CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-7QX8-R7M7-P473
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a NULL pointer, which may lead to denial of service. This affects vGPU version 12.x (prior to 12.3), version 11.x (prior to 11.5) and version 8.x (prior 8.8).
{
"affected": [],
"aliases": [
"CVE-2021-1101"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-21T03:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a NULL pointer, which may lead to denial of service. This affects vGPU version 12.x (prior to 12.3), version 11.x (prior to 11.5) and version 8.x (prior 8.8).",
"id": "GHSA-7qx8-r7m7-p473",
"modified": "2022-05-24T19:08:50Z",
"published": "2022-05-24T19:08:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1101"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5211"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7R4R-7WG2-96VJ
Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-04-15 15:30In the Linux kernel, the following vulnerability has been resolved:
net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices
The probe() function is only used for the DP83822 PHY, leaving the private data pointer uninitialized for the smaller DP83825/26 models. While all uses of the private data structure are hidden in 82822 specific callbacks, configuring the interrupt is shared across all models. This causes a NULL pointer dereference on the smaller PHYs as it accesses the private data unchecked. Verifying the pointer avoids that.
{
"affected": [],
"aliases": [
"CVE-2023-52984"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T17:15:45Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices\n\nThe probe() function is only used for the DP83822 PHY, leaving the\nprivate data pointer uninitialized for the smaller DP83825/26 models.\nWhile all uses of the private data structure are hidden in 82822 specific\ncallbacks, configuring the interrupt is shared across all models.\nThis causes a NULL pointer dereference on the smaller PHYs as it accesses\nthe private data unchecked. Verifying the pointer avoids that.",
"id": "GHSA-7r4r-7wg2-96vj",
"modified": "2025-04-15T15:30:48Z",
"published": "2025-03-27T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52984"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cd1e9c013ec56421c58921b1ddf1d2d53bd47fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/362a2f5531dc0e5b0b5b3e3a541000dbffa75461"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/422ae7d9c7221e8d4c8526d0f54106307d69d2dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78901b10522cdf6badf24acf65a892637596bccc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R7H-HW2C-CP7Q
Vulnerability from github – Published: 2025-07-09 12:31 – Updated: 2025-12-18 18:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: handle csum tree error with rescue=ibadroots correctly
[BUG] There is syzbot based reproducer that can crash the kernel, with the following call trace: (With some debug output added)
DEBUG: rescue=ibadroots parsed BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010) BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8 BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm BTRFS info (device loop0): using free-space-tree BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0 DEBUG: read tree root path failed for tree csum, ret=-5 BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0 BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0 process 'repro' launched './file2' with NULL argv: empty string added DEBUG: no csum root, idatacsums=0 ibadroots=134217728 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f] CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs] Call Trace: btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs] btrfs_submit_bbio+0x43e/0x1a80 [btrfs] submit_one_bio+0xde/0x160 [btrfs] btrfs_readahead+0x498/0x6a0 [btrfs] read_pages+0x1c3/0xb20 page_cache_ra_order+0x4b5/0xc20 filemap_get_pages+0x2d3/0x19e0 filemap_read+0x314/0xde0 __kernel_read+0x35b/0x900 bprm_execve+0x62e/0x1140 do_execveat_common.isra.0+0x3fc/0x520 __x64_sys_execveat+0xdc/0x130 do_syscall_64+0x54/0x1d0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ---[ end trace 0000000000000000 ]---
[CAUSE] Firstly the fs has a corrupted csum tree root, thus to mount the fs we have to go "ro,rescue=ibadroots" mount option.
Normally with that mount option, a bad csum tree root should set BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will ignore csum search.
But in this particular case, we have the following call trace that caused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:
load_global_roots_objectid():
ret = btrfs_search_slot();
/* Succeeded */
btrfs_item_key_to_cpu()
found = true;
/* We found the root item for csum tree. */
root = read_tree_root_path();
if (IS_ERR(root)) {
if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))
/*
* Since we have rescue=ibadroots mount option,
* @ret is still 0.
*/
break;
if (!found || ret) {
/* @found is true, @ret is 0, error handling for csum
* tree is skipped.
*/
}
This means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if the csum tree is corrupted, which results unexpected later csum lookup.
[FIX] If read_tree_root_path() failed, always populate @ret to the error number.
As at the end of the function, we need @ret to determine if we need to do the extra error handling for csum tree.
{
"affected": [],
"aliases": [
"CVE-2025-38260"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-09T11:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle csum tree error with rescue=ibadroots correctly\n\n[BUG]\nThere is syzbot based reproducer that can crash the kernel, with the\nfollowing call trace: (With some debug output added)\n\n DEBUG: rescue=ibadroots parsed\n BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)\n BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8\n BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm\n BTRFS info (device loop0): using free-space-tree\n BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0\n DEBUG: read tree root path failed for tree csum, ret=-5\n BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0\n BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0\n process \u0027repro\u0027 launched \u0027./file2\u0027 with NULL argv: empty string added\n DEBUG: no csum root, idatacsums=0 ibadroots=134217728\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]\n CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]\n Call Trace:\n \u003cTASK\u003e\n btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]\n btrfs_submit_bbio+0x43e/0x1a80 [btrfs]\n submit_one_bio+0xde/0x160 [btrfs]\n btrfs_readahead+0x498/0x6a0 [btrfs]\n read_pages+0x1c3/0xb20\n page_cache_ra_order+0x4b5/0xc20\n filemap_get_pages+0x2d3/0x19e0\n filemap_read+0x314/0xde0\n __kernel_read+0x35b/0x900\n bprm_execve+0x62e/0x1140\n do_execveat_common.isra.0+0x3fc/0x520\n __x64_sys_execveat+0xdc/0x130\n do_syscall_64+0x54/0x1d0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nFirstly the fs has a corrupted csum tree root, thus to mount the fs we\nhave to go \"ro,rescue=ibadroots\" mount option.\n\nNormally with that mount option, a bad csum tree root should set\nBTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will\nignore csum search.\n\nBut in this particular case, we have the following call trace that\ncaused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:\n\nload_global_roots_objectid():\n\n\t\tret = btrfs_search_slot();\n\t\t/* Succeeded */\n\t\tbtrfs_item_key_to_cpu()\n\t\tfound = true;\n\t\t/* We found the root item for csum tree. */\n\t\troot = read_tree_root_path();\n\t\tif (IS_ERR(root)) {\n\t\t\tif (!btrfs_test_opt(fs_info, IGNOREBADROOTS))\n\t\t\t/*\n\t\t\t * Since we have rescue=ibadroots mount option,\n\t\t\t * @ret is still 0.\n\t\t\t */\n\t\t\tbreak;\n\tif (!found || ret) {\n\t\t/* @found is true, @ret is 0, error handling for csum\n\t\t * tree is skipped.\n\t\t */\n\t}\n\nThis means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if\nthe csum tree is corrupted, which results unexpected later csum lookup.\n\n[FIX]\nIf read_tree_root_path() failed, always populate @ret to the error\nnumber.\n\nAs at the end of the function, we need @ret to determine if we need to\ndo the extra error handling for csum tree.",
"id": "GHSA-7r7h-hw2c-cp7q",
"modified": "2025-12-18T18:30:28Z",
"published": "2025-07-09T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38260"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f5c4a996f8f4fecd24a3eb344a307c50af895c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/547e836661554dcfa15c212a3821664e85b4191a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbe9231fe611a54a447962494472f604419bad59"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8ce11903211542a61f05c02caedd2edfb4256b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc97a116dc4929905538bc0bd3af7faa51192957"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RC9-5VXF-3H3M
Vulnerability from github – Published: 2023-02-27 00:30 – Updated: 2023-03-08 00:30In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishandles a Drain call in certain situations involving truncated files. Eventually there is an assertion failure in libmpdclient because libqtappfw passes in a NULL pointer.
{
"affected": [],
"aliases": [
"CVE-2022-48363"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-617"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-26T23:15:00Z",
"severity": "HIGH"
},
"details": "In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishandles a Drain call in certain situations involving truncated files. Eventually there is an assertion failure in libmpdclient because libqtappfw passes in a NULL pointer.",
"id": "GHSA-7rc9-5vxf-3h3m",
"modified": "2023-03-08T00:30:33Z",
"published": "2023-02-27T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48363"
},
{
"type": "WEB",
"url": "https://gerrit.automotivelinux.org/gerrit/c/src/libqtappfw/+/28484"
},
{
"type": "WEB",
"url": "https://gerrit.automotivelinux.org/gerrit/c/src/libqtappfw/+/28485"
},
{
"type": "WEB",
"url": "https://gerrit.automotivelinux.org/gerrit/q/project:src%252Flibqtappfw+status:open"
},
{
"type": "WEB",
"url": "https://jira.automotivelinux.org/browse/SPEC-4661"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RCG-54W2-5P8P
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:31In the Linux kernel, the following vulnerability has been resolved:
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
When the driver calls tw68_risc_buffer() to prepare the buffer, the function call dma_alloc_coherent may fail, resulting in a empty buffer buf->cpu. Later when we free the buffer or access the buffer, null ptr deref is triggered.
This bug is similar to the following one: https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.
We believe the bug can be also dynamically triggered from user side. Similarly, we fix this by checking the return value of tw68_risc_buffer() and the value of buf->cpu before buffer free.
{
"affected": [],
"aliases": [
"CVE-2023-53244"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:51Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish\n\nWhen the driver calls tw68_risc_buffer() to prepare the buffer, the\nfunction call dma_alloc_coherent may fail, resulting in a empty buffer\nbuf-\u003ecpu. Later when we free the buffer or access the buffer, null ptr\nderef is triggered.\n\nThis bug is similar to the following one:\nhttps://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.\n\nWe believe the bug can be also dynamically triggered from user side.\nSimilarly, we fix this by checking the return value of tw68_risc_buffer()\nand the value of buf-\u003ecpu before buffer free.",
"id": "GHSA-7rcg-54w2-5p8p",
"modified": "2025-12-03T21:31:00Z",
"published": "2025-09-15T15:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53244"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1634b7adcc5bef645b3666fdd564e5952a9e24e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3715c5e9a8f96b6ed0dcbea06da443efccac1ecc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3c67f49a6643d973e83968ea35806c7b5ae68b56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dcf632bca424e6ff8c8eb89c96694e7f05cd29b6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RM9-FJ3J-7CMM
Vulnerability from github – Published: 2022-06-28 00:01 – Updated: 2022-07-07 00:00NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
{
"affected": [],
"aliases": [
"CVE-2022-2208"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.",
"id": "GHSA-7rm9-fj3j-7cmm",
"modified": "2022-07-07T00:00:24Z",
"published": "2022-06-28T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2208"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/cd38bb4d83c942c4bad596835c6766cbf32e5195"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7bfe3d5b-568f-4c34-908f-a39909638cc1"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-32"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RMM-8WR5-2665
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-8195"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-17T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-7rmm-8wr5-2665",
"modified": "2022-05-24T16:59:23Z",
"published": "2022-05-24T16:59:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8195"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155224/Adobe-Acrobat-Reader-DC-For-Windows-Malformed-JBIG2Globals-Stream-Uninitialized-Pointer.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7RQ4-PC5W-9JQ7
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-20 18:31In the Linux kernel, the following vulnerability has been resolved:
btrfs: exit after state insertion failure at btrfs_convert_extent_bit()
If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access.
So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled.
{
"affected": [],
"aliases": [
"CVE-2025-38269"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T08:15:25Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: exit after state insertion failure at btrfs_convert_extent_bit()\n\nIf insert_state() state failed it returns an error pointer and we call\nextent_io_tree_panic() which will trigger a BUG() call. However if\nCONFIG_BUG is disabled, which is an uncommon and exotic scenario, then\nwe fallthrough and call cache_state() which will dereference the error\npointer, resulting in an invalid memory access.\n\nSo jump to the \u0027out\u0027 label after calling extent_io_tree_panic(), it also\nmakes the code more clear besides dealing with the exotic scenario where\nCONFIG_BUG is disabled.",
"id": "GHSA-7rq4-pc5w-9jq7",
"modified": "2025-11-20T18:31:00Z",
"published": "2025-07-10T09:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38269"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3bf179e36da917c5d9bec71c714573ed1649b7c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58c50f45e1821a04d61b62514f9bd34afe67c622"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d9d32088e304e2bc444a3087cab0bbbd9951866"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RQH-6CCP-GVHV
Vulnerability from github – Published: 2022-05-17 00:17 – Updated: 2022-05-17 00:17The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.
{
"affected": [],
"aliases": [
"CVE-2017-14340"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-15T11:29:00Z",
"severity": "MODERATE"
},
"details": "The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.",
"id": "GHSA-7rqh-6ccp-gvhv",
"modified": "2022-05-17T00:17:52Z",
"published": "2022-05-17T00:17:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14340"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/b31ff3cdf540110da4572e3e29bd172087af65cc"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2918"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1491344"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b31ff3cdf540110da4572e3e29bd172087af65cc"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2017/q3/436"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3981"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100851"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RV3-R8MG-4WCP
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.
{
"affected": [],
"aliases": [
"CVE-2026-34339"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:17:08Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.",
"id": "GHSA-7rv3-r8mg-4wcp",
"modified": "2026-05-12T18:30:42Z",
"published": "2026-05-12T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34339"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34339"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.