Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-79H6-F389-CQGV

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-10-01 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpi3mr: Fix possible crash when setting up bsg fails

If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash:

BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace: mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr] mpi3mr_remove+0x6f/0x340 [mpi3mr] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19d/0x220 unbind_store+0xa4/0xb0 kernfs_fop_write_iter+0x11f/0x200 vfs_write+0x1fc/0x3e0 ksys_write+0x67/0xe0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix possible crash when setting up bsg fails\n\nIf bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value.\nConsequently, in mpi3mr_bsg_exit(), the condition \"if(!mrioc-\u003ebsg_queue)\"\nwill not be satisfied, preventing execution from entering\nbsg_remove_queue(), which could lead to the following crash:\n\nBUG: kernel NULL pointer dereference, address: 000000000000041c\nCall Trace:\n  \u003cTASK\u003e\n  mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr]\n  mpi3mr_remove+0x6f/0x340 [mpi3mr]\n  pci_device_remove+0x3f/0xb0\n  device_release_driver_internal+0x19d/0x220\n  unbind_store+0xa4/0xb0\n  kernfs_fop_write_iter+0x11f/0x200\n  vfs_write+0x1fc/0x3e0\n  ksys_write+0x67/0xe0\n  do_syscall_64+0x38/0x80\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2",
  "id": "GHSA-79h6-f389-cqgv",
  "modified": "2025-10-01T21:31:11Z",
  "published": "2025-02-27T03:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21723"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19b248069d1b1424982723a2bf3941ad864d5204"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/295006f6e8c17212d3098811166e29627d19e05c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/832b8f95a2832321b8200ae478ed988b25faaef4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79P2-24V8-GP9V

Vulnerability from github – Published: 2024-11-05 12:31 – Updated: 2026-05-17 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: support non-r10 register spill/fill to/from stack in precision tracking

Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it and potentially adjusting offset.

To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking.

This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches.

There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states).

File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)


test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%) xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%) xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%)

Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees.

Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. In this case, we don't want to entries, so we need to reuse last added entry, if it is present.

Relying on insn_idx comparison has the same ambiguity problem as the one that was fixed recently in [0], so we avoid that.

[0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T10:15:24Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support non-r10 register spill/fill to/from stack in precision tracking\n\nUse instruction (jump) history to record instructions that performed\nregister spill/fill to/from stack, regardless if this was done through\nread-only r10 register, or any other register after copying r10 into it\n*and* potentially adjusting offset.\n\nTo make this work reliably, we push extra per-instruction flags into\ninstruction history, encoding stack slot index (spi) and stack frame\nnumber in extra 10 bit flags we take away from prev_idx in instruction\nhistory. We don\u0027t touch idx field for maximum performance, as it\u0027s\nchecked most frequently during backtracking.\n\nThis change removes basically the last remaining practical limitation of\nprecision backtracking logic in BPF verifier. It fixes known\ndeficiencies, but also opens up new opportunities to reduce number of\nverified states, explored in the subsequent patches.\n\nThere are only three differences in selftests\u0027 BPF object files\naccording to veristat, all in the positive direction (less states).\n\nFile                                    Program        Insns (A)  Insns (B)  Insns  (DIFF)  States (A)  States (B)  States (DIFF)\n--------------------------------------  -------------  ---------  ---------  -------------  ----------  ----------  -------------\ntest_cls_redirect_dynptr.bpf.linked3.o  cls_redirect        2987       2864  -123 (-4.12%)         240         231    -9 (-3.75%)\nxdp_synproxy_kern.bpf.linked3.o         syncookie_tc       82848      82661  -187 (-0.23%)        5107        5073   -34 (-0.67%)\nxdp_synproxy_kern.bpf.linked3.o         syncookie_xdp      85116      84964  -152 (-0.18%)        5162        5130   -32 (-0.62%)\n\nNote, I avoided renaming jmp_history to more generic insn_hist to\nminimize number of lines changed and potential merge conflicts between\nbpf and bpf-next trees.\n\nNotice also cur_hist_entry pointer reset to NULL at the beginning of\ninstruction verification loop. This pointer avoids the problem of\nrelying on last jump history entry\u0027s insn_idx to determine whether we\nalready have entry for current instruction or not. It can happen that we\nadded jump history entry because current instruction is_jmp_point(), but\nalso we need to add instruction flags for stack access. In this case, we\ndon\u0027t want to entries, so we need to reuse last added entry, if it is\npresent.\n\nRelying on insn_idx comparison has the same ambiguity problem as the one\nthat was fixed recently in [0], so we avoid that.\n\n  [0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/",
  "id": "GHSA-79p2-24v8-gp9v",
  "modified": "2026-05-17T18:30:25Z",
  "published": "2024-11-05T12:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52920"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/199f0452873741fa4b8d4d88958e929030b2f92b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41f6f64e6999a837048b1bd13a2f8742964eca6b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e4da60feca4d35e1a9b03dc0affa3354f9ff45e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ecc2aeeaa08a355d84d3ca9c3d2512399a194f29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79W7-7M7G-WMX3

Vulnerability from github – Published: 2024-08-17 12:30 – Updated: 2024-09-03 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init()

Instead of getting the epc_features from pci_epc_get_features() API, use the cached pci_epf_test::epc_features value to avoid the NULL check. Since the NULL check is already performed in pci_epf_test_bind(), having one more check in pci_epf_test_core_init() is redundant and it is not possible to hit the NULL pointer dereference.

Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier" flag"), 'epc_features' got dereferenced without the NULL check, leading to the following false positive Smatch warning:

drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747)

Thus, remove the redundant NULL check and also use the epc_features:: {msix_capable/msi_capable} flags directly to avoid local variables.

[kwilczynski: commit log]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Make use of cached \u0027epc_features\u0027 in pci_epf_test_core_init()\n\nInstead of getting the epc_features from pci_epc_get_features() API, use\nthe cached pci_epf_test::epc_features value to avoid the NULL check. Since\nthe NULL check is already performed in pci_epf_test_bind(), having one more\ncheck in pci_epf_test_core_init() is redundant and it is not possible to\nhit the NULL pointer dereference.\n\nAlso with commit a01e7214bef9 (\"PCI: endpoint: Remove \"core_init_notifier\"\nflag\"), \u0027epc_features\u0027 got dereferenced without the NULL check, leading to\nthe following false positive Smatch warning:\n\n  drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed \u0027epc_features\u0027 could be null (see line 747)\n\nThus, remove the redundant NULL check and also use the epc_features::\n{msix_capable/msi_capable} flags directly to avoid local variables.\n\n[kwilczynski: commit log]",
  "id": "GHSA-79w7-7m7g-wmx3",
  "modified": "2024-09-03T18:31:31Z",
  "published": "2024-08-17T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43824"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a5095a8bd1bd349cce1c879e5e44407a34dda8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af4ad016abb1632ff7ee598a6037952b495e5b80"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79X7-RVWV-CM9M

Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Ignore multiple conn complete events

When one of the three connection complete events is received multiple times for the same handle, the device is registered multiple times which leads to memory corruptions. Therefore, consequent events for a single connection are ignored.

The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET is introduced to identify new connections. To make sure the events do not contain this or another invalid handle HCI_CONN_HANDLE_MAX and checks are introduced.

Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Ignore multiple conn complete events\n\nWhen one of the three connection complete events is received multiple\ntimes for the same handle, the device is registered multiple times which\nleads to memory corruptions. Therefore, consequent events for a single\nconnection are ignored.\n\nThe conn-\u003estate can hold different values, therefore HCI_CONN_HANDLE_UNSET\nis introduced to identify new connections. To make sure the events do not\ncontain this or another invalid handle HCI_CONN_HANDLE_MAX and checks\nare introduced.\n\nBuglink: https://bugzilla.kernel.org/show_bug.cgi?id=215497",
  "id": "GHSA-79x7-rvwv-cm9m",
  "modified": "2025-09-23T18:30:20Z",
  "published": "2025-09-23T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49138"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa1ca580e3ffe62a2c5ea1c095b609b2943c5269"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5ebaa7c5f6f688959e8d40840b2249ede63b8ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C4G-8373-RCP3

Vulnerability from github – Published: 2021-12-31 00:00 – Updated: 2025-11-04 00:30
VLAI
Details

Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-30T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-7c4g-8373-rcp3",
  "modified": "2025-11-04T00:30:30Z",
  "published": "2021-12-31T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4186"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4186.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/17737"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2EY2VFBU3YGGWI5BW4XKT3F37MYGEQUD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EY2VFBU3YGGWI5BW4XKT3F37MYGEQUD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-04"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2021-16.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C55-6MQJ-Q569

Vulnerability from github – Published: 2022-05-14 03:14 – Updated: 2025-04-20 03:48
VLAI
Details

The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-22T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.",
  "id": "GHSA-7c55-6mqj-q569",
  "modified": "2025-04-20T03:48:53Z",
  "published": "2022-05-14T03:14:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12193"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/ea6789980fdaa610d7eb63602c746bf6ec70cd2b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0151"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0152"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0181"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2017-12193"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1501215"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3698-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3698-2"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101678"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C77-5HJP-3754

Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-07-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: v: stop OGMv2 on disabled interface

When a batadv_hard_iface is disabled, its mesh_iface pointer is set to NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via batadv_v_ogm_queue_on_if() for interfaces that have since lost their mesh_iface association. This results in a NULL pointer dereference when batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the now NULL hard_iface->mesh_iface to retrieve the batadv_priv.

It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was called.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T08:16:21Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: v: stop OGMv2 on disabled interface\n\nWhen a batadv_hard_iface is disabled, its mesh_iface pointer is set to\nNULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via\nbatadv_v_ogm_queue_on_if() for interfaces that have since lost their\nmesh_iface association. This results in a NULL pointer dereference when\nbatadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the\nnow NULL hard_iface-\u003emesh_iface to retrieve the batadv_priv.\n\nIt is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that\nit is using the same mesh_iface for which batadv_v_ogm_send_meshif() was\ncalled.",
  "id": "GHSA-7c77-5hjp-3754",
  "modified": "2026-07-08T15:31:43Z",
  "published": "2026-06-24T09:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52913"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/040fe8eb34624002071dd21de9824dfe668ce65d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1be1e99cbd5b74a69d3f92200ca87cf1bce852db"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31dcb9711abd1dcd2080d9fac05c79dd9997d6bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ff461af943efb5e74d09942d5ffee7644d1e1fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70c9f6ab0d8f785087fb74fb85464a9a5288bfdb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aad70db50ea3d7dfe30e402b889ff075a293b287"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7391a2b854a62235539c68e9cbf6fc7910a8e9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8ce8b8331a1bc44ad4905886a482214d428b253"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C8R-GW7P-H2XW

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed()

In probe(), request_irq() is called before allocating/registering a power_supply handle. If an interrupt is fired between the call to request_irq() and power_supply_register(), the power_supply handle will be used uninitialized in power_supply_changed() in wm97xx_bat_update() (triggered from the interrupt handler). This will lead to a NULL pointer dereference since

Fix this racy NULL pointer dereference by making sure the IRQ is requested after the registration of the power_supply handle. Since the IRQ is the last thing requests in the probe() now, remove the error path for freeing it. Instead add one for unregistering the power_supply handle when IRQ request fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45869"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed()\n\nIn `probe()`, `request_irq()` is called before allocating/registering a\n`power_supply` handle. If an interrupt is fired between the call to\n`request_irq()` and `power_supply_register()`, the `power_supply` handle\nwill be used uninitialized in `power_supply_changed()` in\n`wm97xx_bat_update()` (triggered from the interrupt handler). This will\nlead to a `NULL` pointer dereference since\n\nFix this racy `NULL` pointer dereference by making sure the IRQ is\nrequested _after_ the registration of the `power_supply` handle. Since\nthe IRQ is the last thing requests in the `probe()` now, remove the\nerror path for freeing it. Instead add one for unregistering the\n`power_supply` handle when IRQ request fails.",
  "id": "GHSA-7c8r-gw7p-h2xw",
  "modified": "2026-06-25T21:31:19Z",
  "published": "2026-05-27T15:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45869"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39fe0eac6d755ef215026518985fcf8de9360e9e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d7b5391bb95505b3581c1fb77150c467ab92864"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/438f9a303ea8b55162b2d5376490c2ab3ec165a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/86183153c299e8bb1839e717286d6c6f39508a59"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93bdf715d33cf5ee01c58e8546c2469c71ce082a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b7d77cb046b4487e8e511e04e62b6f416ce845c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0def811ad8d642dca9b6d31a198cc39f5f90837"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dfaf235d5a6b60cbf115a14a656946303ad007b7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C98-4WPW-92JQ

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-20T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-7c98-4wpw-92jq",
  "modified": "2022-05-24T19:02:53Z",
  "published": "2022-05-24T19:02:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3480"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944640"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVQCDRQRFHXVR3Z3FQYM3UMC7QZUDDRJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXMOMPTZTGOVFOZUUNXHOVCAYIPST74W"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7CCR-WGH4-75WX

Vulnerability from github – Published: 2022-05-14 03:57 – Updated: 2022-05-14 03:57
VLAI
Details

The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-06T20:59:00Z",
    "severity": "HIGH"
  },
  "details": "The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel before 4.4 improperly interacts with mm/migrate.c, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move.",
  "id": "GHSA-7ccr-wgh4-75wx",
  "modified": "2022-05-14T03:57:46Z",
  "published": "2022-05-14T03:57:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/42cb14b110a5698ccf26ce59c4441722605a3743"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:2574"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:2584"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-3070"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1308846"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2016-3070"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=42cb14b110a5698ccf26ce59c4441722605a3743"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2574.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2584.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3607"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/90518"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3034-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3034-2"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3035-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3035-2"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3035-3"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3036-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3037-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.