CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-79H6-F389-CQGV
Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-10-01 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix possible crash when setting up bsg fails
If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash:
BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace: mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr] mpi3mr_remove+0x6f/0x340 [mpi3mr] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19d/0x220 unbind_store+0xa4/0xb0 kernfs_fop_write_iter+0x11f/0x200 vfs_write+0x1fc/0x3e0 ksys_write+0x67/0xe0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x78/0xe2
{
"affected": [],
"aliases": [
"CVE-2025-21723"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T02:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix possible crash when setting up bsg fails\n\nIf bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.\nConsequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc-\u003ebsg_queue)\"\nwill not be satisfied, preventing execution from entering\nbsg_remove_queue(), which could lead to the following crash:\n\nBUG: kernel NULL pointer dereference, address: 000000000000041c\nCall Trace:\n \u003cTASK\u003e\n mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]\n mpi3mr_remove+0x6f/0x340 [mpi3mr]\n pci_device_remove+0x3f/0xb0\n device_release_driver_internal+0x19d/0x220\n unbind_store+0xa4/0xb0\n kernfs_fop_write_iter+0x11f/0x200\n vfs_write+0x1fc/0x3e0\n ksys_write+0x67/0xe0\n do_syscall_64+0x38/0x80\n entry_SYSCALL_64_after_hwframe+0x78/0xe2",
"id": "GHSA-79h6-f389-cqgv",
"modified": "2025-10-01T21:31:11Z",
"published": "2025-02-27T03:34:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21723"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19b248069d1b1424982723a2bf3941ad864d5204"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/295006f6e8c17212d3098811166e29627d19e05c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/832b8f95a2832321b8200ae478ed988b25faaef4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-79P2-24V8-GP9V
Vulnerability from github – Published: 2024-11-05 12:31 – Updated: 2026-05-17 18:30In the Linux kernel, the following vulnerability has been resolved:
bpf: support non-r10 register spill/fill to/from stack in precision tracking
Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it and potentially adjusting offset.
To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking.
This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches.
There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states).
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%) xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%) xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%)
Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees.
Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. In this case, we don't want to entries, so we need to reuse last added entry, if it is present.
Relying on insn_idx comparison has the same ambiguity problem as the one that was fixed recently in [0], so we avoid that.
[0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/
{
"affected": [],
"aliases": [
"CVE-2023-52920"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T10:15:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support non-r10 register spill/fill to/from stack in precision tracking\n\nUse instruction (jump) history to record instructions that performed\nregister spill/fill to/from stack, regardless if this was done through\nread-only r10 register, or any other register after copying r10 into it\n*and* potentially adjusting offset.\n\nTo make this work reliably, we push extra per-instruction flags into\ninstruction history, encoding stack slot index (spi) and stack frame\nnumber in extra 10 bit flags we take away from prev_idx in instruction\nhistory. We don\u0027t touch idx field for maximum performance, as it\u0027s\nchecked most frequently during backtracking.\n\nThis change removes basically the last remaining practical limitation of\nprecision backtracking logic in BPF verifier. It fixes known\ndeficiencies, but also opens up new opportunities to reduce number of\nverified states, explored in the subsequent patches.\n\nThere are only three differences in selftests\u0027 BPF object files\naccording to veristat, all in the positive direction (less states).\n\nFile Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)\n-------------------------------------- ------------- --------- --------- ------------- ---------- ---------- -------------\ntest_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%)\nxdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%)\nxdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%)\n\nNote, I avoided renaming jmp_history to more generic insn_hist to\nminimize number of lines changed and potential merge conflicts between\nbpf and bpf-next trees.\n\nNotice also cur_hist_entry pointer reset to NULL at the beginning of\ninstruction verification loop. This pointer avoids the problem of\nrelying on last jump history entry\u0027s insn_idx to determine whether we\nalready have entry for current instruction or not. It can happen that we\nadded jump history entry because current instruction is_jmp_point(), but\nalso we need to add instruction flags for stack access. In this case, we\ndon\u0027t want to entries, so we need to reuse last added entry, if it is\npresent.\n\nRelying on insn_idx comparison has the same ambiguity problem as the one\nthat was fixed recently in [0], so we avoid that.\n\n [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/",
"id": "GHSA-79p2-24v8-gp9v",
"modified": "2026-05-17T18:30:25Z",
"published": "2024-11-05T12:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52920"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/199f0452873741fa4b8d4d88958e929030b2f92b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41f6f64e6999a837048b1bd13a2f8742964eca6b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4da60feca4d35e1a9b03dc0affa3354f9ff45e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecc2aeeaa08a355d84d3ca9c3d2512399a194f29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-79W7-7M7G-WMX3
Vulnerability from github – Published: 2024-08-17 12:30 – Updated: 2024-09-03 18:31In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()
Instead of getting the epc_features from pci_epc_get_features() API, use the cached pci_epf_test::epc_features value to avoid the NULL check. Since the NULL check is already performed in pci_epf_test_bind(), having one more check in pci_epf_test_core_init() is redundant and it is not possible to hit the NULL pointer dereference.
Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier" flag"), 'epc_features' got dereferenced without the NULL check, leading to the following false positive Smatch warning:
drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)
Thus, remove the redundant NULL check and also use the epc_features:: {msix_capable/msi_capable} flags directly to avoid local variables.
[kwilczynski: commit log]
{
"affected": [],
"aliases": [
"CVE-2024-43824"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-17T10:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached \u0027epc_features\u0027 in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), \u0027epc_features\u0027 got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed \u0027epc_features\u0027 could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]",
"id": "GHSA-79w7-7m7g-wmx3",
"modified": "2024-09-03T18:31:31Z",
"published": "2024-08-17T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43824"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-79X7-RVWV-CM9M
Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Ignore multiple conn complete events
When one of the three connection complete events is received multiple times for the same handle, the device is registered multiple times which leads to memory corruptions. Therefore, consequent events for a single connection are ignored.
The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET is introduced to identify new connections. To make sure the events do not contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks are introduced.
Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497
{
"affected": [],
"aliases": [
"CVE-2022-49138"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:51Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Ignore multiple conn complete events\n\nWhen one of the three connection complete events is received multiple\ntimes for the same handle, the device is registered multiple times which\nleads to memory corruptions. Therefore, consequent events for a single\nconnection are ignored.\n\nThe conn-\u003estate can hold different values, therefore HCI_CONN_HANDLE_UNSET\nis introduced to identify new connections. To make sure the events do not\ncontain this or another invalid handle HCI_CONN_HANDLE_MAX and checks\nare introduced.\n\nBuglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497",
"id": "GHSA-79x7-rvwv-cm9m",
"modified": "2025-09-23T18:30:20Z",
"published": "2025-09-23T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49138"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aa1ca580e3ffe62a2c5ea1c095b609b2943c5269"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5ebaa7c5f6f688959e8d40840b2249ede63b8ed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7C4G-8373-RCP3
Vulnerability from github – Published: 2021-12-31 00:00 – Updated: 2025-11-04 00:30Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2021-4186"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-30T22:15:00Z",
"severity": "HIGH"
},
"details": "Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-7c4g-8373-rcp3",
"modified": "2025-11-04T00:30:30Z",
"published": "2021-12-31T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4186"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4186.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/17737"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2EY2VFBU3YGGWI5BW4XKT3F37MYGEQUD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EY2VFBU3YGGWI5BW4XKT3F37MYGEQUD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-04"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2021-16.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7C55-6MQJ-Q569
Vulnerability from github – Published: 2022-05-14 03:14 – Updated: 2025-04-20 03:48The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.
{
"affected": [],
"aliases": [
"CVE-2017-12193"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-22T18:29:00Z",
"severity": "MODERATE"
},
"details": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.",
"id": "GHSA-7c55-6mqj-q569",
"modified": "2025-04-20T03:48:53Z",
"published": "2022-05-14T03:14:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12193"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/ea6789980fdaa610d7eb63602c746bf6ec70cd2b"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0151"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0152"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0181"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-12193"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1501215"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3698-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3698-2"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7C77-5HJP-3754
Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-07-08 15:31In the Linux kernel, the following vulnerability has been resolved:
batman-adv: v: stop OGMv2 on disabled interface
When a batadv_hard_iface is disabled, its mesh_iface pointer is set to NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via batadv_v_ogm_queue_on_if() for interfaces that have since lost their mesh_iface association. This results in a NULL pointer dereference when batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the now NULL hard_iface->mesh_iface to retrieve the batadv_priv.
It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was called.
{
"affected": [],
"aliases": [
"CVE-2026-52913"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T08:16:21Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: v: stop OGMv2 on disabled interface\n\nWhen a batadv_hard_iface is disabled, its mesh_iface pointer is set to\nNULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via\nbatadv_v_ogm_queue_on_if() for interfaces that have since lost their\nmesh_iface association. This results in a NULL pointer dereference when\nbatadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the\nnow NULL hard_iface-\u003emesh_iface to retrieve the batadv_priv.\n\nIt is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that\nit is using the same mesh_iface for which batadv_v_ogm_send_meshif() was\ncalled.",
"id": "GHSA-7c77-5hjp-3754",
"modified": "2026-07-08T15:31:43Z",
"published": "2026-06-24T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52913"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/040fe8eb34624002071dd21de9824dfe668ce65d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1be1e99cbd5b74a69d3f92200ca87cf1bce852db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31dcb9711abd1dcd2080d9fac05c79dd9997d6bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ff461af943efb5e74d09942d5ffee7644d1e1fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70c9f6ab0d8f785087fb74fb85464a9a5288bfdb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aad70db50ea3d7dfe30e402b889ff075a293b287"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7391a2b854a62235539c68e9cbf6fc7910a8e9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8ce8b8331a1bc44ad4905886a482214d428b253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7C8R-GW7P-H2XW
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed()
In probe(), request_irq() is called before allocating/registering a
power_supply handle. If an interrupt is fired between the call to
request_irq() and power_supply_register(), the power_supply handle
will be used uninitialized in power_supply_changed() in
wm97xx_bat_update() (triggered from the interrupt handler). This will
lead to a NULL pointer dereference since
Fix this racy NULL pointer dereference by making sure the IRQ is
requested after the registration of the power_supply handle. Since
the IRQ is the last thing requests in the probe() now, remove the
error path for freeing it. Instead add one for unregistering the
power_supply handle when IRQ request fails.
{
"affected": [],
"aliases": [
"CVE-2026-45869"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed()\n\nIn `probe()`, `request_irq()` is called before allocating/registering a\n`power_supply` handle. If an interrupt is fired between the call to\n`request_irq()` and `power_supply_register()`, the `power_supply` handle\nwill be used uninitialized in `power_supply_changed()` in\n`wm97xx_bat_update()` (triggered from the interrupt handler). This will\nlead to a `NULL` pointer dereference since\n\nFix this racy `NULL` pointer dereference by making sure the IRQ is\nrequested _after_ the registration of the `power_supply` handle. Since\nthe IRQ is the last thing requests in the `probe()` now, remove the\nerror path for freeing it. Instead add one for unregistering the\n`power_supply` handle when IRQ request fails.",
"id": "GHSA-7c8r-gw7p-h2xw",
"modified": "2026-06-25T21:31:19Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45869"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39fe0eac6d755ef215026518985fcf8de9360e9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3d7b5391bb95505b3581c1fb77150c467ab92864"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/438f9a303ea8b55162b2d5376490c2ab3ec165a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86183153c299e8bb1839e717286d6c6f39508a59"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93bdf715d33cf5ee01c58e8546c2469c71ce082a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b7d77cb046b4487e8e511e04e62b6f416ce845c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c0def811ad8d642dca9b6d31a198cc39f5f90837"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dfaf235d5a6b60cbf115a14a656946303ad007b7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7C98-4WPW-92JQ
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2021-3480"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-7c98-4wpw-92jq",
"modified": "2022-05-24T19:02:53Z",
"published": "2022-05-24T19:02:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3480"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944640"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVQCDRQRFHXVR3Z3FQYM3UMC7QZUDDRJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXMOMPTZTGOVFOZUUNXHOVCAYIPST74W"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7CCR-WGH4-75WX
Vulnerability from github – Published: 2022-05-14 03:57 – Updated: 2022-05-14 03:57The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.
{
"affected": [],
"aliases": [
"CVE-2016-3070"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-08-06T20:59:00Z",
"severity": "HIGH"
},
"details": "The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.",
"id": "GHSA-7ccr-wgh4-75wx",
"modified": "2022-05-14T03:57:46Z",
"published": "2022-05-14T03:57:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3070"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/42cb14b110a5698ccf26ce59c4441722605a3743"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:2574"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:2584"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-3070"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1308846"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-3070"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=42cb14b110a5698ccf26ce59c4441722605a3743"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2574.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2584.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3607"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/90518"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3034-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3034-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3035-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3035-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3035-3"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3036-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3037-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.