Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-7QCM-JXMH-7CVF

Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-12-18 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()

devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference.

Add NULL check after devm_kasprintf() to prevent this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:31Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Add NULL check in raspberrypi_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nraspberrypi_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
  "id": "GHSA-7qcm-jxmh-7cvf",
  "modified": "2025-12-18T21:31:33Z",
  "published": "2025-07-03T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38160"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a2712cd24ecfeb520af60f6f859b442c7ab01ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3c1adc2f8c732ea09e8c4bce5941fec019c6205d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52562161df3567cdaedada46834a7a8d8c4ab737"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54ce9bcdaee59d4ef0703f390d55708557818f9e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/73c46d9a93d071ca69858dea3f569111b03e549e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/938f625bd3364cfdc93916739add3b637ff90368"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QCM-QX74-J7HR

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

rose: Fix NULL pointer dereference in rose_send_frame()

The syzkaller reported an issue:

KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387] CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Workqueue: rcu_gp srcu_invoke_callbacks RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101 Call Trace: rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255 rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009 rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111 call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790 __run_timers kernel/time/timer.c:1768 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571 [...]

It triggers NULL pointer dereference when 'neigh->dev->dev_addr' is called in the rose_send_frame(). It's the first occurrence of the neigh is in rose_loopback_timer() as `rose_loopback_neigh', and the 'dev' in 'rose_loopback_neigh' is initialized sa nullptr.

It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf ("rose: Fix Null pointer dereference in rose_send_frame()") ever. But it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ("rose: check NULL rose_loopback_neigh->loopback") again.

We fix it by add NULL check in rose_transmit_clear_request(). When the 'dev' in 'neigh' is NULL, we don't reply the request and just clear it.

syzkaller don't provide repro, and I provide a syz repro like: r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201}) r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0) bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40) connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: Fix NULL pointer dereference in rose_send_frame()\n\nThe syzkaller reported an issue:\n\nKASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]\nCPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: rcu_gp srcu_invoke_callbacks\nRIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101\nCall Trace:\n \u003cIRQ\u003e\n rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255\n rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009\n rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111\n call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474\n expire_timers kernel/time/timer.c:1519 [inline]\n __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790\n __run_timers kernel/time/timer.c:1768 [inline]\n run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803\n __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571\n [...]\n \u003c/IRQ\u003e\n\nIt triggers NULL pointer dereference when \u0027neigh-\u003edev-\u003edev_addr\u0027 is\ncalled in the rose_send_frame(). It\u0027s the first occurrence of the\n`neigh` is in rose_loopback_timer() as `rose_loopback_neigh\u0027, and\nthe \u0027dev\u0027 in \u0027rose_loopback_neigh\u0027 is initialized sa nullptr.\n\nIt had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf\n(\"rose: Fix Null pointer dereference in rose_send_frame()\") ever.\nBut it\u0027s introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8\n(\"rose: check NULL rose_loopback_neigh-\u003eloopback\") again.\n\nWe fix it by add NULL check in rose_transmit_clear_request(). When\nthe \u0027dev\u0027 in \u0027neigh\u0027 is NULL, we don\u0027t reply the request and just\nclear it.\n\nsyzkaller don\u0027t provide repro, and I provide a syz repro like:\nr0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)\nioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, \u0026(0x7f0000000180)={\u0027rose0\\x00\u0027, 0x201})\nr1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)\nbind$rose(r1, \u0026(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)\nconnect$rose(r1, \u0026(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)",
  "id": "GHSA-7qcm-qx74-j7hr",
  "modified": "2025-05-07T15:31:26Z",
  "published": "2025-05-01T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49916"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01b9c68c121847d05a4ccef68244dadf82bfa331"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e2129c67daca21043a26575108f6286c85e71f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b46adfbee1e429f33b10a88d6c00fa88f3d6c77"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a601e5eded33bb88b8a42743db8fef3ad41dd97e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b13be5e852b03f376058027e462fad4230240891"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bbc03d74e641e824754443b908454ca9e203773e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e97c089d7a49f67027395ddf70bf327eeac2611e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f06186e5271b980bac03f5c97276ed0146ddc9b0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QH4-CC67-W444

Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-07-08 06:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda/conexant: Fix missing error check for jack detection

In cx_probe(), the return value of snd_hda_jack_detect_enable_callback() is ignored. This function returns a pointer, and if it fails (e.g., due to memory allocation failure), it returns an error pointer which must be checked using IS_ERR().

If the registration fails, the driver continues to probe, but the jack detection callback will not be registered. This can lead to a kernel crash later when the driver attempts to handle jack events or accesses the uninitialized structure.

Check the return value using IS_ERR() and propagate the error via PTR_ERR() to the probe caller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T20:17:21Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/conexant: Fix missing error check for jack detection\n\nIn cx_probe(), the return value of snd_hda_jack_detect_enable_callback()\nis ignored. This function returns a pointer, and if it fails (e.g., due\nto memory allocation failure), it returns an error pointer which must\nbe checked using IS_ERR().\n\nIf the registration fails, the driver continues to probe, but the jack\ndetection callback will not be registered. This can lead to a kernel\ncrash later when the driver attempts to handle jack events or accesses\nthe uninitialized structure.\n\nCheck the return value using IS_ERR() and propagate the error via\nPTR_ERR() to the probe caller.",
  "id": "GHSA-7qh4-cc67-w444",
  "modified": "2026-07-08T06:31:35Z",
  "published": "2026-06-26T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53291"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1da5c73f3793b224696617a2a21def7500ba18d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49c2c5924552e1d2f8b635dee663abebbb7cf63b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2a33e87a2ffce3046c574d24eec4390c27c9365"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0e2333a231107adedd38c6fcfe1adc6162716fc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d68f753d89f4ef6e410d7e8b7e8ab2fdde921b80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd110cc00cf854a8ecd8d003127a4178c28574ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f837c7b85143a7c54140ff41ad5c076b73cd9933"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QHC-3PHP-2C6M

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-31 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: mvm: Fix possible NULL dereference

In __iwl_mvm_remove_time_event() check that 'te_data->vif' is NULL before dereferencing it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: mvm: Fix possible NULL dereference\n\nIn __iwl_mvm_remove_time_event() check that \u0027te_data-\u003evif\u0027 is NULL\nbefore dereferencing it.",
  "id": "GHSA-7qhc-3php-2c6m",
  "modified": "2024-12-31T21:30:44Z",
  "published": "2024-05-21T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47415"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24d5f16e407b75bc59d5419b957a9cab423b2681"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/432d8185e9ffce97e3866ca71c39b0807a456920"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QQC-HW29-JP6R

Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2022-05-17 02:46
VLAI
Details

In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by issuing the 'fastboot oem dump ' fastboot command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-25T16:59:00Z",
    "severity": "MODERATE"
  },
  "details": "In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except \u0027keystore\u0027) by issuing the \u0027fastboot oem dump \u003cpartition\u003e\u0027 fastboot command.",
  "id": "GHSA-7qqc-hw29-jp6r",
  "modified": "2022-05-17T02:46:54Z",
  "published": "2022-05-17T02:46:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5625"
    },
    {
      "type": "WEB",
      "url": "https://alephsecurity.com/vulns/aleph-2017006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QQR-H7VR-JR47

Vulnerability from github – Published: 2022-05-14 03:41 – Updated: 2022-05-14 03:41
VLAI
Details

A remote denial of service vulnerability in HPE System Management Homepage for Windows and Linux version prior to v7.6.1 was found.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-15T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote denial of service vulnerability in HPE System Management Homepage for Windows and Linux version prior to v7.6.1 was found.",
  "id": "GHSA-7qqr-h7vr-jr47",
  "modified": "2022-05-14T03:41:02Z",
  "published": "2022-05-14T03:41:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12545"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbmu03753en_us"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2017-30"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101029"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039437"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QR6-7J77-6PRP

Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: handle hdr_first_de() return value

The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently.

Additionally, error handling for the return value already exists at other points where this function is called.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle hdr_first_de() return value\n\nThe hdr_first_de() function returns a pointer to a struct NTFS_DE. This\npointer may be NULL. To handle the NULL error effectively, it is important\nto implement an error handler. This will help manage potential errors\nconsistently.\n\nAdditionally, error handling for the return value already exists at other\npoints where this function is called.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
  "id": "GHSA-7qr6-7j77-6prp",
  "modified": "2026-05-12T15:30:54Z",
  "published": "2025-07-03T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38167"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d5879f64554181b89f44d4817b9ea86e8e913e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ecd0cde89feee26525ccdf1af0c1ae156ca010b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5390b3d4c6d41d05bb9149d094d504cbc9ea85bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/701340a25b1ad210e6b8192195be21fd3fcc22c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83cd0aa74793384dbdffc140500b200e9776a302"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QV5-68GM-JF96

Vulnerability from github – Published: 2023-03-01 21:30 – Updated: 2023-03-13 15:30
VLAI
Details

In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-01T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).",
  "id": "GHSA-7qv5-68gm-jf96",
  "modified": "2023-03-13T15:30:18Z",
  "published": "2023-03-01T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23004"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/15342f930ebebcfe36f2415049736a77d7d2e045"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QV9-42RG-QH56

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential null-ptr-deref in decode_choose_args()

A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an array of max_buckets CRUSH buckets is decoded, where some indices may not refer to actual buckets and are therefore set to NULL. The received CRUSH map may optionally contain choose_args that get decoded in decode_choose_args(). When decoding a crush_choose_arg_map, a series of choose_args for different buckets is decoded, with the bucket_index being read from the incoming message. It is only checked that the bucket index does not exceed max_buckets, but not that it doesn't point to an index with a NULL bucket. If a (potentially corrupted) message contains a crush_choose_arg_map including such a bucket_index, a null pointer dereference may occur in the subsequent processing when attempting to access the bucket with the given index.

This patch fixes the issue by extending the affected check. Now, it is only attempted to access the bucket if it is not NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential null-ptr-deref in decode_choose_args()\n\nA message of type CEPH_MSG_OSD_MAP contains an OSD map that itself\ncontains a CRUSH map. When decoding this CRUSH map in crush_decode(), an\narray of max_buckets CRUSH buckets is decoded, where some indices may\nnot refer to actual buckets and are therefore set to NULL. The received\nCRUSH map may optionally contain choose_args that get decoded in\ndecode_choose_args(). When decoding a crush_choose_arg_map, a series of\nchoose_args for different buckets is decoded, with the bucket_index\nbeing read from the incoming message. It is only checked that the bucket\nindex does not exceed max_buckets, but not that it doesn\u0027t point to an\nindex with a NULL bucket. If a (potentially corrupted) message contains\na crush_choose_arg_map including such a bucket_index, a null pointer\ndereference may occur in the subsequent processing when attempting to\naccess the bucket with the given index.\n\nThis patch fixes the issue by extending the affected check. Now, it is\nonly attempted to access the bucket if it is not NULL.",
  "id": "GHSA-7qv9-42rg-qh56",
  "modified": "2026-06-28T09:31:37Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52957"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/301286c0ccd37d66b0e40786fd35a4f19cdbd88a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/312ec973efac0efb9b9ed64214235910e9ecbaa8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7169f326a23d0f547fcd90e68b72fd387622e126"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a20e16ebfe2fa65348eb4b2dc7deac330ce03e9c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d55ffad8d422b5d1cc44dad32bd3d25f4471cd9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7a65a34d2453f8cd3e0cc0e1319740af7e24276"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f2f95e6d4b97e70bb876139b0583fc8079983f85"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QW8-3VMF-GJ32

Vulnerability from github – Published: 2025-07-31 18:31 – Updated: 2025-08-01 18:36
VLAI
Summary
MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
Details

Summary

When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.

Details

In source/MaterialXCore/Material.cpp, the following code extracts the output nodes for a given implementation graph:

   InterfaceElementPtr impl = materialNodeDef->getImplementation();
            if (impl && impl->isA<NodeGraph>())
            {
                NodeGraphPtr implGraph = impl->asA<NodeGraph>();
                for (OutputPtr defOutput : materialNodeDef->getOutputs())
                {
                    if (defOutput->getType() == MATERIAL_TYPE_STRING)
                    {
                        OutputPtr implGraphOutput = implGraph->getOutput(defOutput->getName());
                        for (GraphIterator it = implGraphOutput->traverseGraph().begin(); it != GraphIterator::end(); ++it)
                        {
                            ElementPtr upstreamElem = it.getUpstreamElement();
                            if (!upstreamElem)
                            {
                                it.setPruneSubgraph(true);
                                continue;
                            }
                            NodePtr upstreamNode = upstreamElem->asA<Node>();
                            if (upstreamNode && upstream

However, when defining the implGraphOutput variable by getting the output node, the code doesn't check whether its value is null before accessing its iterator traverseGraph(). This leads to a potential null pointer dereference.

PoC

Please download nullptr_implgraph.mtlx from the following link:

https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011

build/bin/MaterialXView --material nullptr_implgraph.mtlx

Impact

An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "MaterialX"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.39.2"
            },
            {
              "fixed": "1.39.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.39.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-31T18:31:23Z",
    "nvd_published_at": "2025-08-01T18:15:54Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nWhen parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files.\n\n### Details\n\nIn `source/MaterialXCore/Material.cpp`, the following code extracts the output nodes for a given implementation graph:\n\n```cpp\n   InterfaceElementPtr impl = materialNodeDef-\u003egetImplementation();\n            if (impl \u0026\u0026 impl-\u003eisA\u003cNodeGraph\u003e())\n            {\n                NodeGraphPtr implGraph = impl-\u003easA\u003cNodeGraph\u003e();\n                for (OutputPtr defOutput : materialNodeDef-\u003egetOutputs())\n                {\n                    if (defOutput-\u003egetType() == MATERIAL_TYPE_STRING)\n                    {\n                        OutputPtr implGraphOutput = implGraph-\u003egetOutput(defOutput-\u003egetName());\n                        for (GraphIterator it = implGraphOutput-\u003etraverseGraph().begin(); it != GraphIterator::end(); ++it)\n                        {\n                            ElementPtr upstreamElem = it.getUpstreamElement();\n                            if (!upstreamElem)\n                            {\n                                it.setPruneSubgraph(true);\n                                continue;\n                            }\n                            NodePtr upstreamNode = upstreamElem-\u003easA\u003cNode\u003e();\n                            if (upstreamNode \u0026\u0026 upstream\n```\n\nHowever, when defining the `implGraphOutput` variable by getting the output node, the code doesn\u0027t check whether its value is null before accessing its iterator `traverseGraph()`. This leads to a potential null pointer dereference.\n\n### PoC\n\nPlease download `nullptr_implgraph.mtlx` from the following link:\n\nhttps://github.com/ShielderSec/poc/tree/main/CVE-2025-53011\n\n`build/bin/MaterialXView --material nullptr_implgraph.mtlx`\n\n### Impact\n\nAn attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file.",
  "id": "GHSA-7qw8-3vmf-gj32",
  "modified": "2025-08-01T18:36:10Z",
  "published": "2025-07-31T18:31:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-7qw8-3vmf-gj32"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/commit/7ac1c71de5187dc29793292b5a8dc6d784192ecf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ShielderSec/poc/tree/main/CVE-2025-53011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput"
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.