability has been resolved:
block: Fix iterating over an empty bio with bio_for_each_folio_all
If the bio contains no data, bio_first_folio() calls page_folio() on a NULL pointer and oopses. Move the test that we've reached the end of the bio from bio_next_folio() to bio_first_folio().
[axboe: add unlikely() to error case]
{
"affected": [],
"aliases": [
"CVE-2024-26632"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T11:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix iterating over an empty bio with bio_for_each_folio_all\n\nIf the bio contains no data, bio_first_folio() calls page_folio() on a\nNULL pointer and oopses. Move the test that we\u0027ve reached the end of\nthe bio from bio_next_folio() to bio_first_folio().\n\n[axboe: add unlikely() to error case]",
"id": "GHSA-627x-567f-x2pf",
"modified": "2025-03-03T18:31:20Z",
"published": "2024-03-18T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26632"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6bd8182137a12d22d3f2cee463271bdcb491659"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6350b5cb78e9024c49eaee6fdb914ad2903a5fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca3ede3f5893e2d26d4dbdef1eec28a8487fafde"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62CC-P492-PJH2
Vulnerability from github – Published: 2025-09-23 15:31 – Updated: 2025-09-23 15:31In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Implement ref count for SRB
The timeout handler and the done function are racing. When qla2x00_async_iocb_timeout() starts to run it can be preempted by the normal response path (via the firmware?). qla24xx_async_gpsc_sp_done() releases the SRB unconditionally. When scheduling back to qla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed sp->qpair pointer:
qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21. qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21 qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400. qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx]
Obvious solution to this is to introduce a reference counter. One reference is taken for the normal code path (the 'good' case) and one for the timeout path. As we always race between the normal good case and the timeout/abort handler we need to serialize it. Also we cannot assume any order between the handlers. Since this is slow path we can use proper synchronization via locks.
When we are able to cancel a timer (del_timer returns 1) we know there can't be any error handling in progress because the timeout handler hasn't expired yet, thus we can safely decrement the refcounter by one.
If we are not able to cancel the timer, we know an abort handler is running. We have to make sure we call sp->done() in the abort handlers before calling kref_put().
{
"affected": [],
"aliases": [
"CVE-2022-49159"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Implement ref count for SRB\n\nThe timeout handler and the done function are racing. When\nqla2x00_async_iocb_timeout() starts to run it can be preempted by the\nnormal response path (via the firmware?). qla24xx_async_gpsc_sp_done()\nreleases the SRB unconditionally. When scheduling back to\nqla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed\nsp-\u003eqpair pointer:\n\n qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21.\n qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21\n qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400.\n qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000004\n IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx]\n\nObvious solution to this is to introduce a reference counter. One reference\nis taken for the normal code path (the \u0027good\u0027 case) and one for the timeout\npath. As we always race between the normal good case and the timeout/abort\nhandler we need to serialize it. Also we cannot assume any order between\nthe handlers. Since this is slow path we can use proper synchronization via\nlocks.\n\nWhen we are able to cancel a timer (del_timer returns 1) we know there\ncan\u0027t be any error handling in progress because the timeout handler hasn\u0027t\nexpired yet, thus we can safely decrement the refcounter by one.\n\nIf we are not able to cancel the timer, we know an abort handler is\nrunning. We have to make sure we call sp-\u003edone() in the abort handlers\nbefore calling kref_put().",
"id": "GHSA-62cc-p492-pjh2",
"modified": "2025-09-23T15:31:07Z",
"published": "2025-09-23T15:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49159"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31e6cdbe0eae37badceb5e0d4f06cf051432fd77"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ceda7f794f3dfe272491e93e3e93049f8be5f07b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e140723f78ff418c8df7d990e102e07b65c87d4a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e17111dd2fda81c35f309b1e5b6ab35809a375e7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.