Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-74W9-C64J-QMCW

Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2024-10-25 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check stream_status before it is used

[WHAT & HOW] dc_state_get_stream_status can return null, and therefore null must be checked before stream_status is used.

This fixes 1 NULL_RETURNS issue reported by Coverity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T18:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check stream_status before it is used\n\n[WHAT \u0026 HOW]\ndc_state_get_stream_status can return null, and therefore null must be\nchecked before stream_status is used.\n\nThis fixes 1 NULL_RETURNS issue reported by Coverity.",
  "id": "GHSA-74w9-c64j-qmcw",
  "modified": "2024-10-25T15:31:25Z",
  "published": "2024-10-21T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49893"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4914c8bfee1843fae046a12970b6f178e6642659"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/58a8ee96f84d2c21abb85ad8c22d2bbdf59bd7a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-74XW-GWFM-7PV7

Vulnerability from github – Published: 2021-12-18 00:00 – Updated: 2024-11-21 22:18
VLAI
Summary
bounter Null pointer reference
Details

Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks by inputting a huge width of hash bucket.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bounter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-21T22:18:17Z",
    "nvd_published_at": "2021-12-17T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks by inputting a huge width of hash bucket.",
  "id": "GHSA-74xw-gwfm-7pv7",
  "modified": "2024-11-21T22:18:17Z",
  "published": "2021-12-18T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41497"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RaRe-Technologies/bounter/issues/47"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RaRe-Technologies/bounter"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bounter/PYSEC-2021-880.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bounter Null pointer reference"
}

GHSA-7565-8WHX-JMG5

Vulnerability from github – Published: 2025-09-26 12:31 – Updated: 2025-09-26 12:31
VLAI
Details

A vulnerability was found in BehaviorTree up to 4.7.0. Affected by this issue is the function JsonExporter::fromJson of the file /src/json_export.cpp. Performing manipulation of the argument Source results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named 4b23dcaf0ce951a31299ebdd61df69f9ce99a76d. It is suggested to install a patch to address this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T12:15:34Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in BehaviorTree up to 4.7.0. Affected by this issue is the function JsonExporter::fromJson of the file /src/json_export.cpp. Performing manipulation of the argument Source results in null pointer dereference. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named 4b23dcaf0ce951a31299ebdd61df69f9ce99a76d. It is suggested to install a patch to address this issue.",
  "id": "GHSA-7565-8whx-jmg5",
  "modified": "2025-09-26T12:31:08Z",
  "published": "2025-09-26T12:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1008"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BehaviorTree/BehaviorTree.CPP/pull/1009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BehaviorTree/BehaviorTree.CPP/commit/4b23dcaf0ce951a31299ebdd61df69f9ce99a76d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/22270928/poc.zip"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325954"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325954"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.654073"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-756H-GRQ9-2JVH

Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-25 15:30
VLAI
Details

A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-23T18:15:34Z",
    "severity": "HIGH"
  },
  "details": "A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node-\u003enext is valid before accessing node-\u003enext-\u003eoverflow_wrap, resulting in a crash if the split fails or returns a partial node chain.",
  "id": "GHSA-756h-grq9-2jvh",
  "modified": "2025-09-25T15:30:23Z",
  "published": "2025-09-23T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55780"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=708720"
    },
    {
      "type": "WEB",
      "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ISH2YU/CVE-2025-55780/tree/main"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-758P-V7G2-6F96

Vulnerability from github – Published: 2025-03-18 21:31 – Updated: 2025-03-18 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix unregistering of framebuffers without device

OF framebuffers do not have an underlying device in the Linux device hierarchy. Do a regular unregister call instead of hot unplugging such a non-existing device. Fixes a NULL dereference. An example error message on ppc64le is shown below.

BUG: Kernel NULL pointer dereference on read at 0x00000060 Faulting instruction address: 0xc00000000080dfa4 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries [...] CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1 NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430 REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365) MSR: 8000000002009033 CR: 28228282 XER: 20000000 CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029 GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000 GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283 GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000 GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80 GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0 GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0 GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0 NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0 [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable) [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150 [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0 [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm] [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs] [...] [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0 [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250

The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal"). Most firmware framebuffers have an underlying platform device, which can be hot-unplugged before loading the native graphics driver. OF framebuffers do not (yet) have that device. Fix the code by unregistering the framebuffer as before without a hot unplug.

Tested with 5.17 on qemu ppc64le emulation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix unregistering of framebuffers without device\n\nOF framebuffers do not have an underlying device in the Linux\ndevice hierarchy. Do a regular unregister call instead of hot\nunplugging such a non-existing device. Fixes a NULL dereference.\nAn example error message on ppc64le is shown below.\n\n  BUG: Kernel NULL pointer dereference on read at 0x00000060\n  Faulting instruction address: 0xc00000000080dfa4\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n  [...]\n  CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1\n  NIP:  c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430\n  REGS: c000000004132fe0 TRAP: 0300   Not tainted  (5.17.0-ae085d7f9365)\n  MSR:  8000000002009033 \u003cSF,VEC,EE,ME,IR,DR,RI,LE\u003e  CR: 28228282  XER: 20000000\n  CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0\n  GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029\n  GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000\n  GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283\n  GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000\n  GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80\n  GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0\n  GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0\n  GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0\n  NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0\n  [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)\n  [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150\n  [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0\n  [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]\n  [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]\n  [...]\n  [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0\n  [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250\n\nThe bug [1] was introduced by commit 27599aacbaef (\"fbdev: Hot-unplug\nfirmware fb devices on forced removal\"). Most firmware framebuffers\nhave an underlying platform device, which can be hot-unplugged\nbefore loading the native graphics driver. OF framebuffers do not\n(yet) have that device. Fix the code by unregistering the framebuffer\nas before without a hot unplug.\n\nTested with 5.17 on qemu ppc64le emulation.",
  "id": "GHSA-758p-v7g2-6f96",
  "modified": "2025-03-18T21:31:59Z",
  "published": "2025-03-18T21:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49070"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f525289ff0ddeb380813bd81e0f9bdaaa1c9078"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2388f826cdc9af2651991adc0feb79de9bdf2232"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de33df481545974ba47c46f05194e769e4307843"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/feed87ff122b1640c221d4dd559442ab2cd50bb1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75C8-GQ9F-5JV5

Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2026-05-12 12:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible NULL deref in fib6_nh_init()

syzbot reminds us that in6_dev_get() can return NULL.

fib6_nh_init() ip6_validate_gw( &idev ) ip6_route_check_nh( idev ) *idev = in6_dev_get(dev); // can be NULL

Oops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606 Code: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b RSP: 0018:ffffc900032775a0 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8 RBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000 R10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8 R13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000 FS: 00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809 ip6_route_add+0x28/0x160 net/ipv6/route.c:3853 ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483 inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f940f07cea9

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-12T13:15:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent possible NULL deref in fib6_nh_init()\n\nsyzbot reminds us that in6_dev_get() can return NULL.\n\nfib6_nh_init()\n    ip6_validate_gw(  \u0026idev  )\n        ip6_route_check_nh(  idev  )\n            *idev = in6_dev_get(dev); // can be NULL\n\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]\nCPU: 0 PID: 11237 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00249-gbe27b8965297 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:fib6_nh_init+0x640/0x2160 net/ipv6/route.c:3606\nCode: 00 00 fc ff df 4c 8b 64 24 58 48 8b 44 24 28 4c 8b 74 24 30 48 89 c1 48 89 44 24 28 48 8d 98 e0 05 00 00 48 89 d8 48 c1 e8 03 \u003c42\u003e 0f b6 04 38 84 c0 0f 85 b3 17 00 00 8b 1b 31 ff 89 de e8 b8 8b\nRSP: 0018:ffffc900032775a0 EFLAGS: 00010202\nRAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffffc90003277a54 RDI: ffff88802b3a08d8\nRBP: ffffc900032778b0 R08: 00000000000002fc R09: 0000000000000000\nR10: 00000000000002fc R11: 0000000000000000 R12: ffff88802b3a08b8\nR13: 1ffff9200064eec8 R14: ffffc90003277a00 R15: dffffc0000000000\nFS:  00007f940feb06c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000245e8000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  ip6_route_info_create+0x99e/0x12b0 net/ipv6/route.c:3809\n  ip6_route_add+0x28/0x160 net/ipv6/route.c:3853\n  ipv6_route_ioctl+0x588/0x870 net/ipv6/route.c:4483\n  inet6_ioctl+0x21a/0x280 net/ipv6/af_inet6.c:579\n  sock_do_ioctl+0x158/0x460 net/socket.c:1222\n  sock_ioctl+0x629/0x8e0 net/socket.c:1341\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f940f07cea9",
  "id": "GHSA-75c8-gq9f-5jv5",
  "modified": "2026-05-12T12:32:02Z",
  "published": "2024-07-12T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40961"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2eab4543a2204092c3a7af81d7d6c506e59a03a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3200ffeec4d59aad5bc9ca75d2c1fae47c0aeade"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cdfe813015d5a24586bd0a84fa0fa6eb0a1f668"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/88b9a55e2e35ea846d41f4efdc29d23345bd1aa4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae8d3d39efe366c2198f530e01e4bf07830bf403"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6947723c9eabcab58cfb33cdb0a565a6aee6727"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de5ad4d45cd0128a2a37555f48ab69aa19d78adc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75F6-78JR-4656

Vulnerability from github – Published: 2021-05-21 14:25 – Updated: 2024-11-01 16:54
VLAI
Summary
Null pointer dereference in `EditDistance`
Details

Impact

An attacker can trigger a null pointer dereference in the implementation of tf.raw_ops.EditDistance:

import tensorflow as tf

hypothesis_indices = tf.constant([247, 247, 247], shape=[1, 3], dtype=tf.int64)
hypothesis_values = tf.constant([-9.9999], shape=[1], dtype=tf.float32)
hypothesis_shape = tf.constant([0, 0, 0], shape=[3], dtype=tf.int64)
truth_indices = tf.constant([], shape=[0, 3], dtype=tf.int64)
truth_values = tf.constant([], shape=[0], dtype=tf.float32)
truth_shape = tf.constant([0, 0, 0], shape=[3], dtype=tf.int64)

tf.raw_ops.EditDistance(
    hypothesis_indices=hypothesis_indices, hypothesis_values=hypothesis_values,
    hypothesis_shape=hypothesis_shape, truth_indices=truth_indices,
    truth_values=truth_values, truth_shape=truth_shape, normalize=True)

This is because the implementation has incomplete validation of the input parameters.

In the above scenario, an attacker causes an allocation of an empty tensor for the output:

OP_REQUIRES_OK(ctx, ctx->allocate_output("output", output_shape, &output));
auto output_t = output->flat<float>();
output_t.setZero();

Because output_shape has 0 elements, the result of output->flat<T>() has an empty buffer, so calling setZero would result in a null dereference.

Patches

We have patched the issue in GitHub commit f4c364a5d6880557f6f5b6eb5cee2c407f0186b3.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T19:43:25Z",
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAn attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.EditDistance`: \n    \n```python\nimport tensorflow as tf\n\nhypothesis_indices = tf.constant([247, 247, 247], shape=[1, 3], dtype=tf.int64)\nhypothesis_values = tf.constant([-9.9999], shape=[1], dtype=tf.float32)\nhypothesis_shape = tf.constant([0, 0, 0], shape=[3], dtype=tf.int64)\ntruth_indices = tf.constant([], shape=[0, 3], dtype=tf.int64)\ntruth_values = tf.constant([], shape=[0], dtype=tf.float32)\ntruth_shape = tf.constant([0, 0, 0], shape=[3], dtype=tf.int64)\n\ntf.raw_ops.EditDistance(\n    hypothesis_indices=hypothesis_indices, hypothesis_values=hypothesis_values,\n    hypothesis_shape=hypothesis_shape, truth_indices=truth_indices,\n    truth_values=truth_values, truth_shape=truth_shape, normalize=True)\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/79865b542f9ffdc9caeb255631f7c56f1d4b6517/tensorflow/core/kernels/edit_distance_op.cc#L103-L159) has incomplete validation of the input parameters.\n\nIn the above scenario, an attacker causes an allocation of an empty tensor for the output:\n\n```cc\nOP_REQUIRES_OK(ctx, ctx-\u003eallocate_output(\"output\", output_shape, \u0026output));\nauto output_t = output-\u003eflat\u003cfloat\u003e();\noutput_t.setZero();\n```\n\nBecause `output_shape` has 0 elements, the result of `output-\u003eflat\u003cT\u003e()` has an empty buffer, so calling `setZero` would result in a null dereference.\n\n### Patches\nWe have patched the issue in GitHub commit [f4c364a5d6880557f6f5b6eb5cee2c407f0186b3](https://github.com/tensorflow/tensorflow/commit/f4c364a5d6880557f6f5b6eb5cee2c407f0186b3).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
  "id": "GHSA-75f6-78jr-4656",
  "modified": "2024-11-01T16:54:25Z",
  "published": "2021-05-21T14:25:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-75f6-78jr-4656"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/f4c364a5d6880557f6f5b6eb5cee2c407f0186b3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-492.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-690.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-201.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Null pointer dereference in `EditDistance`"
}

GHSA-75FR-FRC7-XQ46

Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45
VLAI
Details

All versions of the NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler where a NULL pointer dereference may lead to denial of service or potential escalation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-09T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of the NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler where a NULL pointer dereference may lead to denial of service or potential escalation of privileges.",
  "id": "GHSA-75fr-frc7-xq46",
  "modified": "2022-05-17T02:45:14Z",
  "published": "2022-05-17T02:45:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0348"
    },
    {
      "type": "WEB",
      "url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4462"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75G3-C2W4-6CXV

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

libming 0.4.8 has a NULL pointer dereference in the getName function of the decompile.c file, a different vulnerability than CVE-2018-7872 and CVE-2018-9165.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-24T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "libming 0.4.8 has a NULL pointer dereference in the getName function of the decompile.c file, a different vulnerability than CVE-2018-7872 and CVE-2018-9165.",
  "id": "GHSA-75g3-c2w4-6cxv",
  "modified": "2022-05-14T01:42:54Z",
  "published": "2022-05-14T01:42:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libming/libming/issues/160"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75GP-4MQX-XMR6

Vulnerability from github – Published: 2022-01-07 00:00 – Updated: 2023-05-27 06:30
VLAI
Details

A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the shift_chunk_offsets.part function, which causes a Denial of Service (context-dependent).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-06T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the shift_chunk_offsets.part function, which causes a Denial of Service (context-dependent).",
  "id": "GHSA-75gp-4mqx-xmr6",
  "modified": "2023-05-27T06:30:36Z",
  "published": "2022-01-07T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1999"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.