Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-6H2P-G88J-GCM9

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-06 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Fix NULL pointer dereference in capture_engine

When the intel_context structure contains NULL, it raises a NULL pointer dereference error in drm_info().

(cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix NULL pointer dereference in capture_engine\n\nWhen the intel_context structure contains NULL,\nit raises a NULL pointer dereference error in drm_info().\n\n(cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d)",
  "id": "GHSA-6h2p-g88j-gcm9",
  "modified": "2025-01-06T18:31:00Z",
  "published": "2024-12-27T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56667"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da0b986256ae9a78b0215214ff44f271bfe237c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e07f9c92bd127f8835ac669d83b5e7ff59bbb40f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6ebe4f14a267bc431d0eebab4f335c0ebd45977"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6H7G-9JF3-8CR5

Vulnerability from github – Published: 2022-05-17 02:57 – Updated: 2025-04-20 03:33
VLAI
Details

base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-01T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.",
  "id": "GHSA-6h7g-9jf3-8cr5",
  "modified": "2025-04-20T03:33:28Z",
  "published": "2022-05-17T02:57:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5854"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/02/01/14"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/02/02/12"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HCF-G6GR-HHCR

Vulnerability from github – Published: 2023-03-24 22:01 – Updated: 2023-03-24 22:01
VLAI
Summary
`openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference
Details

These functions would crash when the context argument was None with certain extension types.

Thanks to David Benjamin (Google) for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.7"
            },
            {
              "fixed": "0.10.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-24T22:01:23Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "These functions would crash when the context argument was None with certain extension types.\n\nThanks to David Benjamin (Google) for reporting this issue.\n",
  "id": "GHSA-6hcf-g6gr-hhcr",
  "modified": "2023-03-24T22:01:23Z",
  "published": "2023-03-24T22:01:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sfackler/rust-openssl/pull/1854"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sfackler/rust-openssl"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "`openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference"
}

GHSA-6HCP-52XR-V4MV

Vulnerability from github – Published: 2022-11-29 00:30 – Updated: 2025-04-14 18:31
VLAI
Details

A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-28T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.",
  "id": "GHSA-6hcp-52xr-v4mv",
  "modified": "2025-04-14T18:31:41Z",
  "published": "2022-11-29T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/d785a773bed966a75ca1f11d108ae1897189975b"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/all/d5a19c1e-9968-e22e-5917-c3139c5e7e89%40kernel.dk"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/all/d5a19c1e-9968-e22e-5917-c3139c5e7e89@kernel.dk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HCP-X8FR-RWCV

Vulnerability from github – Published: 2025-04-03 09:32 – Updated: 2025-04-10 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: qcom: uefisecapp: fix efivars registration race

Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access.

Make sure that all resources have been set up before registering the efivars.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T08:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: uefisecapp: fix efivars registration race\n\nSince the conversion to using the TZ allocator, the efivars service is\nregistered before the memory pool has been allocated, something which\ncan lead to a NULL-pointer dereference in case of a racing EFI variable\naccess.\n\nMake sure that all resources have been set up before registering the\nefivars.",
  "id": "GHSA-6hcp-x8fr-rwcv",
  "modified": "2025-04-10T18:32:01Z",
  "published": "2025-04-03T09:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21998"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4e37b381a7a243c298a4858fc0a5a74e737c79a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da8d493a80993972c427002684d0742560f3be4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f15a2b96a0e41c426c63a932d0e63cde7b9784aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HCQ-7FXG-HVVV

Vulnerability from github – Published: 2022-05-14 03:07 – Updated: 2025-04-20 03:43
VLAI
Details

The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-18T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The gmp plugin in strongSwan before 5.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted RSA signature.",
  "id": "GHSA-6hcq-7fxg-hvvv",
  "modified": "2025-04-20T03:43:17Z",
  "published": "2022-05-14T03:07:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11185"
    },
    {
      "type": "WEB",
      "url": "https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-%28cve-2017-11185%29.html"
    },
    {
      "type": "WEB",
      "url": "https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-(cve-2017-11185).html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3962"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100492"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HFH-2MVQ-2JJC

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-06 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: Fix null-ptr-deref during unload module

The workqueue should be destroyed in mtk_jpeg_core.c since commit 09aea13ecf6f ("media: mtk-jpeg: refactor some variables"), otherwise the below calltrace can be easily triggered.

[ 677.862514] Unable to handle kernel paging request at virtual address dfff800000000023 [ 677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] ... [ 677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G O 6.8.12-mtk+gfa1a78e5d24b+ #17 ... [ 677.882838] pc : destroy_workqueue+0x3c/0x770 [ 677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.884314] sp : ffff80008ad974f0 [ 677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070 [ 677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690 [ 677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000 [ 677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0 [ 677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10 [ 677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d [ 677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90 [ 677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001 [ 677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000 [ 677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118 [ 677.893977] Call trace: [ 677.894297] destroy_workqueue+0x3c/0x770 [ 677.894826] mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw] [ 677.895677] devm_action_release+0x50/0x90 [ 677.896211] release_nodes+0xe8/0x170 [ 677.896688] devres_release_all+0xf8/0x178 [ 677.897219] device_unbind_cleanup+0x24/0x170 [ 677.897785] device_release_driver_internal+0x35c/0x480 [ 677.898461] device_release_driver+0x20/0x38 ... [ 677.912665] ---[ end trace 0000000000000000 ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-jpeg: Fix null-ptr-deref during unload module\n\nThe workqueue should be destroyed in mtk_jpeg_core.c since commit\n09aea13ecf6f (\"media: mtk-jpeg: refactor some variables\"), otherwise\nthe below calltrace can be easily triggered.\n\n[  677.862514] Unable to handle kernel paging request at virtual address dfff800000000023\n[  677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]\n...\n[  677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G           O       6.8.12-mtk+gfa1a78e5d24b+ #17\n...\n[  677.882838] pc : destroy_workqueue+0x3c/0x770\n[  677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]\n[  677.884314] sp : ffff80008ad974f0\n[  677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070\n[  677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690\n[  677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000\n[  677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0\n[  677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10\n[  677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d\n[  677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90\n[  677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001\n[  677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000\n[  677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118\n[  677.893977] Call trace:\n[  677.894297]  destroy_workqueue+0x3c/0x770\n[  677.894826]  mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]\n[  677.895677]  devm_action_release+0x50/0x90\n[  677.896211]  release_nodes+0xe8/0x170\n[  677.896688]  devres_release_all+0xf8/0x178\n[  677.897219]  device_unbind_cleanup+0x24/0x170\n[  677.897785]  device_release_driver_internal+0x35c/0x480\n[  677.898461]  device_release_driver+0x20/0x38\n...\n[  677.912665] ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-6hfh-2mvq-2jjc",
  "modified": "2025-01-06T18:31:00Z",
  "published": "2024-12-27T15:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56577"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ba08c21c6a92e6512e73644555120427c9a49d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17af2b39daf12870cac61ffc360e62bc35798afb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc3889a39baf783c64c6d628bbb74d76ce164bb1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HMQ-VW9F-P5PF

Vulnerability from github – Published: 2022-03-08 00:00 – Updated: 2022-03-17 00:02
VLAI
Details

A NULL Pointer Dereference vulnerability in the messaging_ipc.dll component as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools, VPN Standalone allows an attacker to arbitrarily crash product processes and generate crashdump files. This issue affects: Bitdefender Total Security versions prior to 26.0.3.29. Bitdefender Internet Security versions prior to 26.0.3.29. Bitdefender Antivirus Plus versions prior to 26.0.3.29. Bitdefender Endpoint Security Tools versions prior to 7.2.2.92. Bitdefender VPN Standalone versions prior to 25.5.0.48.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-07T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL Pointer Dereference vulnerability in the messaging_ipc.dll component as used in Bitdefender Total Security, Internet Security, Antivirus Plus, Endpoint Security Tools, VPN Standalone allows an attacker to arbitrarily crash product processes and generate crashdump files.\nThis issue affects:\nBitdefender Total Security\nversions prior to 26.0.3.29.\nBitdefender Internet Security\nversions prior to 26.0.3.29.\nBitdefender Antivirus Plus\nversions prior to 26.0.3.29.\nBitdefender Endpoint Security Tools\nversions prior to 7.2.2.92.\nBitdefender VPN Standalone\nversions prior to 25.5.0.48.",
  "id": "GHSA-6hmq-vw9f-p5pf",
  "modified": "2022-03-17T00:02:53Z",
  "published": "2022-03-08T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4198"
    },
    {
      "type": "WEB",
      "url": "https://www.bitdefender.com/support/security-advisories/messaging_ipc-dll-null-pointer-dereference-in-multiple-bitdefender-products-va-10016"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-483"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HQQ-R498-2PRH

Vulnerability from github – Published: 2025-10-23 12:31 – Updated: 2025-10-23 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

igc: Reinstate IGC_REMOVED logic and implement it properly

The initially merged version of the igc driver code (via commit 146740f9abc4, "igc: Add support for PF") contained the following IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:

u32 igc_rd32(struct igc_hw *hw, u32 reg)
{
    u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);
    u32 value = 0;

    if (IGC_REMOVED(hw_addr))
        return ~value;

    value = readl(&hw_addr[reg]);

    /* reads should not return all F's */
    if (!(~value) && (!reg || !(~readl(hw_addr))))
        hw->hw_addr = NULL;

    return value;
}

And:

#define wr32(reg, val) \
do { \
    u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \
    if (!IGC_REMOVED(hw_addr)) \
        writel((val), &hw_addr[(reg)]); \
} while (0)

E.g. igb has similar checks in its MMIO accessors, and has a similar macro E1000_REMOVED, which is implemented as follows:

#define E1000_REMOVED(h) unlikely(!(h))

These checks serve to detect and take note of an 0xffffffff MMIO read return from the device, which can be caused by a PCIe link flap or some other kind of PCI bus error, and to avoid performing MMIO reads and writes from that point onwards.

However, the IGC_REMOVED macro was not originally implemented:

#ifndef IGC_REMOVED
#define IGC_REMOVED(a) (0)
#endif /* IGC_REMOVED */

This led to the IGC_REMOVED logic to be removed entirely in a subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED function"), with the rationale that such checks matter only for virtualization and that igc does not support virtualization -- but a PCIe device can become detached even without virtualization being in use, and without proper checks, a PCIe bus error affecting an igc adapter will lead to various NULL pointer dereferences, as the first access after the error will set hw->hw_addr to NULL, and subsequent accesses will blindly dereference this now-NULL pointer.

This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and implements IGC_REMOVED the way it is done for igb, by checking for the unlikely() case of hw_addr being NULL. This change prevents the oopses seen when a PCIe link flap occurs on an igc adapter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Reinstate IGC_REMOVED logic and implement it properly\n\nThe initially merged version of the igc driver code (via commit\n146740f9abc4, \"igc: Add support for PF\") contained the following\nIGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:\n\n\tu32 igc_rd32(struct igc_hw *hw, u32 reg)\n\t{\n\t\tu8 __iomem *hw_addr = READ_ONCE(hw-\u003ehw_addr);\n\t\tu32 value = 0;\n\n\t\tif (IGC_REMOVED(hw_addr))\n\t\t\treturn ~value;\n\n\t\tvalue = readl(\u0026hw_addr[reg]);\n\n\t\t/* reads should not return all F\u0027s */\n\t\tif (!(~value) \u0026\u0026 (!reg || !(~readl(hw_addr))))\n\t\t\thw-\u003ehw_addr = NULL;\n\n\t\treturn value;\n\t}\n\nAnd:\n\n\t#define wr32(reg, val) \\\n\tdo { \\\n\t\tu8 __iomem *hw_addr = READ_ONCE((hw)-\u003ehw_addr); \\\n\t\tif (!IGC_REMOVED(hw_addr)) \\\n\t\t\twritel((val), \u0026hw_addr[(reg)]); \\\n\t} while (0)\n\nE.g. igb has similar checks in its MMIO accessors, and has a similar\nmacro E1000_REMOVED, which is implemented as follows:\n\n\t#define E1000_REMOVED(h) unlikely(!(h))\n\nThese checks serve to detect and take note of an 0xffffffff MMIO read\nreturn from the device, which can be caused by a PCIe link flap or some\nother kind of PCI bus error, and to avoid performing MMIO reads and\nwrites from that point onwards.\n\nHowever, the IGC_REMOVED macro was not originally implemented:\n\n\t#ifndef IGC_REMOVED\n\t#define IGC_REMOVED(a) (0)\n\t#endif /* IGC_REMOVED */\n\nThis led to the IGC_REMOVED logic to be removed entirely in a\nsubsequent commit (commit 3c215fb18e70, \"igc: remove IGC_REMOVED\nfunction\"), with the rationale that such checks matter only for\nvirtualization and that igc does not support virtualization -- but a\nPCIe device can become detached even without virtualization being in\nuse, and without proper checks, a PCIe bus error affecting an igc\nadapter will lead to various NULL pointer dereferences, as the first\naccess after the error will set hw-\u003ehw_addr to NULL, and subsequent\naccesses will blindly dereference this now-NULL pointer.\n\nThis patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and\nimplements IGC_REMOVED the way it is done for igb, by checking for the\nunlikely() case of hw_addr being NULL.  This change prevents the oopses\nseen when a PCIe link flap occurs on an igc adapter.",
  "id": "GHSA-6hqq-r498-2prh",
  "modified": "2025-10-23T12:31:15Z",
  "published": "2025-10-23T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49605"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HR8-534P-8986

Vulnerability from github – Published: 2024-03-11 18:31 – Updated: 2024-11-06 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: fix NULL pointer in channel unregistration function

__dma_async_device_channel_register() can fail. In case of failure, chan->local is freed (with free_percpu()), and chan->local is nullified. When dma_async_device_unregister() is called (because of managed API or intentionally by DMA controller driver), channels are unconditionally unregistered, leading to this NULL pointer: [ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 [...] [ 1.484499] Call trace: [ 1.486930] device_del+0x40/0x394 [ 1.490314] device_unregister+0x20/0x7c [ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0

Look at dma_async_device_register() function error path, channel device unregistration is done only if chan->local is not NULL.

Then add the same condition at the beginning of __dma_async_device_channel_unregister() function, to avoid NULL pointer issue whatever the API used to reach this function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-11T18:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fix NULL pointer in channel unregistration function\n\n__dma_async_device_channel_register() can fail. In case of failure,\nchan-\u003elocal is freed (with free_percpu()), and chan-\u003elocal is nullified.\nWhen dma_async_device_unregister() is called (because of managed API or\nintentionally by DMA controller driver), channels are unconditionally\nunregistered, leading to this NULL pointer:\n[    1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[...]\n[    1.484499] Call trace:\n[    1.486930]  device_del+0x40/0x394\n[    1.490314]  device_unregister+0x20/0x7c\n[    1.494220]  __dma_async_device_channel_unregister+0x68/0xc0\n\nLook at dma_async_device_register() function error path, channel device\nunregistration is done only if chan-\u003elocal is not NULL.\n\nThen add the same condition at the beginning of\n__dma_async_device_channel_unregister() function, to avoid NULL pointer\nissue whatever the API used to reach this function.",
  "id": "GHSA-6hr8-534p-8986",
  "modified": "2024-11-06T21:30:53Z",
  "published": "2024-03-11T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52492"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/047fce470412ab64cb7345f9ff5d06919078ad79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ab32986a0b9e329eb7f8f04dd57cc127f797c08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f0ccfad2031eddcc510caf4e57f2d4aa2d8a50b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9263fd2a63487c6d04cbb7b74a48fb12e1e352d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9de69732dde4e443c1c7f89acbbed2c45a6a8e17"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f5c24d94512f1b288262beda4d3dcb9629222fc7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.