CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6309 vulnerabilities reference this CWE, most recent first.
GHSA-6CF5-RV3H-C7JX
Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2024-09-20 21:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()
This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes.
dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 [ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---
{
"affected": [],
"aliases": [
"CVE-2024-46749"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T08:15:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()\n\nThis adds a check before freeing the rx-\u003eskb in flush and close\nfunctions to handle the kernel crash seen while removing driver after FW\ndownload fails or before FW download completes.\n\ndmesg log:\n[ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080\n[ 54.643398] Mem abort info:\n[ 54.646204] ESR = 0x0000000096000004\n[ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 54.655286] SET = 0, FnV = 0\n[ 54.658348] EA = 0, S1PTW = 0\n[ 54.661498] FSC = 0x04: level 0 translation fault\n[ 54.666391] Data abort info:\n[ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000\n[ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000\n[ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse\n[ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2\n[ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT)\n[ 54.744368] Workqueue: hci0 hci_power_on\n[ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 54.757249] pc : kfree_skb_reason+0x18/0xb0\n[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]\n[ 54.782921] sp : ffff8000805ebca0\n[ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000\n[ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230\n[ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92\n[ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff\n[ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857\n[ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642\n[ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688\n[ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000\n[ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000\n[ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac\n[ 54.857599] Call trace:\n[ 54.857601] kfree_skb_reason+0x18/0xb0\n[ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart]\n[ 54.863888] hci_dev_open_sync+0x3a8/0xa04\n[ 54.872773] hci_power_on+0x54/0x2e4\n[ 54.881832] process_one_work+0x138/0x260\n[ 54.881842] worker_thread+0x32c/0x438\n[ 54.881847] kthread+0x118/0x11c\n[ 54.881853] ret_from_fork+0x10/0x20\n[ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400)\n[ 54.896410] ---[ end trace 0000000000000000 ]---",
"id": "GHSA-6cf5-rv3h-c7jx",
"modified": "2024-09-20T21:31:38Z",
"published": "2024-09-18T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46749"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/013dae4735d2010544d1f2121bdeb8e6c9ea171e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/056e0cd381d59a9124b7c43dd715e15f56a11635"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c68bbf5e334b35b36ac5b9f0419f1f93f796bad1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6CF9-GR3M-FGC8
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL. The result is a crash in gf_filter_pck_new_alloc_internal.
{
"affected": [],
"aliases": [
"CVE-2021-30015"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-19T20:15:00Z",
"severity": "MODERATE"
},
"details": "There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL. The result is a crash in gf_filter_pck_new_alloc_internal.",
"id": "GHSA-6cf9-gr3m-fgc8",
"modified": "2022-05-24T17:47:49Z",
"published": "2022-05-24T17:47:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30015"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1719"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6CG7-X9GH-4WF6
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
{
"affected": [],
"aliases": [
"CVE-2021-34798"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-16T15:15:00Z",
"severity": "HIGH"
},
"details": "Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.",
"id": "GHSA-6cg7-x9gh-4wf6",
"modified": "2022-05-24T19:14:51Z",
"published": "2022-05-24T19:14:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34798"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"type": "WEB",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6CJ4-5M2X-2QJ3
Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: fix bulk_move corruption when adding a entry
When the resource is the first in the bulk_move range, adding it again (thus moving it to the tail) will corrupt the list since the first pointer is not moved. This eventually lead to null pointer deref in ttm_lru_bulk_move_del()
{
"affected": [],
"aliases": [
"CVE-2023-53444"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix bulk_move corruption when adding a entry\n\nWhen the resource is the first in the bulk_move range, adding it again\n(thus moving it to the tail) will corrupt the list since the first\npointer is not moved. This eventually lead to null pointer deref in\nttm_lru_bulk_move_del()",
"id": "GHSA-6cj4-5m2x-2qj3",
"modified": "2025-12-12T21:31:31Z",
"published": "2025-09-18T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53444"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4481913607e58196c48a4fef5e6f45350684ec3c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70a3015683b007a0db4a1e858791b69afd45fc83"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7cf50e41bdc2d574056ebbfeaafc5f0e2562d5b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6CJ6-4HH2-HVRG
Vulnerability from github – Published: 2025-09-23 15:31 – Updated: 2025-09-23 15:31In the Linux kernel, the following vulnerability has been resolved:
media: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers
If the application queues an NV12M jpeg as output buffer, but then queues a single planar capture buffer, the kernel will crash with "Unable to handle kernel NULL pointer dereference" in mxc_jpeg_addrs, prevent this by finishing the job with error.
{
"affected": [],
"aliases": [
"CVE-2022-49165"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers\n\nIf the application queues an NV12M jpeg as output buffer, but then\nqueues a single planar capture buffer, the kernel will crash with\n\"Unable to handle kernel NULL pointer dereference\" in mxc_jpeg_addrs,\nprevent this by finishing the job with error.",
"id": "GHSA-6cj6-4hh2-hvrg",
"modified": "2025-09-23T15:31:07Z",
"published": "2025-09-23T15:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49165"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/417591a766b3c040c346044541ff949c0b2bb7b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4eb591c47c82a6a6ad293ed108c3cb77115fbc25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d075ede7d24f19dc817c5bd517a53f0524f9031"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eff76b180751e5e55c872d17755680c3b83ba9ab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6CPC-423V-FX46
Vulnerability from github – Published: 2024-11-27 12:31 – Updated: 2024-11-27 12:31The webdriver for the Browser object expects an error object to be initialized when the webdriver_session_query function fails. But this function can fail for various reasons without an error description and then the wd->error will be NULL and trying to read from it will result in a crash.
{
"affected": [],
"aliases": [
"CVE-2024-42329"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-27T12:15:20Z",
"severity": "LOW"
},
"details": "The webdriver for the Browser object expects an error object to be initialized when the webdriver_session_query function fails. But this function can fail for various reasons without an error description and then the wd-\u003eerror will be NULL and trying to read from it will result in a crash.",
"id": "GHSA-6cpc-423v-fx46",
"modified": "2024-11-27T12:31:54Z",
"published": "2024-11-27T12:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42329"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-25625"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6CPX-32J8-J7QJ
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2016-9114"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-30T22:59:00Z",
"severity": "HIGH"
},
"details": "There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image-\u003ecomps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service.",
"id": "GHSA-6cpx-32j8-j7qj",
"modified": "2022-05-13T01:16:23Z",
"published": "2022-05-13T01:16:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9114"
},
{
"type": "WEB",
"url": "https://github.com/uclouvain/openjpeg/issues/857"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201710-26"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93979"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6CR3-6R56-XR54
Vulnerability from github – Published: 2025-03-14 00:30 – Updated: 2025-03-14 00:30In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Address NULL pointer dereference after starget_to_rport()
Calls to starget_to_rport() may return NULL. Add check for NULL rport before dereference.
{
"affected": [],
"aliases": [
"CVE-2022-49332"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Address NULL pointer dereference after starget_to_rport()\n\nCalls to starget_to_rport() may return NULL. Add check for NULL rport\nbefore dereference.",
"id": "GHSA-6cr3-6r56-xr54",
"modified": "2025-03-14T00:30:51Z",
"published": "2025-03-14T00:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49332"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/68fcff1127e4995ddbd4b6861892a25c23db3f70"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6f808bd78e8296b4ded813b7182988d57e1f6176"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6F2J-R97J-F7V5
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 21:30In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind, which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this structure needs to be stored inside the driver data before invoking it.
As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the mode_config.idr_mutex, blocking all subsequent DRM operations.
Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g):
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 [...] Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib drm_dma_helper drm_kms_helper panel_simple [...] Call trace: drm_mode_object_add+0x58/0x98 (P) __drm_encoder_init+0x48/0x140 drm_encoder_init+0x6c/0xa0 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper] mtk_dsi_bind+0x34/0x13c [mediatek_drm] component_bind_all+0x120/0x280 mtk_drm_bind+0x284/0x67c [mediatek_drm] try_to_bring_up_aggregate_device+0x23c/0x320 __component_add+0xa4/0x198 component_add+0x14/0x20 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm] mipi_dsi_attach+0x2c/0x50 panel_simple_dsi_probe+0x4c/0x9c [panel_simple] mipi_dsi_drv_probe+0x1c/0x28 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __device_attach_driver+0xbc/0x17c bus_for_each_drv+0x88/0xf0 __device_attach+0x9c/0x1cc device_initial_probe+0x54/0x60 bus_probe_device+0x34/0xa0 device_add+0x5b0/0x800 mipi_dsi_device_register_full+0xdc/0x16c mipi_dsi_host_register+0xc4/0x17c mtk_dsi_probe+0x10c/0x260 [mediatek_drm] platform_probe+0x5c/0xa4 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1f8 bus_for_each_dev+0x7c/0xe0 driver_attach+0x24/0x30 bus_add_driver+0x11c/0x240 driver_register+0x68/0x130 __platform_register_drivers+0x64/0x160 mtk_drm_init+0x24/0x1000 [mediatek_drm] do_one_initcall+0x60/0x1d0 do_init_module+0x54/0x240 load_module+0x1838/0x1dc0 init_module_from_file+0xd8/0xf0 __arm64_sys_finit_module+0x1b4/0x428 invoke_syscall.constprop.0+0x48/0xc8 do_el0_svc+0x3c/0xb8 el0_svc+0x34/0xe8 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
{
"affected": [],
"aliases": [
"CVE-2026-31562"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register\n\nThe call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind,\nwhich uses dev_get_drvdata to retrieve the mtk_dsi struct, so this\nstructure needs to be stored inside the driver data before invoking it.\n\nAs drvdata is currently uninitialized it leads to a crash when\nregistering the DSI DRM encoder right after acquiring\nthe mode_config.idr_mutex, blocking all subsequent DRM operations.\n\nFixes the following crash during mediatek-drm probe (tested on Xiaomi\nSmart Clock x04g):\n\nUnable to handle kernel NULL pointer dereference at virtual address\n 0000000000000040\n[...]\nModules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib\n drm_dma_helper drm_kms_helper panel_simple\n[...]\nCall trace:\n drm_mode_object_add+0x58/0x98 (P)\n __drm_encoder_init+0x48/0x140\n drm_encoder_init+0x6c/0xa0\n drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]\n mtk_dsi_bind+0x34/0x13c [mediatek_drm]\n component_bind_all+0x120/0x280\n mtk_drm_bind+0x284/0x67c [mediatek_drm]\n try_to_bring_up_aggregate_device+0x23c/0x320\n __component_add+0xa4/0x198\n component_add+0x14/0x20\n mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]\n mipi_dsi_attach+0x2c/0x50\n panel_simple_dsi_probe+0x4c/0x9c [panel_simple]\n mipi_dsi_drv_probe+0x1c/0x28\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __device_attach_driver+0xbc/0x17c\n bus_for_each_drv+0x88/0xf0\n __device_attach+0x9c/0x1cc\n device_initial_probe+0x54/0x60\n bus_probe_device+0x34/0xa0\n device_add+0x5b0/0x800\n mipi_dsi_device_register_full+0xdc/0x16c\n mipi_dsi_host_register+0xc4/0x17c\n mtk_dsi_probe+0x10c/0x260 [mediatek_drm]\n platform_probe+0x5c/0xa4\n really_probe+0xc0/0x3dc\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x40/0x120\n __driver_attach+0xc8/0x1f8\n bus_for_each_dev+0x7c/0xe0\n driver_attach+0x24/0x30\n bus_add_driver+0x11c/0x240\n driver_register+0x68/0x130\n __platform_register_drivers+0x64/0x160\n mtk_drm_init+0x24/0x1000 [mediatek_drm]\n do_one_initcall+0x60/0x1d0\n do_init_module+0x54/0x240\n load_module+0x1838/0x1dc0\n init_module_from_file+0xd8/0xf0\n __arm64_sys_finit_module+0x1b4/0x428\n invoke_syscall.constprop.0+0x48/0xc8\n do_el0_svc+0x3c/0xb8\n el0_svc+0x34/0xe8\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800022 941004ab 2a0003f3 37f80040 (29005a80)",
"id": "GHSA-6f2j-r97j-f7v5",
"modified": "2026-04-27T21:30:47Z",
"published": "2026-04-24T15:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31562"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4cfdfeb6ac06079f92fccd977fa742d6c5b8dd3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a709b7e36324dfc1e6728eb81405470b7ae84e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df03f5ac1eae7c5a2c01846e3e64dfc2870eec6b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6F3G-P975-CJV5
Vulnerability from github – Published: 2026-05-27 18:31 – Updated: 2026-05-30 15:30A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).
{
"affected": [],
"aliases": [
"CVE-2025-70116"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T17:16:29Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).",
"id": "GHSA-6f3g-p975-cjv5",
"modified": "2026-05-30T15:30:21Z",
"published": "2026-05-27T18:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70116"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/3345"
},
{
"type": "WEB",
"url": "https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_esd_media_tools_isom_tools_c_1364"
},
{
"type": "WEB",
"url": "https://infosec.exchange/@sigdevel/116624563750949972"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/30/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.