Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-68JG-6V9H-662H

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-19 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't clobber irqfd routing type when deassigning irqfd

When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent routing update, verify that the irqfd is still active before consuming the routing information. As evidenced by the x86 and arm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below), clobbering the entry type without notifying arch code is surprising and error prone.

As a bonus, checking that the irqfd is active provides a convenient location for documenting why KVM must not consume the routing entry for an irqfd that is in the process of being deassigned: once the irqfd is deleted from the list (which happens before the eventfd is detached), it will no longer receive updates via kvm_irq_routing_update(), and so KVM could deliver an event using stale routing information (relative to KVM_SET_GSI_ROUTING returning to userspace).

As an even better bonus, explicitly checking for the irqfd being active fixes a similar bug to the one the clobbering is trying to prevent: if an irqfd is deactivated, and then its routing is changed, kvm_irq_routing_update() won't invoke kvm_arch_update_irqfd_routing() (because the irqfd isn't in the list). And so if the irqfd is in bypass mode, IRQs will continue to be posted using the old routing information.

As for kvm_arch_irq_bypass_del_producer(), clobbering the routing type results in KVM incorrectly keeping the IRQ in bypass mode, which is especially problematic on AMD as KVM tracks IRQs that are being posted to a vCPU in a list whose lifetime is tied to the irqfd.

Without the help of KASAN to detect use-after-free, the most common sympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to the memory for irqfd structure being re-allocated and zeroed, resulting in irqfd->irq_bypass_data being NULL when read by avic_update_iommu_vcpu_affinity():

BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--5dddc257e6b2-irqfd #31 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:amd_iommu_update_ga+0x19/0xe0 Call Trace: avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd] __avic_vcpu_load+0xf4/0x130 [kvm_amd] kvm_arch_vcpu_load+0x89/0x210 [kvm] vcpu_load+0x30/0x40 [kvm] kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm] kvm_vcpu_ioctl+0x571/0x6a0 [kvm] __se_sys_ioctl+0x6d/0xb0 do_syscall_64+0x6f/0x9d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x46893b ---[ end trace 0000000000000000 ]---

If AVIC is inhibited when the irfd is deassigned, the bug will manifest as list corruption, e.g. on the next irqfd assignment.

list_add corruption. next->prev should be prev (ffff8d474d5cd588), but was 0000000000000000. (next=ffff8d8658f86530). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:31! Oops: invalid opcode: 0000 [#1] SMP CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test Tainted: G U W O 6.19.0-smp--f19dc4d680ba-irqfd #28 NONE Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:__list_add_valid_or_report+0x97/0xc0 Call Trace: avic_pi_update_irte+0x28e/0x2b0 [kvm_amd] kvm_pi_update_irte+0xbf/0x190 [kvm] kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm] irq_bypass_register_consumer+0xcd/0x170 [irqbypa ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T17:15:57Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t clobber irqfd routing type when deassigning irqfd\n\nWhen deassigning a KVM_IRQFD, don\u0027t clobber the irqfd\u0027s copy of the IRQ\u0027s\nrouting entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86\nand arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.  Instead, to\nhandle a concurrent routing update, verify that the irqfd is still active\nbefore consuming the routing information.  As evidenced by the x86 and\narm64 bugs, and another bug in kvm_arch_update_irqfd_routing() (see below),\nclobbering the entry type without notifying arch code is surprising and\nerror prone.\n\nAs a bonus, checking that the irqfd is active provides a convenient\nlocation for documenting _why_ KVM must not consume the routing entry for\nan irqfd that is in the process of being deassigned: once the irqfd is\ndeleted from the list (which happens *before* the eventfd is detached), it\nwill no longer receive updates via kvm_irq_routing_update(), and so KVM\ncould deliver an event using stale routing information (relative to\nKVM_SET_GSI_ROUTING returning to userspace).\n\nAs an even better bonus, explicitly checking for the irqfd being active\nfixes a similar bug to the one the clobbering is trying to prevent: if an\nirqfd is deactivated, and then its routing is changed,\nkvm_irq_routing_update() won\u0027t invoke kvm_arch_update_irqfd_routing()\n(because the irqfd isn\u0027t in the list).  And so if the irqfd is in bypass\nmode, IRQs will continue to be posted using the old routing information.\n\nAs for kvm_arch_irq_bypass_del_producer(), clobbering the routing type\nresults in KVM incorrectly keeping the IRQ in bypass mode, which is\nespecially problematic on AMD as KVM tracks IRQs that are being posted to\na vCPU in a list whose lifetime is tied to the irqfd.\n\nWithout the help of KASAN to detect use-after-free, the most common\nsympton on AMD is a NULL pointer deref in amd_iommu_update_ga() due to\nthe memory for irqfd structure being re-allocated and zeroed, resulting\nin irqfd-\u003eirq_bypass_data being NULL when read by\navic_update_iommu_vcpu_affinity():\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 40cf2b9067 P4D 40cf2b9067 PUD 408362a067 PMD 0\n  Oops: Oops: 0000 [#1] SMP\n  CPU: 6 UID: 0 PID: 40383 Comm: vfio_irq_test\n  Tainted: G     U  W  O        6.19.0-smp--5dddc257e6b2-irqfd #31 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n  RIP: 0010:amd_iommu_update_ga+0x19/0xe0\n  Call Trace:\n   \u003cTASK\u003e\n   avic_update_iommu_vcpu_affinity+0x3d/0x90 [kvm_amd]\n   __avic_vcpu_load+0xf4/0x130 [kvm_amd]\n   kvm_arch_vcpu_load+0x89/0x210 [kvm]\n   vcpu_load+0x30/0x40 [kvm]\n   kvm_arch_vcpu_ioctl_run+0x45/0x620 [kvm]\n   kvm_vcpu_ioctl+0x571/0x6a0 [kvm]\n   __se_sys_ioctl+0x6d/0xb0\n   do_syscall_64+0x6f/0x9d0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x46893b\n    \u003c/TASK\u003e\n  ---[ end trace 0000000000000000 ]---\n\nIf AVIC is inhibited when the irfd is deassigned, the bug will manifest as\nlist corruption, e.g. on the next irqfd assignment.\n\n  list_add corruption. next-\u003eprev should be prev (ffff8d474d5cd588),\n                       but was 0000000000000000. (next=ffff8d8658f86530).\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:31!\n  Oops: invalid opcode: 0000 [#1] SMP\n  CPU: 128 UID: 0 PID: 80818 Comm: vfio_irq_test\n  Tainted: G     U  W  O        6.19.0-smp--f19dc4d680ba-irqfd #28 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025\n  RIP: 0010:__list_add_valid_or_report+0x97/0xc0\n  Call Trace:\n   \u003cTASK\u003e\n   avic_pi_update_irte+0x28e/0x2b0 [kvm_amd]\n   kvm_pi_update_irte+0xbf/0x190 [kvm]\n   kvm_arch_irq_bypass_add_producer+0x72/0x90 [kvm]\n   irq_bypass_register_consumer+0xcd/0x170 [irqbypa\n---truncated---",
  "id": "GHSA-68jg-6v9h-662h",
  "modified": "2026-03-19T18:31:14Z",
  "published": "2026-02-14T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23198"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2284bc168b148a17b5ca3b37b3d95c411f18a08d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4385b2f2843549bfb932e0dcf76bf4b065543a3c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d14ba1e144e796b5fc81044f08cfba9024ca195"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/959a063e7f12524bc1871ad1f519787967bbcd45"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4d37cdb77a0015f51fee083598fa227cc07aaf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b61f9b2fcf181451d0a319889478cc53c001123e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff48c9312d042bfbe826ca675e98acc6c623211c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68M6-X9CQ-FJWX

Vulnerability from github – Published: 2024-03-03 00:30 – Updated: 2024-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: 8250_port: Check IRQ data before use

In case the leaf driver wants to use IRQ polling (irq = 0) and IIR register shows that an interrupt happened in the 8250 hardware the IRQ data can be NULL. In such a case we need to skip the wake event as we came to this path from the timer interrupt and quite likely system is already awake.

Without this fix we have got an Oops:

serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A
...
BUG: kernel NULL pointer dereference, address: 0000000000000010
RIP: 0010:serial8250_handle_irq+0x7c/0x240
Call Trace:
 ? serial8250_handle_irq+0x7c/0x240
 ? __pfx_serial8250_timeout+0x10/0x10
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-02T22:15:49Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_port: Check IRQ data before use\n\nIn case the leaf driver wants to use IRQ polling (irq = 0) and\nIIR register shows that an interrupt happened in the 8250 hardware\nthe IRQ data can be NULL. In such a case we need to skip the wake\nevent as we came to this path from the timer interrupt and quite\nlikely system is already awake.\n\nWithout this fix we have got an Oops:\n\n    serial8250: ttyS0 at I/O 0x3f8 (irq = 0, base_baud = 115200) is a 16550A\n    ...\n    BUG: kernel NULL pointer dereference, address: 0000000000000010\n    RIP: 0010:serial8250_handle_irq+0x7c/0x240\n    Call Trace:\n     ? serial8250_handle_irq+0x7c/0x240\n     ? __pfx_serial8250_timeout+0x10/0x10",
  "id": "GHSA-68m6-x9cq-fjwx",
  "modified": "2024-12-11T18:30:36Z",
  "published": "2024-03-03T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52567"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b837f13a818f96304736453ac53b66a70aaa4f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3345cc5f02f1fb4c4dcb114706f2210d879ab933"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf3c728e3692cc6d998874f0f27d433117348742"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c334650150c29234b0923476f51573ae1b2f252a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cce7fc8b29961b64fadb1ce398dc5ff32a79643b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e14afa4450cb7e4cf93e993a765801203d41d014"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e14f68a48fd445a083ac0750fafcb064df5f18f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee5732caaffba3a37e753fdb89b4958db9a61847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68VM-3R5X-QQ59

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

leds: class: Protect brightness_show() with led_cdev->led_access mutex

There is NULL pointer issue observed if from Process A where hid device being added which results in adding a led_cdev addition and later a another call to access of led_cdev attribute from Process B can result in NULL pointer issue.

Use mutex led_cdev->led_access to protect access to led->cdev and its attribute inside brightness_show() and max_brightness_show() and also update the comment for mutex that it should be used to protect the led class device fields.

Process A               Process B

kthread+0x114 worker_thread+0x244 process_scheduled_works+0x248 uhid_device_add_worker+0x24 hid_add_device+0x120 device_add+0x268 bus_probe_device+0x94 device_initial_probe+0x14 __device_attach+0xfc bus_for_each_drv+0x10c __device_attach_driver+0x14c driver_probe_device+0x3c __driver_probe_device+0xa0 really_probe+0x190 hid_device_probe+0x130 ps_probe+0x990 ps_led_register+0x94 devm_led_classdev_register_ext+0x58 led_classdev_register_ext+0x1f8 device_create_with_groups+0x48 device_create_groups_vargs+0xc8 device_add+0x244 kobject_uevent+0x14 kobject_uevent_env[jt]+0x224 mutex_unlock[jt]+0xc4 __mutex_unlock_slowpath+0xd4 wake_up_q+0x70 try_to_wake_up[jt]+0x48c preempt_schedule_common+0x28 __schedule+0x628 __switch_to+0x174 el0t_64_sync+0x1a8/0x1ac el0t_64_sync_handler+0x68/0xbc el0_svc+0x38/0x68 do_el0_svc+0x1c/0x28 el0_svc_common+0x80/0xe0 invoke_syscall+0x58/0x114 __arm64_sys_read+0x1c/0x2c ksys_read+0x78/0xe8 vfs_read+0x1e0/0x2c8 kernfs_fop_read_iter+0x68/0x1b4 seq_read_iter+0x158/0x4ec kernfs_seq_show+0x44/0x54 sysfs_kf_seq_show+0xb4/0x130 dev_attr_show+0x38/0x74 brightness_show+0x20/0x4c dualshock4_led_get_brightness+0xc/0x74

[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 [ 3313.874301][ T4013] Mem abort info: [ 3313.874303][ T4013] ESR = 0x0000000096000006 [ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits [ 3313.874307][ T4013] SET = 0, FnV = 0 [ 3313.874309][ T4013] EA = 0, S1PTW = 0 [ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault [ 3313.874313][ T4013] Data abort info: [ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000 ..

[ 3313.874332][ T4013] Dumping ftrace buffer: [ 3313.874334][ T4013] (ftrace buffer empty) .. .. [ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader [ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74 [ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60 [ 3313.874656][ T4013] sp : ffffffc0b910bbd0 .. .. [ 3313.874685][ T4013] Call trace: [ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74 [ 3313.874690][ T4013] brightness_show+0x20/0x4c [ 3313.874692][ T4013] dev_attr_show+0x38/0x74 [ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130 [ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54 [ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec [ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4 [ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8 [ 3313.874711][ T4013] ksys_read+0x78/0xe8 [ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c [ 3313.874718][ T4013] invoke_syscall+0x58/0x114 [ 3313.874721][ T4013] el0_svc_common+0x80/0xe0 [ 3313.874724][ T4013] do_el0_svc+0x1c/0x28 [ 3313.874727][ T4013] el0_svc+0x38/0x68 [ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc [ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: class: Protect brightness_show() with led_cdev-\u003eled_access mutex\n\nThere is NULL pointer issue observed if from Process A where hid device\nbeing added which results in adding a led_cdev addition and later a\nanother call to access of led_cdev attribute from Process B can result\nin NULL pointer issue.\n\nUse mutex led_cdev-\u003eled_access to protect access to led-\u003ecdev and its\nattribute inside brightness_show() and max_brightness_show() and also\nupdate the comment for mutex that it should be used to protect the led\nclass device fields.\n\n\tProcess A \t\t\t\tProcess B\n\n kthread+0x114\n worker_thread+0x244\n process_scheduled_works+0x248\n uhid_device_add_worker+0x24\n hid_add_device+0x120\n device_add+0x268\n bus_probe_device+0x94\n device_initial_probe+0x14\n __device_attach+0xfc\n bus_for_each_drv+0x10c\n __device_attach_driver+0x14c\n driver_probe_device+0x3c\n __driver_probe_device+0xa0\n really_probe+0x190\n hid_device_probe+0x130\n ps_probe+0x990\n ps_led_register+0x94\n devm_led_classdev_register_ext+0x58\n led_classdev_register_ext+0x1f8\n device_create_with_groups+0x48\n device_create_groups_vargs+0xc8\n device_add+0x244\n kobject_uevent+0x14\n kobject_uevent_env[jt]+0x224\n mutex_unlock[jt]+0xc4\n __mutex_unlock_slowpath+0xd4\n wake_up_q+0x70\n try_to_wake_up[jt]+0x48c\n preempt_schedule_common+0x28\n __schedule+0x628\n __switch_to+0x174\n\t\t\t\t\t\tel0t_64_sync+0x1a8/0x1ac\n\t\t\t\t\t\tel0t_64_sync_handler+0x68/0xbc\n\t\t\t\t\t\tel0_svc+0x38/0x68\n\t\t\t\t\t\tdo_el0_svc+0x1c/0x28\n\t\t\t\t\t\tel0_svc_common+0x80/0xe0\n\t\t\t\t\t\tinvoke_syscall+0x58/0x114\n\t\t\t\t\t\t__arm64_sys_read+0x1c/0x2c\n\t\t\t\t\t\tksys_read+0x78/0xe8\n\t\t\t\t\t\tvfs_read+0x1e0/0x2c8\n\t\t\t\t\t\tkernfs_fop_read_iter+0x68/0x1b4\n\t\t\t\t\t\tseq_read_iter+0x158/0x4ec\n\t\t\t\t\t\tkernfs_seq_show+0x44/0x54\n\t\t\t\t\t\tsysfs_kf_seq_show+0xb4/0x130\n\t\t\t\t\t\tdev_attr_show+0x38/0x74\n\t\t\t\t\t\tbrightness_show+0x20/0x4c\n\t\t\t\t\t\tdualshock4_led_get_brightness+0xc/0x74\n\n[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[ 3313.874301][ T4013] Mem abort info:\n[ 3313.874303][ T4013]   ESR = 0x0000000096000006\n[ 3313.874305][ T4013]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 3313.874307][ T4013]   SET = 0, FnV = 0\n[ 3313.874309][ T4013]   EA = 0, S1PTW = 0\n[ 3313.874311][ T4013]   FSC = 0x06: level 2 translation fault\n[ 3313.874313][ T4013] Data abort info:\n[ 3313.874314][ T4013]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[ 3313.874316][ T4013]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 3313.874318][ T4013]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000\n..\n\n[ 3313.874332][ T4013] Dumping ftrace buffer:\n[ 3313.874334][ T4013]    (ftrace buffer empty)\n..\n..\n[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader\n[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74\n[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60\n[ 3313.874656][ T4013] sp : ffffffc0b910bbd0\n..\n..\n[ 3313.874685][ T4013] Call trace:\n[ 3313.874687][ T4013]  dualshock4_led_get_brightness+0xc/0x74\n[ 3313.874690][ T4013]  brightness_show+0x20/0x4c\n[ 3313.874692][ T4013]  dev_attr_show+0x38/0x74\n[ 3313.874696][ T4013]  sysfs_kf_seq_show+0xb4/0x130\n[ 3313.874700][ T4013]  kernfs_seq_show+0x44/0x54\n[ 3313.874703][ T4013]  seq_read_iter+0x158/0x4ec\n[ 3313.874705][ T4013]  kernfs_fop_read_iter+0x68/0x1b4\n[ 3313.874708][ T4013]  vfs_read+0x1e0/0x2c8\n[ 3313.874711][ T4013]  ksys_read+0x78/0xe8\n[ 3313.874714][ T4013]  __arm64_sys_read+0x1c/0x2c\n[ 3313.874718][ T4013]  invoke_syscall+0x58/0x114\n[ 3313.874721][ T4013]  el0_svc_common+0x80/0xe0\n[ 3313.874724][ T4013]  do_el0_svc+0x1c/0x28\n[ 3313.874727][ T4013]  el0_svc+0x38/0x68\n[ 3313.874730][ T4013]  el0t_64_sync_handler+0x68/0xbc\n[ 3313.874732][ T4013]  el0t_64_sync+0x1a8/0x1ac",
  "id": "GHSA-68vm-3r5x-qq59",
  "modified": "2025-11-03T21:31:52Z",
  "published": "2024-12-27T15:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56587"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ca7cd938725a4050dcd62ae9472e931d603118d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50d9f68e4adf86901cbab1bd5b91f710aa9141b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84b42d5b5fcd767c9b7f30b0b32065ed949fe804"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8283d52ed15c02bb2eb9b1b8644dcc34f8e98f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bb4a6236a430cfc3713f470f3a969f39d6d4ca25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddcfc5708da9972ac23a9121b3d819b0a53d6f21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6d6fb563e4be245a17bc4261a4b294e8bf8a31e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68WM-7F94-VQ2H

Vulnerability from github – Published: 2022-05-14 03:31 – Updated: 2022-05-14 03:31
VLAI
Details

A NULL pointer dereference bug in the function ObReferenceObjectByHandle in the Kingsoft Internet Security 9+ kernel driver KWatch3.sys allows local non-privileged users to crash the system via IOCTL 0x80030030.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-30T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference bug in the function ObReferenceObjectByHandle in the Kingsoft Internet Security 9+ kernel driver KWatch3.sys allows local non-privileged users to crash the system via IOCTL 0x80030030.",
  "id": "GHSA-68wm-7f94-vq2h",
  "modified": "2022-05-14T03:31:04Z",
  "published": "2022-05-14T03:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9151"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Mar/78"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68WQ-8VPF-V9V8

Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2026-05-12 12:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.

syzbot reported:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 RSP: 0018:ffffc90000117378 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline] xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline] xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline] xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-12T13:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()\n\nip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.\n\nsyzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: wg-kex-wg1 wg_packet_handshake_send_worker\n RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64\nCode: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00\nRSP: 0018:ffffc90000117378 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7\nRDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98\nRBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000\nR10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]\n  xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]\n  xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541\n  xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835\n  xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]\n  xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201\n  xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]\n  xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309\n  ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256\n  send6+0x611/0xd20 drivers/net/wireguard/socket.c:139\n  wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178\n  wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200\n  wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40\n  wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51\n  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n  process_scheduled_works kernel/workqueue.c:3312 [inline]\n  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n  kthread+0x2c1/0x3a0 kernel/kthread.c:389\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
  "id": "GHSA-68wq-8vpf-v9v8",
  "modified": "2026-05-12T12:32:02Z",
  "published": "2024-07-12T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40959"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20427b85781aca0ad072851f6907a3d4b2fed8d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/600a62b4232ac027f788c3ca395bc2333adeaacf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83c02fb2cc0afee5bb53cddf3f34f045f654ad6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f30f1f1a51d91e19f5a09236bb0b59e6a07ad08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c71761292d4d002a8eccb57b86792c4e3b3eb3c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/caf0bec84c62fb1cf6f7c9f0e8c857c87f8adbc3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d46401052c2d5614da8efea5788532f0401cb164"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f897d7171652fcfc76d042bfec798b010ee89e41"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68XV-2P42-WM3Q

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

The cifs_close function in fs/cifs/file.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact by setting the O_DIRECT flag during an attempt to open a file on a CIFS filesystem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-09-06T16:55:00Z",
    "severity": "HIGH"
  },
  "details": "The cifs_close function in fs/cifs/file.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact by setting the O_DIRECT flag during an attempt to open a file on a CIFS filesystem.",
  "id": "GHSA-68xv-2p42-wm3q",
  "modified": "2022-05-13T01:25:05Z",
  "published": "2022-05-13T01:25:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1771"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=703016"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7797069305d13252fd66cf722aa8f2cbeb3c95cd"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7797069305d13252fd66cf722aa8f2cbeb3c95cd"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=linux-cifs\u0026m=130204357001849\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=linux-cifs\u0026m=130204730006155\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/8367"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/05/09/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-692G-7998-J2VJ

Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tls: fix missing memory barrier in tls_init

In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.

CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

// In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2)

                               // In sock_common_setsockopt()
                               READ_ONCE(sk->sk_prot)->setsockopt()

                               // In tls_{setsockopt,getsockopt}()
                               ctx->sk_proto->setsockopt()    -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference.

To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-21T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix missing memory barrier in tls_init\n\nIn tls_init(), a write memory barrier is missing, and store-store\nreordering may cause NULL dereference in tls_{setsockopt,getsockopt}.\n\nCPU0                               CPU1\n-----                              -----\n// In tls_init()\n// In tls_ctx_create()\nctx = kzalloc()\nctx-\u003esk_proto = READ_ONCE(sk-\u003esk_prot) -(1)\n\n// In update_sk_prot()\nWRITE_ONCE(sk-\u003esk_prot, tls_prots)     -(2)\n\n                                   // In sock_common_setsockopt()\n                                   READ_ONCE(sk-\u003esk_prot)-\u003esetsockopt()\n\n                                   // In tls_{setsockopt,getsockopt}()\n                                   ctx-\u003esk_proto-\u003esetsockopt()    -(3)\n\nIn the above scenario, when (1) and (2) are reordered, (3) can observe\nthe NULL value of ctx-\u003esk_proto, causing NULL dereference.\n\nTo fix it, we rely on rcu_assign_pointer() which implies the release\nbarrier semantic. By moving rcu_assign_pointer() after ctx-\u003esk_proto is\ninitialized, we can ensure that ctx-\u003esk_proto are visible when\nchanging sk-\u003esk_prot.",
  "id": "GHSA-692g-7998-j2vj",
  "modified": "2026-05-12T12:31:56Z",
  "published": "2024-06-21T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36489"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c260a24cf1c4d30ea3646124f766ee46169280b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/335c8f1566d8e44c384d16b450a18554896d4e8b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91e61dd7a0af660408e87372d8330ceb218be302"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab67c2fd3d070a21914d0c31319d3858ab4e199c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d72e126e9a36d3d33889829df8fc90100bb0e071"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef21007a7b581c7fe64d5a10c320880a033c837b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-692M-8CMM-MGXX

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-10-30 00:31
VLAI
Details

OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in /OpenDMARC/libopendmarc/opendmarc_policy.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in /OpenDMARC/libopendmarc/opendmarc_policy.c.",
  "id": "GHSA-692m-8cmm-mgxx",
  "modified": "2024-10-30T00:31:03Z",
  "published": "2024-02-26T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25768"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6956-R7M5-CGQ5

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 15:30
VLAI
Details

A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions , 6.2 all versions and 6.0 all versions allows attacker to trigger a denial of service via a crafted http request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T14:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions , 6.2 all versions and 6.0 all versions allows attacker to trigger a denial of service via a crafted http request.",
  "id": "GHSA-6956-r7m5-cgq5",
  "modified": "2025-01-14T15:30:52Z",
  "published": "2025-01-14T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42786"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-695C-RC34-8H4V

Vulnerability from github – Published: 2026-03-24 06:31 – Updated: 2026-03-24 06:31
VLAI
Details

NULL Pointer Dereference vulnerability in taurusxin ncmdump (‎src/utils‎ modules). This vulnerability is associated with program files cJSON.Cpp‎.

This issue affects ncmdump: before 1.4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T04:17:31Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Dereference vulnerability in taurusxin ncmdump (\u200esrc/utils\u200e modules). This vulnerability is associated with program files cJSON.Cpp\u200e.\n\nThis issue affects ncmdump: before 1.4.0.",
  "id": "GHSA-695c-rc34-8h4v",
  "modified": "2026-03-24T06:31:13Z",
  "published": "2026-03-24T06:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4743"
    },
    {
      "type": "WEB",
      "url": "https://github.com/taurusxin/ncmdump/pull/52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.