Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-6QVP-R6R3-9P7H

Vulnerability from github – Published: 2019-01-17 14:05 – Updated: 2025-12-04 16:20
VLAI
Summary
Nokogiri NULL Pointer Dereference
Details

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-14404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:20:04Z",
    "nvd_published_at": "2018-07-19T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "A NULL pointer dereference vulnerability exists in the `xpath.c:xmlXPathCompOpEval()` function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the `XPATH_OP_AND` or `XPATH_OP_OR` case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.",
  "id": "GHSA-6qvp-r6r3-9p7h",
  "modified": "2025-12-04T16:20:45Z",
  "published": "2019-01-17T14:05:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14404"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/issues/1785"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1543"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595985"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/issues/10"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190719-0002"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3739-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3739-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri NULL Pointer Dereference"
}

GHSA-6R8W-5WM5-436V

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

Untrusted pointer dereference in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Untrusted pointer dereference in some Intel(R) Graphics Drivers before version 26.20.100.8141 may allow a privileged user to potentially enable a denial of service via local access.",
  "id": "GHSA-6r8w-5wm5-436v",
  "modified": "2022-05-24T17:42:25Z",
  "published": "2022-05-24T17:42:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12370"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6RH3-M266-5M77

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-10-07 18:15
VLAI
Details

A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn\u0027t been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability.",
  "id": "GHSA-6rh3-m266-5m77",
  "modified": "2022-10-07T18:15:55Z",
  "published": "2022-05-24T17:14:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1730"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1730"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2A7BIFKUYIYKTY7FX4BEWVC2OHS5DPOU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLSWHBQ3EPKGTGLQNH554Z746BJ3C554"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200424-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4327-1"
    },
    {
      "type": "WEB",
      "url": "https://www.libssh.org/security/advisories/CVE-2020-1730.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RJ2-XG9P-3JJ4

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-05-29 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

atm: lec: fix null-ptr-deref in lec_arp_clear_vccs

syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer.

In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc). When the underlying VCC is closed, lec_vcc_close() iterates over all ARP entries and calls lec_arp_clear_vccs() for each matched entry.

For example, when lec_vcc_close() iterates through the hlists in priv->lec_arp_empty_ones or other ARP tables:

  1. In the first iteration, for the first matched ARP entry sharing the VCC, lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back) and sets vcc->user_back to NULL.
  2. In the second iteration, for the next matched ARP entry sharing the same VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it via vcc->pop = vpriv->old_pop, leading to a null-ptr-deref crash.

Fix this by adding a null check for vpriv before dereferencing it. If vpriv is already NULL, it means the VCC has been cleared by a previous call, so we can safely skip the cleanup and just clear the entry's vcc/recv_vcc pointers.

The entire cleanup block (including vcc_release_async()) is placed inside the vpriv guard because a NULL vpriv indicates the VCC has already been fully released by a prior iteration — repeating the teardown would redundantly set flags and trigger callbacks on an already-closing socket.

The Fixes tag points to the initial commit because the entry->vcc path has been vulnerable since the original code. The entry->recv_vcc path was later added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back") with the same pattern, and both paths are fixed here.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:23Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix null-ptr-deref in lec_arp_clear_vccs\n\nsyzkaller reported a null-ptr-deref in lec_arp_clear_vccs().\nThis issue can be easily reproduced using the syzkaller reproducer.\n\nIn the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by\nmultiple lec_arp_table entries (e.g., via entry-\u003evcc or entry-\u003erecv_vcc).\nWhen the underlying VCC is closed, lec_vcc_close() iterates over all\nARP entries and calls lec_arp_clear_vccs() for each matched entry.\n\nFor example, when lec_vcc_close() iterates through the hlists in\npriv-\u003elec_arp_empty_ones or other ARP tables:\n\n1. In the first iteration, for the first matched ARP entry sharing the VCC,\nlec_arp_clear_vccs() frees the associated vpriv (which is vcc-\u003euser_back)\nand sets vcc-\u003euser_back to NULL.\n2. In the second iteration, for the next matched ARP entry sharing the same\nVCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from\nvcc-\u003euser_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it\nvia `vcc-\u003epop = vpriv-\u003eold_pop`, leading to a null-ptr-deref crash.\n\nFix this by adding a null check for vpriv before dereferencing\nit. If vpriv is already NULL, it means the VCC has been cleared\nby a previous call, so we can safely skip the cleanup and just\nclear the entry\u0027s vcc/recv_vcc pointers.\n\nThe entire cleanup block (including vcc_release_async()) is placed inside\nthe vpriv guard because a NULL vpriv indicates the VCC has already been\nfully released by a prior iteration \u2014 repeating the teardown would\nredundantly set flags and trigger callbacks on an already-closing socket.\n\nThe Fixes tag points to the initial commit because the entry-\u003evcc path has\nbeen vulnerable since the original code. The entry-\u003erecv_vcc path was later\nadded by commit 8d9f73c0ad2f (\"atm: fix a memory leak of vcc-\u003euser_back\")\nwith the same pattern, and both paths are fixed here.",
  "id": "GHSA-6rj2-xg9p-3jj4",
  "modified": "2026-05-29T18:31:13Z",
  "published": "2026-03-25T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23286"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/101bacb303e89dc2e0640ae6a5e0fb97c4eb45bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d9f57ea29a1f1772373b98a509b44d49fda609e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30c9744a989feb22cfbb84170eb0e038a7a2c1da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f1cfea7921f5c126a441d973690eeba52677b64"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/622062f24644b4536d3f437e0cf7a8c4bb421665"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ea92ab075d809ec8a96669a5ecf00f752057875"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8aff65a82b6389ec674d46e5b3d3ae6f07db5e3e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9665986eb127290ceb535bd5d04d7a84265d94f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RPQ-7WMG-7QJV

Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2025-03-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_api: fix error handling causing NULL dereference

tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change().

fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced.

Example trace:

BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1 RIP: 0010:tcf_action_init+0x1f8/0x2c0 Call Trace: tcf_action_init+0x1f8/0x2c0 tcf_exts_validate_ex+0x175/0x190 fl_change+0x537/0x1120 [cls_flower]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T10:15:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_api: fix error handling causing NULL dereference\n\ntcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can\nreturn 1 if the allocation succeeded after wrapping. This was treated as\nan error, with value 1 returned to caller tcf_exts_init_ex() which sets\nexts-\u003eactions to NULL and returns 1 to caller fl_change().\n\nfl_change() treats err == 1 as success, calling tcf_exts_validate_ex()\nwhich calls tcf_action_init() with exts-\u003eactions as argument, where it\nis dereferenced.\n\nExample trace:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1\nRIP: 0010:tcf_action_init+0x1f8/0x2c0\nCall Trace:\n tcf_action_init+0x1f8/0x2c0\n tcf_exts_validate_ex+0x175/0x190\n fl_change+0x537/0x1120 [cls_flower]",
  "id": "GHSA-6rpq-7wmg-7qjv",
  "modified": "2025-03-13T21:31:18Z",
  "published": "2025-03-12T12:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21857"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/071ed42cff4fcdd89025d966d48eabef59913bf2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3c74b5787caf59bb1e9c5fe0a360643a71eb1e8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e4c56cf41876ef2a82f0877fe2a67648f8632b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de4b679aa3b4da7ec34f639df068b914f20e3c3c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RPX-57FJ-HJ72

Vulnerability from github – Published: 2024-08-21 09:31 – Updated: 2024-09-13 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Add exception protection processing for vd in axi_chan_handle_err function

Since there is no protection for vd, a kernel panic will be triggered here in exceptional cases.

You can refer to the processing of axi_chan_block_xfer_complete function

The triggered kernel panic is as follows:

[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 [ 67.848447] Mem abort info: [ 67.848449] ESR = 0x96000004 [ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits [ 67.848454] SET = 0, FnV = 0 [ 67.848456] EA = 0, S1PTW = 0 [ 67.848458] Data abort info: [ 67.848460] ISV = 0, ISS = 0x00000004 [ 67.848462] CM = 0, WnR = 0 [ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000 [ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000 [ 67.848472] Internal error: Oops: 96000004 [#1] SMP [ 67.848475] Modules linked in: dmatest [ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11 [ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--) [ 67.848487] pc : axi_chan_handle_err+0xc4/0x230 [ 67.848491] lr : axi_chan_handle_err+0x30/0x230 [ 67.848493] sp : ffff0803fe55ae50 [ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200 [ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080 [ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850 [ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000 [ 67.848512] x21: 0000000000000080 x20: 0000000000002000 [ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000 [ 67.848521] x17: 0000000000000000 x16: 0000000000000000 [ 67.848525] x15: 0000000000000000 x14: 0000000000000000 [ 67.848529] x13: 0000000000000000 x12: 0000000000000040 [ 67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a [ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270 [ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0 [ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480 [ 67.848550] x3 : dead000000000100 x2 : dead000000000122 [ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168 [ 67.848559] Call trace: [ 67.848562] axi_chan_handle_err+0xc4/0x230 [ 67.848566] dw_axi_dma_interrupt+0xf4/0x590 [ 67.848569] __handle_irq_event_percpu+0x60/0x220 [ 67.848573] handle_irq_event+0x64/0x120 [ 67.848576] handle_fasteoi_irq+0xc4/0x220 [ 67.848580] __handle_domain_irq+0x80/0xe0 [ 67.848583] gic_handle_irq+0xc0/0x138 [ 67.848585] el1_irq+0xc8/0x180 [ 67.848588] arch_cpu_idle+0x14/0x2c [ 67.848591] default_idle_call+0x40/0x16c [ 67.848594] do_idle+0x1f0/0x250 [ 67.848597] cpu_startup_entry+0x2c/0x60 [ 67.848600] rest_init+0xc0/0xcc [ 67.848603] arch_call_rest_init+0x14/0x1c [ 67.848606] start_kernel+0x4cc/0x500 [ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1) [ 67.848613] ---[ end trace 585a97036f88203a ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-21T07:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nAdd exception protection processing for vd in axi_chan_handle_err function\n\nSince there is no protection for vd, a kernel panic will be\ntriggered here in exceptional cases.\n\nYou can refer to the processing of axi_chan_block_xfer_complete function\n\nThe triggered kernel panic is as follows:\n\n[   67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060\n[   67.848447] Mem abort info:\n[   67.848449]   ESR = 0x96000004\n[   67.848451]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   67.848454]   SET = 0, FnV = 0\n[   67.848456]   EA = 0, S1PTW = 0\n[   67.848458] Data abort info:\n[   67.848460]   ISV = 0, ISS = 0x00000004\n[   67.848462]   CM = 0, WnR = 0\n[   67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000\n[   67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000\n[   67.848472] Internal error: Oops: 96000004 [#1] SMP\n[   67.848475] Modules linked in: dmatest\n[   67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11\n[   67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)\n[   67.848487] pc : axi_chan_handle_err+0xc4/0x230\n[   67.848491] lr : axi_chan_handle_err+0x30/0x230\n[   67.848493] sp : ffff0803fe55ae50\n[   67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200\n[   67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080\n[   67.848504] x25: ffff800010d33880 x24: ffff80001139d850\n[   67.848508] x23: ffff0800c097c168 x22: 0000000000000000\n[   67.848512] x21: 0000000000000080 x20: 0000000000002000\n[   67.848517] x19: ffff0800c097c080 x18: 0000000000000000\n[   67.848521] x17: 0000000000000000 x16: 0000000000000000\n[   67.848525] x15: 0000000000000000 x14: 0000000000000000\n[   67.848529] x13: 0000000000000000 x12: 0000000000000040\n[   67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a\n[   67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270\n[   67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0\n[   67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480\n[   67.848550] x3 : dead000000000100 x2 : dead000000000122\n[   67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168\n[   67.848559] Call trace:\n[   67.848562]  axi_chan_handle_err+0xc4/0x230\n[   67.848566]  dw_axi_dma_interrupt+0xf4/0x590\n[   67.848569]  __handle_irq_event_percpu+0x60/0x220\n[   67.848573]  handle_irq_event+0x64/0x120\n[   67.848576]  handle_fasteoi_irq+0xc4/0x220\n[   67.848580]  __handle_domain_irq+0x80/0xe0\n[   67.848583]  gic_handle_irq+0xc0/0x138\n[   67.848585]  el1_irq+0xc8/0x180\n[   67.848588]  arch_cpu_idle+0x14/0x2c\n[   67.848591]  default_idle_call+0x40/0x16c\n[   67.848594]  do_idle+0x1f0/0x250\n[   67.848597]  cpu_startup_entry+0x2c/0x60\n[   67.848600]  rest_init+0xc0/0xcc\n[   67.848603]  arch_call_rest_init+0x14/0x1c\n[   67.848606]  start_kernel+0x4cc/0x500\n[   67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)\n[   67.848613] ---[ end trace 585a97036f88203a ]---",
  "id": "GHSA-6rpx-57fj-hj72",
  "modified": "2024-09-13T15:31:31Z",
  "published": "2024-08-21T09:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52899"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20d0a6d17e85a8a816a64fa7d7cae616f1617833"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5054d001ffaf76155637c5e5b922c11016cd6a5d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51a7ad5b60efac65691729d10745c28fa1016b96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53dd833fd0a2d8f0118d01ea063a70652689d31e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57054fe516d59d03a7bcf1888e82479ccc244f87"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f534dc438828cc3f1f8c6895b8bdfbef079521fb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RQP-5XH4-J422

Vulnerability from github – Published: 2026-02-06 06:30 – Updated: 2026-02-06 06:30
VLAI
Details

A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-06T06:15:50Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-6rqp-5xh4-j422",
  "modified": "2026-02-06T06:30:27Z",
  "published": "2026-02-06T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libuvc/libuvc/issues/300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libuvc/libuvc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oneafter/0104/blob/main/repro"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344509"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344509"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.743388"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6RVQ-8CG9-GM39

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-13457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-12T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.",
  "id": "GHSA-6rvq-8cg9-gm39",
  "modified": "2022-05-13T01:27:25Z",
  "published": "2022-05-13T01:27:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13457"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/fakhrizulkifli/87cf1c1ad403b4d40a86d90c9c9bf7ab"
    },
    {
      "type": "WEB",
      "url": "https://knowledge.opsview.com/v5.3/docs/whats-new"
    },
    {
      "type": "WEB",
      "url": "https://knowledge.opsview.com/v5.4/docs/whats-new"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45082"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RX6-6HH2-M59M

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_commit() in mjs.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_bcode_commit() in mjs.c.",
  "id": "GHSA-6rx6-6hh2-m59m",
  "modified": "2022-07-29T00:00:26Z",
  "published": "2022-07-27T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mjs/issues/163"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V4W-QF8X-8HJM

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

gpio: mvebu: fix NULL pointer dereference in suspend/resume

mvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO banks during suspend/resume, but not all banks have PWM functionality. GPIO banks without PWM have mvchip->mvpwm set to NULL.

Calling mvebu_pwm_suspend() with mvpwm == NULL causes a NULL pointer dereference when it tries to access mvpwm->blink_select.

Unable to handle kernel NULL pointer dereference at virtual address 00000020 when write [00000020] *pgd=00000000 Internal error: Oops: 815 [#1] PREEMPT ARM Modules linked in: CPU: 0 UID: 0 PID: 406 Comm: sh Not tainted 6.12.74-rt12-yocto-standard-g4e96f98fb7db-dirty #353 Hardware name: Marvell Armada 370/XP (Device Tree) PC is at regmap_mmio_read+0x38/0x54 LR is at regmap_mmio_read+0x38/0x54 pc : [] lr : [] psr: 200f0013 sp : f0c11d10 ip : 00000000 fp : c100d2f0 r10: c14fb854 r9 : 00000000 r8 : 00000000 r7 : c1799c00 r6 : 00000020 r5 : 00000020 r4 : c179c7c0 r3 : f0a231a0 r2 : 00000020 r1 : 00000020 r0 : 00000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: 135ec059 DAC: 00000051 Call trace: regmap_mmio_read from _regmap_bus_reg_read+0x78/0xac _regmap_bus_reg_read from _regmap_read+0x60/0x154 _regmap_read from regmap_read+0x3c/0x60 regmap_read from mvebu_gpio_suspend+0xa4/0x14c mvebu_gpio_suspend from dpm_run_callback+0x54/0x180 dpm_run_callback from device_suspend+0x124/0x630 device_suspend from dpm_suspend+0x124/0x270 dpm_suspend from dpm_suspend_start+0x64/0x6c dpm_suspend_start from suspend_devices_and_enter+0x140/0x8e8 suspend_devices_and_enter from pm_suspend+0x2fc/0x308 pm_suspend from state_store+0x6c/0xc8 state_store from kernfs_fop_write_iter+0x10c/0x1f8 kernfs_fop_write_iter from vfs_write+0x270/0x468 vfs_write from ksys_write+0x70/0xf0 ksys_write from ret_fast_syscall+0x0/0x54

Add a NULL check for mvchip->mvpwm before calling the PWM suspend/resume functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:41Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: mvebu: fix NULL pointer dereference in suspend/resume\n\nmvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO\nbanks during suspend/resume, but not all banks have PWM functionality.\nGPIO banks without PWM have mvchip-\u003emvpwm set to NULL.\n\nCalling mvebu_pwm_suspend() with mvpwm == NULL causes a NULL pointer\ndereference when it tries to access mvpwm-\u003eblink_select.\n\n  Unable to handle kernel NULL pointer dereference at virtual address 00000020 when write\n  [00000020] *pgd=00000000\n  Internal error: Oops: 815 [#1] PREEMPT ARM\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 406 Comm: sh Not tainted 6.12.74-rt12-yocto-standard-g4e96f98fb7db-dirty #353\n  Hardware name: Marvell Armada 370/XP (Device Tree)\n  PC is at regmap_mmio_read+0x38/0x54\n  LR is at regmap_mmio_read+0x38/0x54\n  pc : [\u003cc05fd2ac\u003e]    lr : [\u003cc05fd2ac\u003e]    psr: 200f0013\n  sp : f0c11d10  ip : 00000000  fp : c100d2f0\n  r10: c14fb854  r9 : 00000000  r8 : 00000000\n  r7 : c1799c00  r6 : 00000020  r5 : 00000020  r4 : c179c7c0\n  r3 : f0a231a0  r2 : 00000020  r1 : 00000020  r0 : 00000000\n  Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none\n  Control: 10c5387d  Table: 135ec059  DAC: 00000051\n  Call trace:\n   regmap_mmio_read from _regmap_bus_reg_read+0x78/0xac\n   _regmap_bus_reg_read from _regmap_read+0x60/0x154\n   _regmap_read from regmap_read+0x3c/0x60\n   regmap_read from mvebu_gpio_suspend+0xa4/0x14c\n   mvebu_gpio_suspend from dpm_run_callback+0x54/0x180\n   dpm_run_callback from device_suspend+0x124/0x630\n   device_suspend from dpm_suspend+0x124/0x270\n   dpm_suspend from dpm_suspend_start+0x64/0x6c\n   dpm_suspend_start from suspend_devices_and_enter+0x140/0x8e8\n   suspend_devices_and_enter from pm_suspend+0x2fc/0x308\n   pm_suspend from state_store+0x6c/0xc8\n   state_store from kernfs_fop_write_iter+0x10c/0x1f8\n   kernfs_fop_write_iter from vfs_write+0x270/0x468\n   vfs_write from ksys_write+0x70/0xf0\n   ksys_write from ret_fast_syscall+0x0/0x54\n\nAdd a NULL check for mvchip-\u003emvpwm before calling the PWM\nsuspend/resume functions.",
  "id": "GHSA-6v4w-qf8x-8hjm",
  "modified": "2026-07-08T15:31:46Z",
  "published": "2026-06-25T09:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53237"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ef24338eda3c7e96d6f94a988266ff16ed3985d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6136c1474db88272231573e222896e1998d34662"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7db09011ce62162d72897fc4856b4425245dfe35"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9ad50d7505ebd48282ec3630258dc820fc85c81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9677a9274ffb44987ec209dc8ec9f2d34946956"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.