Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-VHHV-WFQV-M6P9

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-09-08T20:00:00Z",
    "severity": "HIGH"
  },
  "details": "The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.",
  "id": "GHSA-vhhv-wfqv-m6p9",
  "modified": "2022-05-13T01:23:35Z",
  "published": "2022-05-13T01:23:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2798"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2010:0660"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2010:0670"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2010:0723"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2010-2798"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=620300"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=728a756b8fcd22d80e2dbba8117a8a3aafd3f203"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=728a756b8fcd22d80e2dbba8117a8a3aafd3f203"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/46397"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1024386"
    },
    {
      "type": "WEB",
      "url": "http://support.avaya.com/css/P8/documents/100113326"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2094"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:198"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/08/02/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/08/02/10"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0660.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0670.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0723.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/42124"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1000-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHJ2-4H8C-JC8M

Vulnerability from github – Published: 2025-04-29 03:30 – Updated: 2025-04-29 15:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, watchOS 11.4, visionOS 2.4. An attacker on the local network may cause an unexpected app termination.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T03:15:34Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, watchOS 11.4, visionOS 2.4. An attacker on the local network may cause an unexpected app termination.",
  "id": "GHSA-vhj2-4h8c-jc8m",
  "modified": "2025-04-29T15:31:50Z",
  "published": "2025-04-29T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24251"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122371"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122372"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122374"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122375"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122376"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122377"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHJQ-V866-4C7F

Vulnerability from github – Published: 2026-06-29 06:31 – Updated: 2026-07-06 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

agp/amd64: Fix broken error propagation in agp_amd64_probe()

A NULL pointer dereference was observed in the AMD64 AGP driver when running in a virtualized environment (e.g. qemu/kvm) without a physical AMD northbridge. The crash occurs in amd64_fetch_size() when attempting to dereference the pointer returned by node_to_amd_nb(0).

The root cause of this crash is broken error propagation in agp_amd64_probe(): When no AMD northbridges are found, cache_nbs() correctly returns -ENODEV. However, the probe function erroneously checks the return value against exactly -1, rather than < 0.

As a result, the hardware absence error is masked, allowing the driver to improperly proceed with initialization. It eventually calls agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware does not exist, node_to_amd_nb(0) returns NULL, leading to a General Protection Fault (GPF) when accessing its ->misc member.

Fix the issue by correcting the error check in agp_amd64_probe() to abort properly when cache_nbs() returns any negative error code. This prevents the driver from erroneously proceeding without hardware, thereby avoiding the subsequent NULL pointer dereference at its source.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T06:16:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nagp/amd64: Fix broken error propagation in agp_amd64_probe()\n\nA NULL pointer dereference was observed in the AMD64 AGP driver when\nrunning in a virtualized environment (e.g. qemu/kvm) without a physical\nAMD northbridge. The crash occurs in amd64_fetch_size() when attempting\nto dereference the pointer returned by node_to_amd_nb(0).\n\nThe root cause of this crash is broken error propagation in\nagp_amd64_probe(): When no AMD northbridges are found, cache_nbs()\ncorrectly returns -ENODEV. However, the probe function erroneously\nchecks the return value against exactly -1, rather than \u003c 0.\n\nAs a result, the hardware absence error is masked, allowing the driver\nto improperly proceed with initialization. It eventually calls\nagp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware\ndoes not exist, node_to_amd_nb(0) returns NULL, leading to a General\nProtection Fault (GPF) when accessing its -\u003emisc member.\n\nFix the issue by correcting the error check in agp_amd64_probe() to\nabort properly when cache_nbs() returns any negative error code. This\nprevents the driver from erroneously proceeding without hardware, thereby\navoiding the subsequent NULL pointer dereference at its source.",
  "id": "GHSA-vhjq-v866-4c7f",
  "modified": "2026-07-06T21:30:27Z",
  "published": "2026-06-29T06:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53325"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0aa9b27c454c53074cde592eaceb442d30341585"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d7d45050e14083c1de1460c93f4063c1f0bca7b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e844a63668d1c3d10a9d347d7ebf161b2f91c84"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53483a9f4ee9eeb18aa866ec16cce79e136987e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/564b3b3f6565313eb6fa5355ffd037d6fb27897f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b08472db93b1ccff84a7adec5779d47f0e9d3a30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce800993af477fc24187349c6a20d3073140b759"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cefe535a60a2e00e09f4b2689b0c8ffc6912459a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb045714bc6a2bbb0befb7a31b996a196e188869"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHQ6-QFMV-QF42

Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-05-28 21:32
VLAI
Details

Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T19:16:42Z",
    "severity": "MODERATE"
  },
  "details": "Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.",
  "id": "GHSA-vhq6-qfmv-qf42",
  "modified": "2026-05-28T21:32:03Z",
  "published": "2026-05-28T21:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47335"
    },
    {
      "type": "WEB",
      "url": "https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=406571d530ccdbae6119fe64ce9cf5c74160f20b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHQV-QJVQ-7XPF

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2023-02-01 21:30
VLAI
Details

ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a NULL pointer dereference. A remote unauthenticated attacker can crash the ELOG server by sending a crafted HTTP GET request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-17T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "ELOG 3.1.4-57bea22 and below is affected by a denial of service vulnerability due to a NULL pointer dereference. A remote unauthenticated attacker can crash the ELOG server by sending a crafted HTTP GET request.",
  "id": "GHSA-vhqv-qjvq-7xpf",
  "modified": "2023-02-01T21:30:23Z",
  "published": "2022-05-24T17:03:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3995"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IN3FP6VXYSD4OMUCFZNOL7MKPWRQFAL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IAS4HI24H2ERKBZTDEVJ3LEQEFWYSCT"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2019-53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHRF-W875-H9VR

Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2024-08-27 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401

When users run the command:

cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log

The following NULL pointer dereference happens:

[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL [ +0.000005] #PF: supervisor instruction fetch in kernel mode [ +0.000002] #PF: error_code(0x0010) - not-present page [ +0.000002] PGD 0 P4D 0 [ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI [ +0.000003] RIP: 0010:0x0 [ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [...] [ +0.000002] PKRU: 55555554 [ +0.000002] Call Trace: [ +0.000002] [ +0.000003] ? show_regs+0x65/0x70 [ +0.000006] ? __die+0x24/0x70 [ +0.000004] ? page_fault_oops+0x160/0x470 [ +0.000006] ? do_user_addr_fault+0x2b5/0x690 [ +0.000003] ? prb_read_valid+0x1c/0x30 [ +0.000005] ? exc_page_fault+0x8c/0x1a0 [ +0.000005] ? asm_exc_page_fault+0x27/0x30 [ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu] [ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000003] ? vsnprintf+0x2fb/0x600 [ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu] [ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170 [ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? debug_smp_processor_id+0x17/0x20 [ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? set_ptes.isra.0+0x2b/0x90 [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? _raw_spin_unlock+0x19/0x40 [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? do_anonymous_page+0x337/0x700 [ +0.000004] dtn_log_read+0x82/0x120 [amdgpu] [ +0.000207] full_proxy_read+0x66/0x90 [ +0.000007] vfs_read+0xb0/0x340 [ +0.000005] ? __count_memcg_events+0x79/0xe0 [ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40 [ +0.000003] ? handle_mm_fault+0xb2/0x370 [ +0.000003] ksys_read+0x6b/0xf0 [ +0.000004] __x64_sys_read+0x19/0x20 [ +0.000003] do_syscall_64+0x60/0x130 [ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ +0.000003] RIP: 0033:0x7fdf32f147e2 [...]

This error happens when the color log tries to read the gamut remap information from DCN401 which is not initialized in the dcn401_dpp_funcs which leads to a null pointer dereference. This commit addresses this issue by adding a proper guard to access the gamut_remap callback in case the specific ASIC did not implement this function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-26T11:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[  +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[  +0.000005] #PF: supervisor instruction fetch in kernel mode\n[  +0.000002] #PF: error_code(0x0010) - not-present page\n[  +0.000002] PGD 0 P4D 0\n[  +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[  +0.000003] RIP: 0010:0x0\n[  +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[  +0.000002] PKRU: 55555554\n[  +0.000002] Call Trace:\n[  +0.000002]  \u003cTASK\u003e\n[  +0.000003]  ? show_regs+0x65/0x70\n[  +0.000006]  ? __die+0x24/0x70\n[  +0.000004]  ? page_fault_oops+0x160/0x470\n[  +0.000006]  ? do_user_addr_fault+0x2b5/0x690\n[  +0.000003]  ? prb_read_valid+0x1c/0x30\n[  +0.000005]  ? exc_page_fault+0x8c/0x1a0\n[  +0.000005]  ? asm_exc_page_fault+0x27/0x30\n[  +0.000012]  dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[  +0.000306]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000003]  ? vsnprintf+0x2fb/0x600\n[  +0.000009]  dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[  +0.000218]  ? __mod_memcg_lruvec_state+0xe8/0x170\n[  +0.000008]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? debug_smp_processor_id+0x17/0x20\n[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? set_ptes.isra.0+0x2b/0x90\n[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? _raw_spin_unlock+0x19/0x40\n[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000002]  ? do_anonymous_page+0x337/0x700\n[  +0.000004]  dtn_log_read+0x82/0x120 [amdgpu]\n[  +0.000207]  full_proxy_read+0x66/0x90\n[  +0.000007]  vfs_read+0xb0/0x340\n[  +0.000005]  ? __count_memcg_events+0x79/0xe0\n[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  +0.000003]  ? count_memcg_events.constprop.0+0x1e/0x40\n[  +0.000003]  ? handle_mm_fault+0xb2/0x370\n[  +0.000003]  ksys_read+0x6b/0xf0\n[  +0.000004]  __x64_sys_read+0x19/0x20\n[  +0.000003]  do_syscall_64+0x60/0x130\n[  +0.000004]  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[  +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.",
  "id": "GHSA-vhrf-w875-h9vr",
  "modified": "2024-08-27T15:32:44Z",
  "published": "2024-08-26T12:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43901"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHWP-83W8-M7PM

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-13 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: felix: suppress non-changes to the tagging protocol

The way in which dsa_tree_change_tag_proto() works is that when dsa_tree_notify() fails, it doesn't know whether the operation failed mid way in a multi-switch tree, or it failed for a single-switch tree. So even though drivers need to fail cleanly in ds->ops->change_tag_protocol(), DSA will still call dsa_tree_notify() again, to restore the old tag protocol for potential switches in the tree where the change did succeeed (before failing for others).

This means for the felix driver that if we report an error in felix_change_tag_protocol(), we'll get another call where proto_ops == old_proto_ops. If we proceed to act upon that, we may do unexpected things. For example, we will call dsa_tag_8021q_register() twice in a row, without any dsa_tag_8021q_unregister() in between. Then we will actually call dsa_tag_8021q_unregister() via old_proto_ops->teardown, which (if it manages to run at all, after walking through corrupted data structures) will leave the ports inoperational anyway.

The bug can be readily reproduced if we force an error while in tag_8021q mode; this crashes the kernel.

echo ocelot-8021q > /sys/class/net/eno2/dsa/tagging echo edsa > /sys/class/net/eno2/dsa/tagging # -EPROTONOSUPPORT

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000014 Call trace: vcap_entry_get+0x24/0x124 ocelot_vcap_filter_del+0x198/0x270 felix_tag_8021q_vlan_del+0xd4/0x21c dsa_switch_tag_8021q_vlan_del+0x168/0x2cc dsa_switch_event+0x68/0x1170 dsa_tree_notify+0x14/0x34 dsa_port_tag_8021q_vlan_del+0x84/0x110 dsa_tag_8021q_unregister+0x15c/0x1c0 felix_tag_8021q_teardown+0x16c/0x180 felix_change_tag_protocol+0x1bc/0x230 dsa_switch_event+0x14c/0x1170 dsa_tree_change_tag_proto+0x118/0x1c0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: suppress non-changes to the tagging protocol\n\nThe way in which dsa_tree_change_tag_proto() works is that when\ndsa_tree_notify() fails, it doesn\u0027t know whether the operation failed\nmid way in a multi-switch tree, or it failed for a single-switch tree.\nSo even though drivers need to fail cleanly in\nds-\u003eops-\u003echange_tag_protocol(), DSA will still call dsa_tree_notify()\nagain, to restore the old tag protocol for potential switches in the\ntree where the change did succeeed (before failing for others).\n\nThis means for the felix driver that if we report an error in\nfelix_change_tag_protocol(), we\u0027ll get another call where proto_ops ==\nold_proto_ops. If we proceed to act upon that, we may do unexpected\nthings. For example, we will call dsa_tag_8021q_register() twice in a\nrow, without any dsa_tag_8021q_unregister() in between. Then we will\nactually call dsa_tag_8021q_unregister() via old_proto_ops-\u003eteardown,\nwhich (if it manages to run at all, after walking through corrupted data\nstructures) will leave the ports inoperational anyway.\n\nThe bug can be readily reproduced if we force an error while in\ntag_8021q mode; this crashes the kernel.\n\necho ocelot-8021q \u003e /sys/class/net/eno2/dsa/tagging\necho edsa \u003e /sys/class/net/eno2/dsa/tagging # -EPROTONOSUPPORT\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000014\nCall trace:\n vcap_entry_get+0x24/0x124\n ocelot_vcap_filter_del+0x198/0x270\n felix_tag_8021q_vlan_del+0xd4/0x21c\n dsa_switch_tag_8021q_vlan_del+0x168/0x2cc\n dsa_switch_event+0x68/0x1170\n dsa_tree_notify+0x14/0x34\n dsa_port_tag_8021q_vlan_del+0x84/0x110\n dsa_tag_8021q_unregister+0x15c/0x1c0\n felix_tag_8021q_teardown+0x16c/0x180\n felix_change_tag_protocol+0x1bc/0x230\n dsa_switch_event+0x14c/0x1170\n dsa_tree_change_tag_proto+0x118/0x1c0",
  "id": "GHSA-vhwp-83w8-m7pm",
  "modified": "2025-11-13T18:31:01Z",
  "published": "2025-06-18T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50063"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c46bb49460ee14c69629e813640d8b929e88941"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e432f157c3edc5a97a7244c666589a438f5e4d4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHWR-495G-JRF6

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01
VLAI
Details

Null pointer dereference vulnerability in parser_ispe function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-11T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Null pointer dereference vulnerability in parser_ispe function in libsimba library prior to SMR Apr-2022 Release 1 allows out of bounds write by remote attacker.",
  "id": "GHSA-vhwr-495g-jrf6",
  "modified": "2022-04-19T00:01:18Z",
  "published": "2022-04-12T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26096"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ54-FF4J-GQ2V

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:05
VLAI
Details

A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-18378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.",
  "id": "GHSA-vj54-ff4j-gq2v",
  "modified": "2024-04-04T07:05:25Z",
  "published": "2023-08-22T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WebAssembly/binaryen/issues/1900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ5W-QQ78-7XG8

Vulnerability from github – Published: 2026-01-02 15:30 – Updated: 2026-01-05 21:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-02T15:16:01Z",
    "severity": "LOW"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3256 build 20250913 and later\nQuTS hero h5.2.7.3256 build 20250913 and later\nQuTS hero h5.3.1.3250 build 20250912 and later",
  "id": "GHSA-vj5w-qq78-7xg8",
  "modified": "2026-01-05T21:30:30Z",
  "published": "2026-01-02T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53592"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.