Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-6F5Q-28VF-CQGR

Vulnerability from github – Published: 2022-05-14 00:55 – Updated: 2022-05-14 00:55
VLAI
Details

Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-25T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly.",
  "id": "GHSA-6f5q-28vf-cqgr",
  "modified": "2022-05-14T00:55:01Z",
  "published": "2022-05-14T00:55:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xkbcommon/libxkbcommon/commit/e3cacae7b1bfda0d839c280494f23284a1187adf"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2079"
    },
    {
      "type": "WEB",
      "url": "https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201810-05"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3786-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3786-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F5R-5MJV-2P43

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-09 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: hisi_sas: Create all dump files during debugfs initialization

For the current debugfs of hisi_sas, after user triggers dump, the driver allocate memory space to save the register information and create debugfs files to display the saved information. In this process, the debugfs files created after each dump.

Therefore, when the dump is triggered while the driver is unbind, the following hang occurs:

[67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 [67840.862947] Mem abort info: [67840.865855] ESR = 0x0000000096000004 [67840.869713] EC = 0x25: DABT (current EL), IL = 32 bits [67840.875125] SET = 0, FnV = 0 [67840.878291] EA = 0, S1PTW = 0 [67840.881545] FSC = 0x04: level 0 translation fault [67840.886528] Data abort info: [67840.889524] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [67840.895117] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [67840.900284] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000 [67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000 [67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [67841.003628] pc : down_write+0x30/0x98 [67841.007546] lr : start_creating.part.0+0x60/0x198 [67841.012495] sp : ffff8000b979ba20 [67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40 [67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8 [67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18 [67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020 [67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff [67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18 [67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18 [67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9 [67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001 [67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0 [67841.089759] Call trace: [67841.092456] down_write+0x30/0x98 [67841.096017] start_creating.part.0+0x60/0x198 [67841.100613] debugfs_create_dir+0x48/0x1f8 [67841.104950] debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw] [67841.111447] debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw] [67841.118111] debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw] [67841.125115] full_proxy_write+0x68/0xc8 [67841.129175] vfs_write+0xd8/0x3f0 [67841.132708] ksys_write+0x70/0x108 [67841.136317] __arm64_sys_write+0x24/0x38 [67841.140440] invoke_syscall+0x50/0x128 [67841.144385] el0_svc_common.constprop.0+0xc8/0xf0 [67841.149273] do_el0_svc+0x24/0x38 [67841.152773] el0_svc+0x38/0xd8 [67841.156009] el0t_64_sync_handler+0xc0/0xc8 [67841.160361] el0t_64_sync+0x1a4/0x1a8 [67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05) [67841.170443] ---[ end trace 0000000000000000 ]---

To fix this issue, create all directories and files during debugfs initialization. In this way, the driver only needs to allocate memory space to save information each time the user triggers dumping.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Create all dump files during debugfs initialization\n\nFor the current debugfs of hisi_sas, after user triggers dump, the\ndriver allocate memory space to save the register information and create\ndebugfs files to display the saved information. In this process, the\ndebugfs files created after each dump.\n\nTherefore, when the dump is triggered while the driver is unbind, the\nfollowing hang occurs:\n\n[67840.853907] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[67840.862947] Mem abort info:\n[67840.865855]   ESR = 0x0000000096000004\n[67840.869713]   EC = 0x25: DABT (current EL), IL = 32 bits\n[67840.875125]   SET = 0, FnV = 0\n[67840.878291]   EA = 0, S1PTW = 0\n[67840.881545]   FSC = 0x04: level 0 translation fault\n[67840.886528] Data abort info:\n[67840.889524]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[67840.895117]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[67840.900284]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[67840.905709] user pgtable: 4k pages, 48-bit VAs, pgdp=0000002803a1f000\n[67840.912263] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000\n[67840.919177] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[67840.996435] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[67841.003628] pc : down_write+0x30/0x98\n[67841.007546] lr : start_creating.part.0+0x60/0x198\n[67841.012495] sp : ffff8000b979ba20\n[67841.016046] x29: ffff8000b979ba20 x28: 0000000000000010 x27: 0000000000024b40\n[67841.023412] x26: 0000000000000012 x25: ffff20202b355ae8 x24: ffff20202b35a8c8\n[67841.030779] x23: ffffa36877928208 x22: ffffa368b4972240 x21: ffff8000b979bb18\n[67841.038147] x20: ffff00281dc1e3c0 x19: fffffffffffffffe x18: 0000000000000020\n[67841.045515] x17: 0000000000000000 x16: ffffa368b128a530 x15: ffffffffffffffff\n[67841.052888] x14: ffff8000b979bc18 x13: ffffffffffffffff x12: ffff8000b979bb18\n[67841.060263] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa368b1289b18\n[67841.067640] x8 : 0000000000000012 x7 : 0000000000000000 x6 : 00000000000003a9\n[67841.075014] x5 : 0000000000000000 x4 : ffff002818c5cb00 x3 : 0000000000000001\n[67841.082388] x2 : 0000000000000000 x1 : ffff002818c5cb00 x0 : 00000000000000a0\n[67841.089759] Call trace:\n[67841.092456]  down_write+0x30/0x98\n[67841.096017]  start_creating.part.0+0x60/0x198\n[67841.100613]  debugfs_create_dir+0x48/0x1f8\n[67841.104950]  debugfs_create_files_v3_hw+0x88/0x348 [hisi_sas_v3_hw]\n[67841.111447]  debugfs_snapshot_regs_v3_hw+0x708/0x798 [hisi_sas_v3_hw]\n[67841.118111]  debugfs_trigger_dump_v3_hw_write+0x9c/0x120 [hisi_sas_v3_hw]\n[67841.125115]  full_proxy_write+0x68/0xc8\n[67841.129175]  vfs_write+0xd8/0x3f0\n[67841.132708]  ksys_write+0x70/0x108\n[67841.136317]  __arm64_sys_write+0x24/0x38\n[67841.140440]  invoke_syscall+0x50/0x128\n[67841.144385]  el0_svc_common.constprop.0+0xc8/0xf0\n[67841.149273]  do_el0_svc+0x24/0x38\n[67841.152773]  el0_svc+0x38/0xd8\n[67841.156009]  el0t_64_sync_handler+0xc0/0xc8\n[67841.160361]  el0t_64_sync+0x1a4/0x1a8\n[67841.164189] Code: b9000882 d2800002 d2800023 f9800011 (c85ffc05)\n[67841.170443] ---[ end trace 0000000000000000 ]---\n\nTo fix this issue, create all directories and files during debugfs\ninitialization. In this way, the driver only needs to allocate memory\nspace to save information each time the user triggers dumping.",
  "id": "GHSA-6f5r-5mjv-2p43",
  "modified": "2025-01-09T18:32:13Z",
  "published": "2024-12-27T15:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56588"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c55f99123075e5429850b41b06f7dfffcb708eb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c8c50c9855a9e1b0d1e3680e5ad839002a9deb5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f564f15f88490b484e02442dc4c4b11640ea172"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F6M-G7V2-775J

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-10 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw

devm_kasprintf() calls can return null pointers on failure. But the return values were not checked in npcm8xx_gpio_fw(). Add NULL check in npcm8xx_gpio_fw(), to handle kernel NULL pointer dereference error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw\n\ndevm_kasprintf() calls can return null pointers on failure.\nBut the return values were not checked in npcm8xx_gpio_fw().\nAdd NULL check in npcm8xx_gpio_fw(), to handle kernel NULL\npointer dereference error.",
  "id": "GHSA-6f6m-g7v2-775j",
  "modified": "2025-04-10T15:31:45Z",
  "published": "2025-04-01T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21982"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a08a86e5aff8e65368ccd463348fdda26100821"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a585f6ea42ec259a9a57e3e2580fa527c92187d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/acf40ab42799e4ae1397ee6f5c5941092d66f999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F84-P6H5-X3QM

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-05 18:14
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: Add NULL pointer check in i3c_master_queue_ibi()

The I3C master driver may receive an IBI from a target device that has not been probed yet. In such cases, the master calls i3c_master_queue_ibi() to queue an IBI work task, leading to "Unable to handle kernel read from unreadable memory" and resulting in a kernel panic.

Typical IBI handling flow: 1. The I3C master scans target devices and probes their respective drivers. 2. The target device driver calls i3c_device_request_ibi() to enable IBI and assigns dev->ibi = ibi. 3. The I3C master receives an IBI from the target device and calls i3c_master_queue_ibi() to queue the target device driver’s IBI handler task.

However, since target device events are asynchronous to the I3C probe sequence, step 3 may occur before step 2, causing dev->ibi to be NULL, leading to a kernel panic.

Add a NULL pointer check in i3c_master_queue_ibi() to prevent accessing an uninitialized dev->ibi, ensuring stability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T13:15:50Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: Add NULL pointer check in i3c_master_queue_ibi()\n\nThe I3C master driver may receive an IBI from a target device that has not\nbeen probed yet. In such cases, the master calls `i3c_master_queue_ibi()`\nto queue an IBI work task, leading to \"Unable to handle kernel read from\nunreadable memory\" and resulting in a kernel panic.\n\nTypical IBI handling flow:\n1. The I3C master scans target devices and probes their respective drivers.\n2. The target device driver calls `i3c_device_request_ibi()` to enable IBI\n   and assigns `dev-\u003eibi = ibi`.\n3. The I3C master receives an IBI from the target device and calls\n   `i3c_master_queue_ibi()` to queue the target device driver\u2019s IBI\n   handler task.\n\nHowever, since target device events are asynchronous to the I3C probe\nsequence, step 3 may occur before step 2, causing `dev-\u003eibi` to be `NULL`,\nleading to a kernel panic.\n\nAdd a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing\nan uninitialized `dev-\u003eibi`, ensuring stability.",
  "id": "GHSA-6f84-p6h5-x3qm",
  "modified": "2025-11-05T18:14:24Z",
  "published": "2025-05-01T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23147"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09359e7c8751961937cb5fc50220969b0a4e1058"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b54faa5f47fa7c642179744aeff03f0810dc62e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ba402610843d7d15c7f3966a461deeeaff7fba4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6871a676aa534e8f218279672e0445c725f81026"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd496a44f041da9ef3afe14d1d6193d460424e91"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d83b0c03ef8fbea2f03029a1cc1f5041f0e1d47f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6bba328578feb58c614c11868c259b40484c5fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe4a4fc179b7898055555a11685915473588392e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff9d61db59bb27d16d3f872bff2620d50856b80c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F8V-6CC2-9P3F

Vulnerability from github – Published: 2022-05-14 00:54 – Updated: 2022-05-14 00:54
VLAI
Details

An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14609"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-27T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized.",
  "id": "GHSA-6f8v-6cc2-9p3f",
  "modified": "2022-05-14T00:54:13Z",
  "published": "2022-05-14T00:54:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14609"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.kernel.org/show_bug.cgi?id=199833"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://patchwork.kernel.org/patch/10500521"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3821-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3821-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4094-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4118-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4308"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F8X-5HMV-67RJ

Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

clk: Fix clk_core_get NULL dereference

It is possible for clk_core_get to dereference a NULL in the following sequence:

clk_core_get() of_clk_get_hw_from_clkspec() __of_clk_get_hw_from_provider() __clk_get_hw()

__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at hw->core.

Prior to commit dde4eff47c82 ("clk: Look for parents with clkdev based clk_lookups") the check IS_ERR_OR_NULL() was performed which would have caught the NULL.

Reading the description of this function it talks about returning NULL but that cannot be so at the moment.

Update the function to check for hw before dereferencing it and return NULL if hw is NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T13:15:49Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_core_get NULL dereference\n\nIt is possible for clk_core_get to dereference a NULL in the following\nsequence:\n\nclk_core_get()\n    of_clk_get_hw_from_clkspec()\n        __of_clk_get_hw_from_provider()\n            __clk_get_hw()\n\n__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at\nhw-\u003ecore.\n\nPrior to commit dde4eff47c82 (\"clk: Look for parents with clkdev based\nclk_lookups\") the check IS_ERR_OR_NULL() was performed which would have\ncaught the NULL.\n\nReading the description of this function it talks about returning NULL but\nthat cannot be so at the moment.\n\nUpdate the function to check for hw before dereferencing it and return NULL\nif hw is NULL.",
  "id": "GHSA-6f8x-5hmv-67rj",
  "modified": "2026-05-12T12:31:44Z",
  "published": "2024-05-01T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27038"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0efb9ef6fb95384ba631d6819e66f10392aabfa2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/239174535dba11f7b83de0eaaa27909024f8c185"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f073b24a9e2becd25ac4505a9780a87e621bb51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5d9b1aa61b401867b9066d54086b3e4ee91f8ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8b2b26fdd011ebe36d68a9a321ca45801685959"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c554badcae9c45b737a22d23454170c6020b90e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7ae7d1265686b55832a445b1db8cdd69738ac07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e97fe4901e0f59a0bfd524578fe3768f8ca42428"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FFC-5VCX-VFP5

Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2022-05-14 03:49
VLAI
Details

EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-03T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service.",
  "id": "GHSA-6ffc-5vcx-vfp5",
  "modified": "2022-05-14T03:49:57Z",
  "published": "2022-05-14T03:49:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000471"
    },
    {
      "type": "WEB",
      "url": "https://github.com/embedthis/goahead/pull/258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/embedthis/goahead/commit/5e6be61e42448f503e75e287dc332b1ecbf2a665#diff-7c9c60c790648b06210f57b9e2f53ca7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FHQ-5HRR-WQ44

Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-04-27 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to NULL, and is used as a sentinel to skip folio operations like lock and rmap.

In the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL, pgprot) passes NULL through folio_pfn() and page_to_pfn(). With SPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD pointing to non-existent physical memory. On other memory models it is a NULL dereference.

Use page_folio(src_page) to obtain the valid huge zero folio from the page, which was obtained from pmd_page() and remains valid throughout.

After commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge zero folio special"), moved huge zero PMDs must remain special so vm_normal_page_pmd() continues to treat them as special mappings.

move_pages_huge_pmd() currently reconstructs the destination PMD in the huge zero page branch, which drops PMD state such as pmd_special() on architectures with CONFIG_ARCH_HAS_PTE_SPECIAL. As a result, vm_normal_page_pmd() can treat the moved huge zero PMD as a normal page and corrupt its refcount.

Instead of reconstructing the PMD from the folio, derive the destination entry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD metadata the same way move_huge_pmd() does for moved entries by marking it soft-dirty and clearing uffd-wp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-03T16:16:38Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()\n\nmove_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge\nzero pages.  For the huge zero page path, src_folio is explicitly set to\nNULL, and is used as a sentinel to skip folio operations like lock and\nrmap.\n\nIn the huge zero page branch, src_folio is NULL, so folio_mk_pmd(NULL,\npgprot) passes NULL through folio_pfn() and page_to_pfn().  With\nSPARSEMEM_VMEMMAP this silently produces a bogus PFN, installing a PMD\npointing to non-existent physical memory.  On other memory models it is a\nNULL dereference.\n\nUse page_folio(src_page) to obtain the valid huge zero folio from the\npage, which was obtained from pmd_page() and remains valid throughout.\n\nAfter commit d82d09e48219 (\"mm/huge_memory: mark PMD mappings of the huge\nzero folio special\"), moved huge zero PMDs must remain special so\nvm_normal_page_pmd() continues to treat them as special mappings.\n\nmove_pages_huge_pmd() currently reconstructs the destination PMD in the\nhuge zero page branch, which drops PMD state such as pmd_special() on\narchitectures with CONFIG_ARCH_HAS_PTE_SPECIAL.  As a result,\nvm_normal_page_pmd() can treat the moved huge zero PMD as a normal page\nand corrupt its refcount.\n\nInstead of reconstructing the PMD from the folio, derive the destination\nentry from src_pmdval after pmdp_huge_clear_flush(), then handle the PMD\nmetadata the same way move_huge_pmd() does for moved entries by marking it\nsoft-dirty and clearing uffd-wp.",
  "id": "GHSA-6fhq-5hrr-wq44",
  "modified": "2026-04-27T15:30:32Z",
  "published": "2026-04-03T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31397"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3133d0986dc5a231d5419167dbac65312b28b41"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f3caaee0f9e489fd2282d4ce45791dc8aed2da62"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fae654083bfa409bb2244f390232e2be47f05bfc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FQW-R97C-866J

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-13T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.",
  "id": "GHSA-6fqw-r97c-866j",
  "modified": "2022-05-24T19:14:16Z",
  "published": "2022-05-24T19:14:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/289ffce3e0d224d314f5f92a744d5fe35999f20b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6FR3-G4MR-859F

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01
VLAI
Details

An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-22T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940.",
  "id": "GHSA-6fr3-g4mr-859f",
  "modified": "2022-05-24T17:01:48Z",
  "published": "2022-05-24T17:01:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18976"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/155436/Asterisk-Project-Security-Advisory-AST-2019-008.html"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2019/Nov/20"
    },
    {
      "type": "WEB",
      "url": "https://www.asterisk.org/downloads/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.cybersecurity-help.cz/vdb/SB2019112218?affChecked=1"
    },
    {
      "type": "WEB",
      "url": "http://downloads.asterisk.org/pub/security/AST-2019-008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.