Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-7RXW-GV4W-F8W6

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-01-06 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()

It is possible that typec_register_partner() returns ERR_PTR on failure. When port->partner is an error, a NULL pointer dereference may occur as shown below.

[91222.095236][ T319] typec port0: failed to register partner (-17) ... [91225.061491][ T319] Unable to handle kernel NULL pointer dereference at virtual address 000000000000039f [91225.274642][ T319] pc : tcpm_pd_data_request+0x310/0x13fc [91225.274646][ T319] lr : tcpm_pd_data_request+0x298/0x13fc [91225.308067][ T319] Call trace: [91225.308070][ T319] tcpm_pd_data_request+0x310/0x13fc [91225.308073][ T319] tcpm_pd_rx_handler+0x100/0x9e8 [91225.355900][ T319] kthread_worker_fn+0x178/0x58c [91225.355902][ T319] kthread+0x150/0x200 [91225.355905][ T319] ret_from_fork+0x10/0x30

Add a check for port->partner to avoid dereferencing a NULL pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:24Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()\n\nIt is possible that typec_register_partner() returns ERR_PTR on failure.\nWhen port-\u003epartner is an error, a NULL pointer dereference may occur as\nshown below.\n\n[91222.095236][  T319] typec port0: failed to register partner (-17)\n...\n[91225.061491][  T319] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000039f\n[91225.274642][  T319] pc : tcpm_pd_data_request+0x310/0x13fc\n[91225.274646][  T319] lr : tcpm_pd_data_request+0x298/0x13fc\n[91225.308067][  T319] Call trace:\n[91225.308070][  T319]  tcpm_pd_data_request+0x310/0x13fc\n[91225.308073][  T319]  tcpm_pd_rx_handler+0x100/0x9e8\n[91225.355900][  T319]  kthread_worker_fn+0x178/0x58c\n[91225.355902][  T319]  kthread+0x150/0x200\n[91225.355905][  T319]  ret_from_fork+0x10/0x30\n\nAdd a check for port-\u003epartner to avoid dereferencing a NULL pointer.",
  "id": "GHSA-7rxw-gv4w-f8w6",
  "modified": "2025-01-06T21:30:49Z",
  "published": "2024-05-21T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52877"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4987daf86c152ff882d51572d154ad12e4ff3a4b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ee038590d808a95d16adf92818dcd4752273c08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b37a168c0137156042a0ca9626651b5a789e822b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e5f53a68a596e04df3fde3099273435a30b6fdac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7a802447c491903aa7cb45967aa2a934a4e63fc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7V3X-C3W3-H992

Vulnerability from github – Published: 2023-06-16 12:30 – Updated: 2024-04-04 04:54
VLAI
Details

A null pointer dereference in Fortinet FortiOS before 7.2.5, before 7.0.11 and before 6.4.13, FortiProxy before 7.2.4 and before 7.0.10 allows attacker to denial of sslvpn service via specifically crafted request in bookmark parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-16T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference in Fortinet FortiOS before 7.2.5,  before 7.0.11 and before 6.4.13, FortiProxy before 7.2.4 and before 7.0.10 allows attacker to denial of sslvpn service via specifically crafted request in bookmark parameter.",
  "id": "GHSA-7v3x-c3w3-h992",
  "modified": "2024-04-04T04:54:42Z",
  "published": "2023-06-16T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33306"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VCW-F2GC-3G39

Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules

Check the pointer value to fix potential null pointer dereference

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-26T11:15:05Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules\n\nCheck the pointer value to fix potential null pointer\ndereference",
  "id": "GHSA-7vcw-f2gc-3g39",
  "modified": "2025-11-04T00:31:18Z",
  "published": "2024-08-26T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43907"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c065e50445aea2e0a1815f12e97ee49e02cbaac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13937a40aae4efe64592ba48c057ac3c72f7fe82"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a01bf2ca9f860fdc88c358567b8fa3033efcf30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1749313f35b98e2e655479f037db37f19756622"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d19fb10085a49b77578314f69fff21562f7cd054"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e04d18c29954441aa1054af649f957ffad90a201"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VFX-9973-F38H

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-06 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check

The function dpu_plane_virtual_atomic_check was dereferencing pointers returned by drm_atomic_get_plane_state without checking for errors. This could lead to undefined behavior if the function returns an error pointer.

This commit adds checks using IS_ERR to ensure that plane_state is valid before dereferencing them.

Similar to commit da29abe71e16 ("drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed").

Patchwork: https://patchwork.freedesktop.org/patch/643132/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T14:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check\n\nThe function dpu_plane_virtual_atomic_check was dereferencing pointers\nreturned by drm_atomic_get_plane_state without checking for errors. This\ncould lead to undefined behavior if the function returns an error pointer.\n\nThis commit adds checks using IS_ERR to ensure that plane_state is\nvalid before dereferencing them.\n\nSimilar to commit da29abe71e16\n(\"drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed\").\n\nPatchwork: https://patchwork.freedesktop.org/patch/643132/",
  "id": "GHSA-7vfx-9973-f38h",
  "modified": "2025-11-06T18:32:43Z",
  "published": "2025-05-01T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37783"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cb1b130e1cd04239cc9c26a98279f4660dce583"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9670ed1cce3216778c89936d3ae91cf0d436035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VG8-G6PX-4578

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a denial of service (invalid pointer dereference and hypervisor crash) via the SAHF instruction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-12-27T01:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a denial of service (invalid pointer dereference and hypervisor crash) via the SAHF instruction.",
  "id": "GHSA-7vg8-g6px-4578",
  "modified": "2022-05-13T01:12:21Z",
  "published": "2022-05-13T01:12:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2519"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=718882"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2011-1212.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/08/30/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/hg/xen-3.1-testing.hg/rev/15644"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7VGH-484P-PV5R

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-02 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe

rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires while the SMC call is still pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMAND_RSU_STATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared.

While at it, clean up stratix10_rsu_probe() in two ways without changing behavior:

  • Drop redundant zero-initialization of fields already cleared by devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0).

  • Replace five identical 3-line error-cleanup blocks (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup.

Also move init_completion() next to mutex_init() so sync-primitive initialization is grouped before anything that could trigger a callback.


v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a centralize exit for all the rsu_send_async_msg() and rsu_send_msg().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe\n\nrsu_send_msg() can return -ETIMEDOUT when\nwait_for_completion_interruptible_timeout() fires while the SMC call is still\npending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION,\nCOMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE\ncall stratix10_svc_free_channel() - which sets chan-\u003escl to NULL - but then\nfall through and queue the next request on the same channel. The next svc\nkthread that runs will dereference pdata-\u003echan-\u003escl in its receive callback\npath, triggering a NULL pointer dereference identical to the one fixed by\ncommit c45f7263100c (\"firmware: stratix10-rsu: Fix NULL pointer dereference\nwhen RSU is disabled\") for the COMMAND_RSU_STATUS path.\n\nApply the same cleanup pattern to the remaining failure paths: remove the\nasync client, free the channel, and return early so no further messages are\nqueued on a channel whose scl has been cleared.\n\nWhile at it, clean up stratix10_rsu_probe() in two ways without changing\nbehavior:\n\n- Drop redundant zero-initialization of fields already cleared by\n  devm_kzalloc(): client.receive_cb, status.* and spt0/1_address\n  (INVALID_SPT_ADDRESS is 0x0).\n\n- Replace five identical 3-line error-cleanup blocks\n  (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() +\n  return ret) with goto labels (remove_async_client, free_channel),\n  matching the standard kernel resource-unwinding pattern and making it\n  easier to extend the probe sequence without forgetting matching\n  cleanup.\n\nAlso move init_completion() next to mutex_init() so sync-primitive\ninitialization is grouped before anything that could trigger a\ncallback.\n\n---\nv2: Add a minor clean-up of the function stratix10_rsu_probe() to have a\n    centralize exit for all the rsu_send_async_msg() and rsu_send_msg().",
  "id": "GHSA-7vgh-484p-pv5r",
  "modified": "2026-07-02T21:32:04Z",
  "published": "2026-06-25T09:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53204"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bc249d324241c64118a3018124798c28e2950f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VJQ-M92P-42WP

Vulnerability from github – Published: 2023-12-25 09:30 – Updated: 2023-12-29 21:30
VLAI
Details

C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference in ndlz/ndlz8x8.c via a NULL pointer to memset.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-25T07:15:08Z",
    "severity": "HIGH"
  },
  "details": "C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference in ndlz/ndlz8x8.c via a NULL pointer to memset.",
  "id": "GHSA-7vjq-m92p-42wp",
  "modified": "2023-12-29T21:30:46Z",
  "published": "2023-12-25T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Blosc/c-blosc2/issues/522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Blosc/c-blosc2/commit/d55bfcd6804699e1435dc3e233fd76c8a5d3f9e3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Blosc/c-blosc2/compare/v2.9.2...v2.9.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VM4-FP9Q-W3P6

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-12-17 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix kernel panic when alloc_page failed

We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called.

This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full_len.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T10:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix kernel panic when alloc_page failed\n\nWe cannot set frag_list to NULL pointer when alloc_page failed.\nIt will be used in tls_strp_check_queue_ok when the next time\ntls_strp_read_sock is called.\n\nThis is because we don\u0027t reset full_len in tls_strp_flush_anchor_copy()\nso the recv path will try to continue handling the partial record\non the next call but we dettached the rcvq from the frag list.\nAlternative fix would be to reset full_len.\n\nUnable to handle kernel NULL pointer dereference\nat virtual address 0000000000000028\n Call trace:\n tls_strp_check_rcv+0x128/0x27c\n tls_strp_data_ready+0x34/0x44\n tls_data_ready+0x3c/0x1f0\n tcp_data_ready+0x9c/0xe4\n tcp_data_queue+0xf6c/0x12d0\n tcp_rcv_established+0x52c/0x798",
  "id": "GHSA-7vm4-fp9q-w3p6",
  "modified": "2025-12-17T21:30:30Z",
  "published": "2025-06-18T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38018"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/406d05da26835943568e61bb751c569efae071d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/491deb9b8c4ad12fe51d554a69b8165b9ef9429f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f1f833cb388592bb46104463a1ec1b7c41975b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f7f96549bc55e4ef3a6b499bc5011e5de2f46c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a11b8c0be6acd0505a58ff40d474bd778b25b93a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VMR-3F3W-FC3W

Vulnerability from github – Published: 2022-05-17 03:42 – Updated: 2022-05-17 03:42
VLAI
Details

libmedia in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 has certain incorrect declarations, which allows remote attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference or memory corruption) via a crafted media file, aka internal bug 28166152.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-05T20:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "libmedia in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 has certain incorrect declarations, which allows remote attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference or memory corruption) via a crafted media file, aka internal bug 28166152.",
  "id": "GHSA-7vmr-3f3w-fc3w",
  "modified": "2022-05-17T03:42:17Z",
  "published": "2022-05-17T03:42:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3821"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/av/+/42a25c46b844518ff0d0b920c20c519e1417be69"
    },
    {
      "type": "WEB",
      "url": "http://source.android.com/security/bulletin/2016-08-01.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92228"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7VV8-23MH-RQFJ

Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-08-27 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: fix segfault in nfc_genl_dump_devices_done

When kmalloc in nfc_genl_dump_devices() fails then nfc_genl_dump_devices_done() segfaults as below

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Call Trace: class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 netlink_sock_destruct+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 process_one_work+0x411/0x710 worker_thread+0x6fd/0xa80

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-19T15:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix segfault in nfc_genl_dump_devices_done\n\nWhen kmalloc in nfc_genl_dump_devices() fails then\nnfc_genl_dump_devices_done() segfaults as below\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:klist_iter_exit+0x26/0x80\nCall Trace:\n\u003cTASK\u003e\nclass_dev_iter_exit+0x15/0x20\nnfc_genl_dump_devices_done+0x3b/0x50\ngenl_lock_done+0x84/0xd0\nnetlink_sock_destruct+0x8f/0x270\n__sk_destruct+0x64/0x3b0\nsk_destruct+0xa8/0xd0\n__sk_free+0x2e8/0x3d0\nsk_free+0x51/0x90\nnetlink_sock_destruct_work+0x1c/0x20\nprocess_one_work+0x411/0x710\nworker_thread+0x6fd/0xa80",
  "id": "GHSA-7vv8-23mh-rqfj",
  "modified": "2024-08-27T18:31:35Z",
  "published": "2024-06-19T15:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47612"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/214af18abbe39db05beb305b2d11e87d09a6529c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a8845b9603c545fddd17862282dc4c4ce0971e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6644989642844de830f9b072cd65c553cb55946c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c602863ad28ec86794cb4ab4edea5324f555f181"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d731ecc6f2eaec68f4ad1542283bbc7d07bd0112"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d89e4211b51752daf063d638af50abed2fd5f96d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea55b3797878752aa076b118afb727dcf79cac34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd79a0cbf0b2e34bcc45b13acf962e2032a82203"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.