CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-6723-4J9M-72QG
Vulnerability from github – Published: 2022-05-14 01:41 – Updated: 2025-04-20 03:35The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.
{
"affected": [],
"aliases": [
"CVE-2017-2647"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-31T04:59:00Z",
"severity": "HIGH"
},
"details": "The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c.",
"id": "GHSA-6723-4j9m-72qg",
"modified": "2025-04-20T03:35:04Z",
"published": "2022-05-14T01:41:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2647"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2077"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2437"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2444"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:3548"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:3836"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-2647"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428353"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3849-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3849-2"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-673Q-8HC3-P8QM
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 15:32A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later
{
"affected": [],
"aliases": [
"CVE-2025-54148"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:54Z",
"severity": "LOW"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.4 ( 2026/01/20 ) and later",
"id": "GHSA-673q-8hc3-p8qm",
"modified": "2026-02-12T15:32:42Z",
"published": "2026-02-11T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54148"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6743-FX46-J8W6
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2020-13900"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-10T22:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in janus-gateway (aka Janus WebRTC Server) through 0.10.0. janus_sdp_preparse in sdp.c has a NULL pointer dereference.",
"id": "GHSA-6743-fx46-j8w6",
"modified": "2022-05-24T17:20:22Z",
"published": "2022-05-24T17:20:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13900"
},
{
"type": "WEB",
"url": "https://github.com/meetecho/janus-gateway/pull/2214"
},
{
"type": "WEB",
"url": "https://github.com/meetecho/janus-gateway/blob/v0.10.0/sdp.c#L64"
},
{
"type": "WEB",
"url": "https://github.com/meetecho/janus-gateway/blob/v0.10.0/sdp.c#L74"
},
{
"type": "WEB",
"url": "https://github.com/merrychap/CVEs/tree/master/CVE-2020-13900"
},
{
"type": "WEB",
"url": "https://github.com/merrychap/poc_exploits/tree/master/janus-webrtc/CVE-2020-13900"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-674V-8JWC-QM6F
Vulnerability from github – Published: 2022-05-17 02:51 – Updated: 2022-05-17 02:51ImageMagick allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted ps file.
{
"affected": [],
"aliases": [
"CVE-2014-9812"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-30T15:59:00Z",
"severity": "MODERATE"
},
"details": "ImageMagick allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted ps file.",
"id": "GHSA-674v-8jwc-qm6f",
"modified": "2022-05-17T02:51:57Z",
"published": "2022-05-17T02:51:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9812"
},
{
"type": "WEB",
"url": "https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream\u0026id=f093a3119704fd6d349a9ee32b9f71cabe7d04c8"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343468"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/12/24/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/02/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-675J-298R-VV37
Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: fix RCU usage in connect path
With lockdep enabled, calls to the connect function from cfg802.11 layer lead to the following warning:
============================= WARNING: suspicious RCU usage 6.7.0-rc1-wt+ #333 Not tainted
drivers/net/wireless/microchip/wilc1000/hif.c:386 suspicious rcu_dereference_check() usage! [...] stack backtrace: CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333 Hardware name: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x48 dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4 wilc_parse_join_bss_param from connect+0x2c4/0x648 connect from cfg80211_connect+0x30c/0xb74 cfg80211_connect from nl80211_connect+0x860/0xa94 nl80211_connect from genl_rcv_msg+0x3fc/0x59c genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8 netlink_rcv_skb from genl_rcv+0x2c/0x3c genl_rcv from netlink_unicast+0x3b0/0x550 netlink_unicast from netlink_sendmsg+0x368/0x688 netlink_sendmsg from _syssendmsg+0x190/0x430 __sys_sendmsg from syssendmsg+0x110/0x158 _sys_sendmsg from sys_sendmsg+0xe8/0x150 sys_sendmsg from ret_fast_syscall+0x0/0x1c
This warning is emitted because in the connect path, when trying to parse target BSS parameters, we dereference a RCU pointer whithout being in RCU critical section. Fix RCU dereference usage by moving it to a RCU read critical section. To avoid wrapping the whole wilc_parse_join_bss_param under the critical section, just use the critical section to copy ies data
{
"affected": [],
"aliases": [
"CVE-2024-27053"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T13:15:50Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix RCU usage in connect path\n\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\n\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\n\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference a RCU pointer whithout being in RCU\ncritical section.\nFix RCU dereference usage by moving it to a RCU read critical section. To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data",
"id": "GHSA-675j-298r-vv37",
"modified": "2026-05-12T12:31:44Z",
"published": "2024-05-01T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27053"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6779-G665-3PPQ
Vulnerability from github – Published: 2022-05-17 02:36 – Updated: 2022-05-17 02:36An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2016-9434"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-12T02:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-31. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page.",
"id": "GHSA-6779-g665-3ppq",
"modified": "2022-05-17T02:36:43Z",
"published": "2022-05-17T02:36:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9434"
},
{
"type": "WEB",
"url": "https://github.com/tats/w3m/issues/15"
},
{
"type": "WEB",
"url": "https://github.com/tats/w3m/blob/master/ChangeLog"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-08"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6779-V6GP-JMXV
Vulnerability from github – Published: 2024-12-28 12:30 – Updated: 2025-01-08 18:30In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix the memory allocation issue in amdgpu_discovery_get_nps_info()
Fix two issues with memory allocation in amdgpu_discovery_get_nps_info() for mem_ranges:
-
Add a check for allocation failure to avoid dereferencing a null pointer.
-
As suggested by Christophe, use kvcalloc() for memory allocation, which checks for multiplication overflow.
Additionally, assign the output parameters nps_type and range_cnt after the kvcalloc() call to prevent modifying the output parameters in case of an error return.
{
"affected": [],
"aliases": [
"CVE-2024-56697"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-28T10:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the memory allocation issue in amdgpu_discovery_get_nps_info()\n\nFix two issues with memory allocation in amdgpu_discovery_get_nps_info()\nfor mem_ranges:\n\n - Add a check for allocation failure to avoid dereferencing a null\n pointer.\n\n - As suggested by Christophe, use kvcalloc() for memory allocation,\n which checks for multiplication overflow.\n\nAdditionally, assign the output parameters nps_type and range_cnt after\nthe kvcalloc() call to prevent modifying the output parameters in case\nof an error return.",
"id": "GHSA-6779-v6gp-jmxv",
"modified": "2025-01-08T18:30:48Z",
"published": "2024-12-28T12:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56697"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a1144da794adedb9447437c57d69add56494309d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d14bea4e094871226ea69772d69dab8b7b5f4915"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e8f1dbaa0437eba4e8c1d6a6d81eca2e2ce3d197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-677C-PQCW-QH84
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-11-01 15:31In the Linux kernel, the following vulnerability has been resolved:
mptcp: clear 'kern' flag from fallback sockets
The mptcp ULP extension relies on sk->sk_sock_kern being set correctly: It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from working for plain tcp sockets (any userspace-exposed socket).
But in case of fallback, accept() can return a plain tcp sk. In such case, sk is still tagged as 'kernel' and setsockopt will work.
This will crash the kernel, The subflow extension has a NULL ctx->conn mptcp socket:
BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0 Call Trace: tcp_data_ready+0xf8/0x370 [..]
{
"affected": [],
"aliases": [
"CVE-2021-47593"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T15:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: clear \u0027kern\u0027 flag from fallback sockets\n\nThe mptcp ULP extension relies on sk-\u003esk_sock_kern being set correctly:\nIt prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, \"mptcp\", 6); from\nworking for plain tcp sockets (any userspace-exposed socket).\n\nBut in case of fallback, accept() can return a plain tcp sk.\nIn such case, sk is still tagged as \u0027kernel\u0027 and setsockopt will work.\n\nThis will crash the kernel, The subflow extension has a NULL ctx-\u003econn\nmptcp socket:\n\nBUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0\nCall Trace:\n tcp_data_ready+0xf8/0x370\n [..]",
"id": "GHSA-677c-pqcw-qh84",
"modified": "2024-11-01T15:31:45Z",
"published": "2024-06-19T15:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47593"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/451f1eded7f56e93aaf52eb547ba97742d9c0e97"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c26ac0ea3a91c210cf90452e625dc441adf3e549"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6692b3b97bdc165d150f4c1505751a323a80717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-677F-C75X-79M2
Vulnerability from github – Published: 2025-05-26 15:30 – Updated: 2025-12-16 21:30In the Linux kernel, the following vulnerability has been resolved:
net_sched: Flush gso_skb list too during ->change()
Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen.
This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.
{
"affected": [],
"aliases": [
"CVE-2025-37992"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T15:15:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Flush gso_skb list too during -\u003echange()\n\nPreviously, when reducing a qdisc\u0027s limit via the -\u003echange() operation, only\nthe main skb queue was trimmed, potentially leaving packets in the gso_skb\nlist. This could result in NULL pointer dereference when we only check\nsch-\u003elimit against sch-\u003eq.qlen.\n\nThis patch introduces a new helper, qdisc_dequeue_internal(), which ensures\nboth the gso_skb list and the main queue are properly flushed when trimming\nexcess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)\nare updated to use this helper in their -\u003echange() routines.",
"id": "GHSA-677f-c75x-79m2",
"modified": "2025-12-16T21:30:49Z",
"published": "2025-05-26T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37992"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-677F-PP67-87JC
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2025-04-11 04:07The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request.
{
"affected": [],
"aliases": [
"CVE-2012-1016"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-03-05T04:54:00Z",
"severity": "MODERATE"
},
"details": "The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request.",
"id": "GHSA-677f-pp67-87jc",
"modified": "2025-04-11T04:07:58Z",
"published": "2022-05-13T01:11:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1016"
},
{
"type": "WEB",
"url": "https://github.com/krb5/krb5/commit/db64ca25d661a47b996b4e2645998b5d7f0eb52c"
},
{
"type": "WEB",
"url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=7527"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/55040"
},
{
"type": "WEB",
"url": "http://web.mit.edu/kerberos/www/krb5-1.10"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.