Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-78X3-GQHV-HVHP

Vulnerability from github – Published: 2022-05-14 03:25 – Updated: 2022-05-14 03:25
VLAI
Details

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile SD 410/12, SD 615/16/SD 415, and SD 810, while processing QSEE Syscall 'qsee_macc_gen_ecc_privkey', untrusted pointer dereference occurs, which could result in arbitrary write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-9134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-18T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile SD 410/12, SD 615/16/SD 415, and SD 810, while processing QSEE Syscall \u0027qsee_macc_gen_ecc_privkey\u0027, untrusted pointer dereference occurs, which could result in arbitrary write.",
  "id": "GHSA-78x3-gqhv-hvhp",
  "modified": "2022-05-14T03:25:07Z",
  "published": "2022-05-14T03:25:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9134"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-04-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103671"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78XC-39M5-V2C6

Vulnerability from github – Published: 2026-02-18 18:30 – Updated: 2026-03-18 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Avoid creating sub-groups asynchronously

The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.

The crash can be easily reproduced with the following commands:

# cd /sys/kernel/config/pci_ep/functions/pci_epf_test # for i in {1..20}; do mkdir test && rmdir test; done

BUG: kernel NULL pointer dereference, address: 0000000000000088 ... Call Trace: configfs_register_group+0x3d/0x190 pci_epf_cfs_work+0x41/0x110 process_one_work+0x18f/0x350 worker_thread+0x25a/0x3a0

Fix this issue by using configfs_add_default_group() API which does not have the deadlock problem as configfs_register_group() and does not require the delayed work handler.

[mani: slightly reworded the description and added stable list]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T16:22:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: Avoid creating sub-groups asynchronously\n\nThe asynchronous creation of sub-groups by a delayed work could lead to a\nNULL pointer dereference when the driver directory is removed before the\nwork completes.\n\nThe crash can be easily reproduced with the following commands:\n\n  # cd /sys/kernel/config/pci_ep/functions/pci_epf_test\n  # for i in {1..20}; do mkdir test \u0026\u0026 rmdir test; done\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000088\n  ...\n  Call Trace:\n   configfs_register_group+0x3d/0x190\n   pci_epf_cfs_work+0x41/0x110\n   process_one_work+0x18f/0x350\n   worker_thread+0x25a/0x3a0\n\nFix this issue by using configfs_add_default_group() API which does not\nhave the deadlock problem as configfs_register_group() and does not require\nthe delayed work handler.\n\n[mani: slightly reworded the description and added stable list]",
  "id": "GHSA-78xc-39m5-v2c6",
  "modified": "2026-03-18T18:31:12Z",
  "published": "2026-02-18T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71233"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24a253c3aa6d9a2cde46158ce9782e023bfbf32d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f609b3bffd4207cf9f2c9b41e1978457a5a1ea9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/73cee890adafa2c219bb865356e08e7f82423fe5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cb905eca73944089a0db01443c7628a9e87012d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9af3cf58bb4c8d6dea4166011c780756b1138b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa9fb38f5fe9c80094c2138354d45cdc8d094d69"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7924-4FVJ-RF9C

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: xsk: disable txq irq before flushing hw

ice_qp_dis() intends to stop a given queue pair that is a target of xsk pool attach/detach. One of the steps is to disable interrupts on these queues. It currently is broken in a way that txq irq is turned off after HW flush which in turn takes no effect.

ice_qp_dis(): -> ice_qvec_dis_irq() --> disable rxq irq --> flush hw -> ice_vsi_stop_tx_ring() -->disable txq irq

Below splat can be triggered by following steps: - start xdpsock WITHOUT loading xdp prog - run xdp_rxq_info with XDP_TX action on this interface - start traffic - terminate xdpsock

[ 256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018 [ 256.319560] #PF: supervisor read access in kernel mode [ 256.324775] #PF: error_code(0x0000) - not-present page [ 256.329994] PGD 0 P4D 0 [ 256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G OE 6.2.0-rc5+ #51 [ 256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice] [ 256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 <49> 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44 [ 256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206 [ 256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f [ 256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80 [ 256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000 [ 256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000 [ 256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600 [ 256.421990] FS: 0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000 [ 256.430207] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0 [ 256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 256.457770] PKRU: 55555554 [ 256.460529] Call Trace: [ 256.463015] [ 256.465157] ? ice_xmit_zc+0x6e/0x150 [ice] [ 256.469437] ice_napi_poll+0x46d/0x680 [ice] [ 256.473815] ? _raw_spin_unlock_irqrestore+0x1b/0x40 [ 256.478863] __napi_poll+0x29/0x160 [ 256.482409] net_rx_action+0x136/0x260 [ 256.486222] __do_softirq+0xe8/0x2e5 [ 256.489853] ? smpboot_thread_fn+0x2c/0x270 [ 256.494108] run_ksoftirqd+0x2a/0x50 [ 256.497747] smpboot_thread_fn+0x1c1/0x270 [ 256.501907] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 256.506594] kthread+0xea/0x120 [ 256.509785] ? __pfx_kthread+0x10/0x10 [ 256.513597] ret_from_fork+0x29/0x50 [ 256.517238]

In fact, irqs were not disabled and napi managed to be scheduled and run while xsk_pool pointer was still valid, but SW ring of xdp_buff pointers was already freed.

To fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also while at it, remove redundant ice_clean_rx_ring() call - this is handled in ice_qp_clean_rings().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: xsk: disable txq irq before flushing hw\n\nice_qp_dis() intends to stop a given queue pair that is a target of xsk\npool attach/detach. One of the steps is to disable interrupts on these\nqueues. It currently is broken in a way that txq irq is turned off\n*after* HW flush which in turn takes no effect.\n\nice_qp_dis():\n-\u003e ice_qvec_dis_irq()\n--\u003e disable rxq irq\n--\u003e flush hw\n-\u003e ice_vsi_stop_tx_ring()\n--\u003edisable txq irq\n\nBelow splat can be triggered by following steps:\n- start xdpsock WITHOUT loading xdp prog\n- run xdp_rxq_info with XDP_TX action on this interface\n- start traffic\n- terminate xdpsock\n\n[  256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018\n[  256.319560] #PF: supervisor read access in kernel mode\n[  256.324775] #PF: error_code(0x0000) - not-present page\n[  256.329994] PGD 0 P4D 0\n[  256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G           OE      6.2.0-rc5+ #51\n[  256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[  256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice]\n[  256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 \u003c49\u003e 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44\n[  256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206\n[  256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f\n[  256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80\n[  256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000\n[  256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000\n[  256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600\n[  256.421990] FS:  0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000\n[  256.430207] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0\n[  256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  256.457770] PKRU: 55555554\n[  256.460529] Call Trace:\n[  256.463015]  \u003cTASK\u003e\n[  256.465157]  ? ice_xmit_zc+0x6e/0x150 [ice]\n[  256.469437]  ice_napi_poll+0x46d/0x680 [ice]\n[  256.473815]  ? _raw_spin_unlock_irqrestore+0x1b/0x40\n[  256.478863]  __napi_poll+0x29/0x160\n[  256.482409]  net_rx_action+0x136/0x260\n[  256.486222]  __do_softirq+0xe8/0x2e5\n[  256.489853]  ? smpboot_thread_fn+0x2c/0x270\n[  256.494108]  run_ksoftirqd+0x2a/0x50\n[  256.497747]  smpboot_thread_fn+0x1c1/0x270\n[  256.501907]  ? __pfx_smpboot_thread_fn+0x10/0x10\n[  256.506594]  kthread+0xea/0x120\n[  256.509785]  ? __pfx_kthread+0x10/0x10\n[  256.513597]  ret_from_fork+0x29/0x50\n[  256.517238]  \u003c/TASK\u003e\n\nIn fact, irqs were not disabled and napi managed to be scheduled and run\nwhile xsk_pool pointer was still valid, but SW ring of xdp_buff pointers\nwas already freed.\n\nTo fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also\nwhile at it, remove redundant ice_clean_rx_ring() call - this is handled\nin ice_qp_clean_rings().",
  "id": "GHSA-7924-4fvj-rf9c",
  "modified": "2025-11-10T18:30:29Z",
  "published": "2025-05-02T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53102"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/243cde8de10894d7812c8a6b62653bf04d8f9700"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ecc6e44959382f95c9d427cd8da85121a9cecda"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b830c9642386867863ac64295185f896ff2928ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b89a453c6918e0f346fb0562e8c7812b94d28c73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cccba1ff0798a27f7b8d0c06762ef977400a2afb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-792H-J2JM-MF8X

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-06-30 00:00
VLAI
Details

A null pointer dereference vulnerability in devices/vector/gdevtxtw.c and psi/zbfont.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. This is fixed in v9.51.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-13T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability in devices/vector/gdevtxtw.c and psi/zbfont.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted postscript file. This is fixed in v9.51.",
  "id": "GHSA-792h-j2jm-mf8x",
  "modified": "2022-06-30T00:00:30Z",
  "published": "2022-05-24T17:25:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16307"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=701822"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-20"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4469-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4748"
    },
    {
      "type": "WEB",
      "url": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=407c98a38c3a6ac1681144ed45cc2f4fc374c91f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-793P-H652-2QV7

Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20
VLAI
Details

The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 and 7.0.6-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-30T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 and 7.0.6-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.",
  "id": "GHSA-793p-h652-2qv7",
  "modified": "2022-05-17T02:20:37Z",
  "published": "2022-05-17T02:20:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7945-5MCV-F2PP

Vulnerability from github – Published: 2024-03-08 17:33 – Updated: 2024-11-12 21:32
VLAI
Summary
LibOSDP vulnerable to a null pointer deref in osdp_reply_name
Details

Issue:

At ospd_common.c, on the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but names array do not declare all of the range. On a case of an undefined reply id within the range, name will be null (name = names[reply_id - REPLY_ACK];). Null name will casue a crash on next line: if (name[0] == '\0') as null[0] is invalid.

Attack:

As this logic is not limited to a secure connection, attacker may trigger this vulnerability without any prior knowledge.

Impact

Denial of Service

Patch

The issue has been patched in 24409e98a260176765956ec766a04cb35984fab1

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "libosdp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-08T17:33:46Z",
    "nvd_published_at": "2024-11-12T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "### Issue:\nAt ospd_common.c, on the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but names array do not declare all of the range. On a case of an undefined reply id within the range, name will be null (`name = names[reply_id - REPLY_ACK];`). Null name will casue a crash on next line: `if (name[0] == \u0027\\0\u0027)` as null[0] is invalid.\n\n### Attack:\nAs this logic is not limited to a secure connection, attacker may trigger this vulnerability without any prior knowledge.\n\n### Impact\nDenial of Service\n\n### Patch\nThe issue has been patched in 24409e98a260176765956ec766a04cb35984fab1\n",
  "id": "GHSA-7945-5mcv-f2pp",
  "modified": "2024-11-12T21:32:15Z",
  "published": "2024-03-08T17:33:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-7945-5mcv-f2pp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goToMain/libosdp/commit/24409e98a260176765956ec766a04cb35984fab1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goToMain/libosdp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibOSDP vulnerable to a null pointer deref in osdp_reply_name"
}

GHSA-794G-3P8M-5JPC

Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-26 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: allow ext4_get_group_info() to fail

Previously, ext4_get_group_info() would treat an invalid group number as BUG(), since in theory it should never happen. However, if a malicious attaker (or fuzzer) modifies the superblock via the block device while it is the file system is mounted, it is possible for s_first_data_block to get set to a very large number. In that case, when calculating the block group of some block number (such as the starting block of a preallocation region), could result in an underflow and very large block group number. Then the BUG_ON check in ext4_get_group_info() would fire, resutling in a denial of service attack that can be triggered by root or someone with write access to the block device.

For a quality of implementation perspective, it's best that even if the system administrator does something that they shouldn't, that it will not trigger a BUG. So instead of BUG'ing, ext4_get_group_info() will call ext4_error and return NULL. We also add fallback code in all of the callers of ext4_get_group_info() that it might NULL.

Also, since ext4_get_group_info() was already borderline to be an inline function, un-inline it. The results in a next reduction of the compiled text size of ext4 by roughly 2k.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: allow ext4_get_group_info() to fail\n\nPreviously, ext4_get_group_info() would treat an invalid group number\nas BUG(), since in theory it should never happen.  However, if a\nmalicious attaker (or fuzzer) modifies the superblock via the block\ndevice while it is the file system is mounted, it is possible for\ns_first_data_block to get set to a very large number.  In that case,\nwhen calculating the block group of some block number (such as the\nstarting block of a preallocation region), could result in an\nunderflow and very large block group number.  Then the BUG_ON check in\next4_get_group_info() would fire, resutling in a denial of service\nattack that can be triggered by root or someone with write access to\nthe block device.\n\nFor a quality of implementation perspective, it\u0027s best that even if\nthe system administrator does something that they shouldn\u0027t, that it\nwill not trigger a BUG.  So instead of BUG\u0027ing, ext4_get_group_info()\nwill call ext4_error and return NULL.  We also add fallback code in\nall of the callers of ext4_get_group_info() that it might NULL.\n\nAlso, since ext4_get_group_info() was already borderline to be an\ninline function, un-inline it.  The results in a next reduction of the\ncompiled text size of ext4 by roughly 2k.",
  "id": "GHSA-794g-3p8m-5jpc",
  "modified": "2026-01-26T21:30:30Z",
  "published": "2025-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53503"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/100c0ad6c04597fefeaaba2bb1827cc015d95067"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31668cebf45adfb6283e465e641c4f5a21b07afa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5354b2af34064a4579be8bc0e2f15a7b70f14b5f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/620a3c28221bb219b81bc0bffd065cc187494302"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4319e457d6e3fb33e443efeaf4634fc36e8a9ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7958-2FHP-VVXF

Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-20 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()

devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.

Prevent null pointer dereference in mt7996_mmio_wed_init()

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7996_mmio_wed_init()",
  "id": "GHSA-7958-2fhp-vvxf",
  "modified": "2025-11-20T21:30:30Z",
  "published": "2025-07-03T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38156"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1072fc0ca1f8d0d5397d24853386876f937b8e63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f30e2b059757d8711a823e4c9c023db62a1d171"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af861c6dea2ef06845a5c7672999a06c06099735"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79C6-W7W7-4C6Q

Vulnerability from github – Published: 2022-05-02 03:38 – Updated: 2024-02-09 03:32
VLAI
Details

The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary, which triggers an access of an "uninitialized cred pointer."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-08-14T15:16:00Z",
    "severity": "HIGH"
  },
  "details": "The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel before 2.6.31-rc6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary, which triggers an access of an \"uninitialized cred pointer.\"",
  "id": "GHSA-79c6-w7w7-4c6q",
  "modified": "2024-02-09T03:32:55Z",
  "published": "2022-05-02T03:38:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2768"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52909"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3440625d78711bee41a84cf29c3d8c579b522666"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3440625d78711bee41a84cf29c3d8c579b522666"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2009/6/22/91"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36278"
    },
    {
      "type": "WEB",
      "url": "http://thread.gmane.org/gmane.linux.hardware.blackfin.kernel.devel/1905"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:051"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2009/08/13/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/36037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79GJ-8P4X-8FQF

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26
VLAI
Details

hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings.",
  "id": "GHSA-79gj-8p4x-8fqf",
  "modified": "2022-05-13T01:26:37Z",
  "published": "2022-05-13T01:26:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20125"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3923-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2018/12/19/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106298"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.