Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-69H6-FPM9-FC3R

Vulnerability from github – Published: 2024-04-05 09:30 – Updated: 2024-12-20 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/platform: Create persistent IRQ handlers

The vfio-platform SET_IRQS ioctl currently allows loopback triggering of an interrupt before a signaling eventfd has been configured by the user, which thereby allows a NULL pointer dereference.

Rather than register the IRQ relative to a valid trigger, register all IRQs in a disabled state in the device open path. This allows mask operations on the IRQ to nest within the overall enable state governed by a valid eventfd signal. This decouples @masked, protected by the @locked spinlock from @trigger, protected via the @igate mutex.

In doing so, it's guaranteed that changes to @trigger cannot race the IRQ handlers because the IRQ handler is synchronously disabled before modifying the trigger, and loopback triggering of the IRQ via ioctl is safe due to serialization with trigger changes via igate.

For compatibility, request_irq() failures are maintained to be local to the SET_IRQS ioctl rather than a fatal error in the open device path. This allows, for example, a userspace driver with polling mode support to continue to work regardless of moving the request_irq() call site. This necessarily blocks all SET_IRQS access to the failed index.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-05T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path.  This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal.  This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it\u0027s guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.",
  "id": "GHSA-69h6-fpm9-fc3r",
  "modified": "2024-12-20T15:30:44Z",
  "published": "2024-04-05T09:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69JX-MJ79-459W

Vulnerability from github – Published: 2024-09-27 15:30 – Updated: 2024-10-02 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change

When disabling wifi mt7921_ipv6_addr_change() is called as a notifier. At this point mvif->phy is already NULL so we cannot use it here.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T13:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change\n\nWhen disabling wifi mt7921_ipv6_addr_change() is called as a notifier.\nAt this point mvif-\u003ephy is already NULL so we cannot use it here.",
  "id": "GHSA-69jx-mj79-459w",
  "modified": "2024-10-02T15:30:37Z",
  "published": "2024-09-27T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46860"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/479ffee68d59c599f8aed8fa2dcc8e13e7bd13c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bfee9346d8c17d928ef6da2b8bffab88fa2a553"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d92bafd4c67efb692f722d73a07412b5f88c6d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69Q2-GVV3-F7CR

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

An issue was discovered in gravity through 0.8.1. A NULL pointer dereference exists in the function ircode_add_check() located in gravity_ircode.c. It allows an attacker to cause Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in gravity through 0.8.1. A NULL pointer dereference exists in the function ircode_add_check() located in gravity_ircode.c. It allows an attacker to cause Denial of Service.",
  "id": "GHSA-69q2-gvv3-f7cr",
  "modified": "2022-05-24T19:15:13Z",
  "published": "2022-05-24T19:15:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32282"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marcobambini/gravity/issues/315"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69W2-J9PM-3JXM

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients

During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic.

This issue was identified during multi-unit warm reboot stress clycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions.

KASAN: null-ptr-deref in range [0000000000000000-0000000000000007] Workqueue: ish_fw_update_wq fw_reset_work_fn

Call Trace: ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp] ishtp_reset_handler+0x85/0x1a0 [intel_ishtp] fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:01Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients\n\nDuring a warm reset flow, the cl-\u003edevice pointer may be NULL if the\nreset occurs while clients are still being enumerated. Accessing\ncl-\u003edevice-\u003ereference_count without a NULL check leads to a kernel panic.\n\nThis issue was identified during multi-unit warm reboot stress clycles.\nAdd a defensive NULL check for cl-\u003edevice to ensure stability under\nsuch intensive testing conditions.\n\nKASAN: null-ptr-deref in range [0000000000000000-0000000000000007]\nWorkqueue: ish_fw_update_wq fw_reset_work_fn\n\nCall Trace:\n ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]\n ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]\n fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]",
  "id": "GHSA-69w2-j9pm-3jxm",
  "modified": "2026-06-25T21:31:19Z",
  "published": "2026-05-27T15:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45877"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b605e8ce60698c27a26f512968a597fd620d2e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/272dac57caa981718e7188c80c703e7bb1998054"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/56f7db581ee73af53cd512e00a6261a025bf1d58"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/feb4bcfd405282de60aba321f13a1272b30c5af4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69XP-RRPM-QMJ5

Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-03-28 21:30
VLAI
Details

A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T20:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-69xp-rrpm-qmj5",
  "modified": "2025-03-28T21:30:46Z",
  "published": "2025-03-28T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2926"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HDFGroup/hdf5/issues/5384"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.301901"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.301901"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.521246"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6C4R-CXGH-GHM9

Vulnerability from github – Published: 2025-07-04 15:31 – Updated: 2025-11-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Avoid NULL pointer dereference in v3d_job_update_stats()

The following kernel Oops was recently reported by Mesa CI:

[ 800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588 [ 800.148619] Mem abort info: [ 800.151402] ESR = 0x0000000096000005 [ 800.155141] EC = 0x25: DABT (current EL), IL = 32 bits [ 800.160444] SET = 0, FnV = 0 [ 800.163488] EA = 0, S1PTW = 0 [ 800.166619] FSC = 0x05: level 1 translation fault [ 800.171487] Data abort info: [ 800.174357] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 800.179832] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 800.184873] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 800.190176] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001014c2000 [ 800.196607] [0000000000000588] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 800.205305] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 800.211564] Modules linked in: vc4 snd_soc_hdmi_codec drm_display_helper v3d cec gpu_sched drm_dma_helper drm_shmem_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm i2c_brcmstb snd_timer snd backlight [ 800.234448] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 800.244182] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 800.250005] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 800.256959] pc : v3d_job_update_stats+0x60/0x130 [v3d] [ 800.262112] lr : v3d_job_update_stats+0x48/0x130 [v3d] [ 800.267251] sp : ffffffc080003e60 [ 800.270555] x29: ffffffc080003e60 x28: ffffffd842784980 x27: 0224012000000000 [ 800.277687] x26: ffffffd84277f630 x25: ffffff81012fd800 x24: 0000000000000020 [ 800.284818] x23: ffffff8040238b08 x22: 0000000000000570 x21: 0000000000000158 [ 800.291948] x20: 0000000000000000 x19: ffffff8040238000 x18: 0000000000000000 [ 800.299078] x17: ffffffa8c1bd2000 x16: ffffffc080000000 x15: 0000000000000000 [ 800.306208] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 800.313338] x11: 0000000000000040 x10: 0000000000001a40 x9 : ffffffd83b39757c [ 800.320468] x8 : ffffffd842786420 x7 : 7fffffffffffffff x6 : 0000000000ef32b0 [ 800.327598] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : ffffffd842784980 [ 800.334728] x2 : 0000000000000004 x1 : 0000000000010002 x0 : 000000ba4c0ca382 [ 800.341859] Call trace: [ 800.344294] v3d_job_update_stats+0x60/0x130 [v3d] [ 800.349086] v3d_irq+0x124/0x2e0 [v3d] [ 800.352835] __handle_irq_event_percpu+0x58/0x218 [ 800.357539] handle_irq_event+0x54/0xb8 [ 800.361369] handle_fasteoi_irq+0xac/0x240 [ 800.365458] handle_irq_desc+0x48/0x68 [ 800.369200] generic_handle_domain_irq+0x24/0x38 [ 800.373810] gic_handle_irq+0x48/0xd8 [ 800.377464] call_on_irq_stack+0x24/0x58 [ 800.381379] do_interrupt_handler+0x88/0x98 [ 800.385554] el1_interrupt+0x34/0x68 [ 800.389123] el1h_64_irq_handler+0x18/0x28 [ 800.393211] el1h_64_irq+0x64/0x68 [ 800.396603] default_idle_call+0x3c/0x168 [ 800.400606] do_idle+0x1fc/0x230 [ 800.403827] cpu_startup_entry+0x40/0x50 [ 800.407742] rest_init+0xe4/0xf0 [ 800.410962] start_kernel+0x5e8/0x790 [ 800.414616] __primary_switched+0x80/0x90 [ 800.418622] Code: 8b170277 8b160296 11000421 b9000861 (b9401ac1) [ 800.424707] ---[ end trace 0000000000000000 ]--- [ 800.457313] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

This issue happens when the file descriptor is closed before the jobs submitted by it are completed. When the job completes, we update the global GPU stats and the per-fd GPU stats, which are exposed through fdinfo. If the file descriptor was closed, then the struct v3d_file_priv and its stats were already freed and we can't update the per-fd stats.

Therefore, if the file descriptor was already closed, don't u ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T14:15:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()`\n\nThe following kernel Oops was recently reported by Mesa CI:\n\n[  800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588\n[  800.148619] Mem abort info:\n[  800.151402]   ESR = 0x0000000096000005\n[  800.155141]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  800.160444]   SET = 0, FnV = 0\n[  800.163488]   EA = 0, S1PTW = 0\n[  800.166619]   FSC = 0x05: level 1 translation fault\n[  800.171487] Data abort info:\n[  800.174357]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[  800.179832]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  800.184873]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  800.190176] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001014c2000\n[  800.196607] [0000000000000588] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[  800.205305] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[  800.211564] Modules linked in: vc4 snd_soc_hdmi_codec drm_display_helper v3d cec gpu_sched drm_dma_helper drm_shmem_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm i2c_brcmstb snd_timer snd backlight\n[  800.234448] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1  Debian 1:6.12.25-1+rpt1\n[  800.244182] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n[  800.250005] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  800.256959] pc : v3d_job_update_stats+0x60/0x130 [v3d]\n[  800.262112] lr : v3d_job_update_stats+0x48/0x130 [v3d]\n[  800.267251] sp : ffffffc080003e60\n[  800.270555] x29: ffffffc080003e60 x28: ffffffd842784980 x27: 0224012000000000\n[  800.277687] x26: ffffffd84277f630 x25: ffffff81012fd800 x24: 0000000000000020\n[  800.284818] x23: ffffff8040238b08 x22: 0000000000000570 x21: 0000000000000158\n[  800.291948] x20: 0000000000000000 x19: ffffff8040238000 x18: 0000000000000000\n[  800.299078] x17: ffffffa8c1bd2000 x16: ffffffc080000000 x15: 0000000000000000\n[  800.306208] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  800.313338] x11: 0000000000000040 x10: 0000000000001a40 x9 : ffffffd83b39757c\n[  800.320468] x8 : ffffffd842786420 x7 : 7fffffffffffffff x6 : 0000000000ef32b0\n[  800.327598] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : ffffffd842784980\n[  800.334728] x2 : 0000000000000004 x1 : 0000000000010002 x0 : 000000ba4c0ca382\n[  800.341859] Call trace:\n[  800.344294]  v3d_job_update_stats+0x60/0x130 [v3d]\n[  800.349086]  v3d_irq+0x124/0x2e0 [v3d]\n[  800.352835]  __handle_irq_event_percpu+0x58/0x218\n[  800.357539]  handle_irq_event+0x54/0xb8\n[  800.361369]  handle_fasteoi_irq+0xac/0x240\n[  800.365458]  handle_irq_desc+0x48/0x68\n[  800.369200]  generic_handle_domain_irq+0x24/0x38\n[  800.373810]  gic_handle_irq+0x48/0xd8\n[  800.377464]  call_on_irq_stack+0x24/0x58\n[  800.381379]  do_interrupt_handler+0x88/0x98\n[  800.385554]  el1_interrupt+0x34/0x68\n[  800.389123]  el1h_64_irq_handler+0x18/0x28\n[  800.393211]  el1h_64_irq+0x64/0x68\n[  800.396603]  default_idle_call+0x3c/0x168\n[  800.400606]  do_idle+0x1fc/0x230\n[  800.403827]  cpu_startup_entry+0x40/0x50\n[  800.407742]  rest_init+0xe4/0xf0\n[  800.410962]  start_kernel+0x5e8/0x790\n[  800.414616]  __primary_switched+0x80/0x90\n[  800.418622] Code: 8b170277 8b160296 11000421 b9000861 (b9401ac1)\n[  800.424707] ---[ end trace 0000000000000000 ]---\n[  800.457313] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThis issue happens when the file descriptor is closed before the jobs\nsubmitted by it are completed. When the job completes, we update the\nglobal GPU stats and the per-fd GPU stats, which are exposed through\nfdinfo. If the file descriptor was closed, then the struct `v3d_file_priv`\nand its stats were already freed and we can\u0027t update the per-fd stats.\n\nTherefore, if the file descriptor was already closed, don\u0027t u\n---truncated---",
  "id": "GHSA-6c4r-cxgh-ghm9",
  "modified": "2025-11-19T21:31:14Z",
  "published": "2025-07-04T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38189"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f4701489d0f768a232b10d281491184f34bacf0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c886784000934d5486621106da0614c85bcd76a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1bc3a13bd775791cca0bb144d977b00f3598042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C63-4574-7P9F

Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2025-11-03 21:30
VLAI
Details

A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-14T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.",
  "id": "GHSA-6c63-4574-7p9f",
  "modified": "2025-11-03T21:30:44Z",
  "published": "2022-10-14T19:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2850"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:7087"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:7133"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8162"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8680"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8886"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8976"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:0479"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2850"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2118691"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CF5-RV3H-C7JX

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2024-09-20 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()

This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes.

dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 [ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()\n\nThis adds a check before freeing the rx-\u003eskb in flush and close\nfunctions to handle the kernel crash seen while removing driver after FW\ndownload fails or before FW download completes.\n\ndmesg log:\n[   54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080\n[   54.643398] Mem abort info:\n[   54.646204]   ESR = 0x0000000096000004\n[   54.649964]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   54.655286]   SET = 0, FnV = 0\n[   54.658348]   EA = 0, S1PTW = 0\n[   54.661498]   FSC = 0x04: level 0 translation fault\n[   54.666391] Data abort info:\n[   54.669273]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[   54.674768]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   54.674771]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000\n[   54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000\n[   54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[   54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse\n[   54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2\n[   54.744364] Hardware name: FSL i.MX8MM EVK board (DT)\n[   54.744368] Workqueue: hci0 hci_power_on\n[   54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   54.757249] pc : kfree_skb_reason+0x18/0xb0\n[   54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]\n[   54.782921] sp : ffff8000805ebca0\n[   54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000\n[   54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230\n[   54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92\n[   54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff\n[   54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857\n[   54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642\n[   54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688\n[   54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000\n[   54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000\n[   54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac\n[   54.857599] Call trace:\n[   54.857601]  kfree_skb_reason+0x18/0xb0\n[   54.863878]  btnxpuart_flush+0x40/0x58 [btnxpuart]\n[   54.863888]  hci_dev_open_sync+0x3a8/0xa04\n[   54.872773]  hci_power_on+0x54/0x2e4\n[   54.881832]  process_one_work+0x138/0x260\n[   54.881842]  worker_thread+0x32c/0x438\n[   54.881847]  kthread+0x118/0x11c\n[   54.881853]  ret_from_fork+0x10/0x20\n[   54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400)\n[   54.896410] ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-6cf5-rv3h-c7jx",
  "modified": "2024-09-20T21:31:38Z",
  "published": "2024-09-18T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46749"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/013dae4735d2010544d1f2121bdeb8e6c9ea171e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/056e0cd381d59a9124b7c43dd715e15f56a11635"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c68bbf5e334b35b36ac5b9f0419f1f93f796bad1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CF9-GR3M-FGC8

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL. The result is a crash in gf_filter_pck_new_alloc_internal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-19T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL. The result is a crash in gf_filter_pck_new_alloc_internal.",
  "id": "GHSA-6cf9-gr3m-fgc8",
  "modified": "2022-05-24T17:47:49Z",
  "published": "2022-05-24T17:47:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6CG7-X9GH-4WF6

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-16T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.",
  "id": "GHSA-6cg7-x9gh-4wf6",
  "modified": "2022-05-24T19:14:51Z",
  "published": "2022-05-24T19:14:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34798"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2021-17"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4982"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211008-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-20"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
    },
    {
      "type": "WEB",
      "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.