Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-VMC2-J3GF-MVPP

Vulnerability from github – Published: 2023-05-09 03:30 – Updated: 2024-04-04 03:54
VLAI
Details

In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-09T02:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.",
  "id": "GHSA-vmc2-j3gf-mvpp",
  "modified": "2024-04-04T03:54:15Z",
  "published": "2023-05-09T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48241"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1654776866982133761"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMHM-G2HV-X7WJ

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-06 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM

We currently assume that there is at least one VMA in a MM, which isn't true.

So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL.

This fixes the report:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline] RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194 Code: ... RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000 RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044 RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1 R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003 R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8 FS: 00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline] __se_sys_migrate_pages mm/mempolicy.c:1723 [inline] __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[akpm@linux-foundation.org: add unlikely()]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:20Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM\n\nWe currently assume that there is at least one VMA in a MM, which isn\u0027t\ntrue.\n\nSo we might end up having find_vma() return NULL, to then de-reference\nNULL.  So properly handle find_vma() returning NULL.\n\nThis fixes the report:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024\nRIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline]\nRIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194\nCode: ...\nRSP: 0018:ffffc9000375fd08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000\nRDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044\nRBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1\nR10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003\nR13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8\nFS:  00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709\n __do_sys_migrate_pages mm/mempolicy.c:1727 [inline]\n __se_sys_migrate_pages mm/mempolicy.c:1723 [inline]\n __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[akpm@linux-foundation.org: add unlikely()]",
  "id": "GHSA-vmhm-g2hv-x7wj",
  "modified": "2025-01-06T18:31:00Z",
  "published": "2024-12-27T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56611"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/091c1dd2d4df6edd1beebe0e5863d4034ade9572"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42d9fe2adf8613f9eea1f0c2619c9e2611eae0ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a13b2b9b0b0b04612c7d81e3b3dfb485c5f7abc3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMPQ-WPXG-R7RP

Vulnerability from github – Published: 2024-02-22 18:30 – Updated: 2024-03-18 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: netdevsim: don't try to destroy PHC on VFs

PHC gets initialized in nsim_init_netdevsim(), which is only called if (nsim_dev_port_is_pf()).

Create a counterpart of nsim_init_netdevsim() and move the mock_phc_destroy() there.

This fixes a crash trying to destroy netdevsim with VFs instantiated, as caught by running the devlink.sh test:

BUG: kernel NULL pointer dereference, address: 00000000000000b8
RIP: 0010:mock_phc_destroy+0xd/0x30
Call Trace:
 <TASK>
 nsim_destroy+0x4a/0x70 [netdevsim]
 __nsim_dev_port_del+0x47/0x70 [netdevsim]
 nsim_dev_reload_destroy+0x105/0x120 [netdevsim]
 nsim_drv_remove+0x2f/0xb0 [netdevsim]
 device_release_driver_internal+0x1a1/0x210
 bus_remove_device+0xd5/0x120
 device_del+0x159/0x490
 device_unregister+0x12/0x30
 del_device_store+0x11a/0x1a0 [netdevsim]
 kernfs_fop_write_iter+0x130/0x1d0
 vfs_write+0x30b/0x4b0
 ksys_write+0x69/0xf0
 do_syscall_64+0xcc/0x1e0
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-22T17:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netdevsim: don\u0027t try to destroy PHC on VFs\n\nPHC gets initialized in nsim_init_netdevsim(), which\nis only called if (nsim_dev_port_is_pf()).\n\nCreate a counterpart of nsim_init_netdevsim() and\nmove the mock_phc_destroy() there.\n\nThis fixes a crash trying to destroy netdevsim with\nVFs instantiated, as caught by running the devlink.sh test:\n\n    BUG: kernel NULL pointer dereference, address: 00000000000000b8\n    RIP: 0010:mock_phc_destroy+0xd/0x30\n    Call Trace:\n     \u003cTASK\u003e\n     nsim_destroy+0x4a/0x70 [netdevsim]\n     __nsim_dev_port_del+0x47/0x70 [netdevsim]\n     nsim_dev_reload_destroy+0x105/0x120 [netdevsim]\n     nsim_drv_remove+0x2f/0xb0 [netdevsim]\n     device_release_driver_internal+0x1a1/0x210\n     bus_remove_device+0xd5/0x120\n     device_del+0x159/0x490\n     device_unregister+0x12/0x30\n     del_device_store+0x11a/0x1a0 [netdevsim]\n     kernfs_fop_write_iter+0x130/0x1d0\n     vfs_write+0x30b/0x4b0\n     ksys_write+0x69/0xf0\n     do_syscall_64+0xcc/0x1e0\n     entry_SYSCALL_64_after_hwframe+0x6f/0x77",
  "id": "GHSA-vmpq-wpxg-r7rp",
  "modified": "2024-03-18T18:32:17Z",
  "published": "2024-02-22T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26587"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08aca65997fb6f233066883b1f1e653bcb1f26ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5068e442eed063d2f1658e6b6d3c1c6fcf1e588"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea937f77208323d35ffe2f8d8fc81b00118bfcda"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMQ7-2PQH-RJ6G

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-27 00:00
VLAI
Details

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating multicast DNS (mDNS) queries. An attacker could exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, which would flow through and be processed by the wireless controller. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating multicast DNS (mDNS) queries. An attacker could exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, which would flow through and be processed by the wireless controller. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition.",
  "id": "GHSA-vmq7-2pqh-rj6g",
  "modified": "2022-04-27T00:00:35Z",
  "published": "2022-04-16T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20682"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMVF-F857-43V5

Vulnerability from github – Published: 2025-02-12 15:31 – Updated: 2025-02-14 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: dell-uart-backlight: fix serdev race

The dell_uart_bl_serdev_probe() function calls devm_serdev_device_open() before setting the client ops via serdev_device_set_client_ops(). This ordering can trigger a NULL pointer dereference in the serdev controller's receive_buf handler, as it assumes serdev->ops is valid when SERPORT_ACTIVE is set.

This is similar to the issue fixed in commit 5e700b384ec1 ("platform/chrome: cros_ec_uart: properly fix race condition") where devm_serdev_device_open() was called before fully initializing the device.

Fix the race by ensuring client ops are set before enabling the port via devm_serdev_device_open().

Note, serdev_device_set_baudrate() and serdev_device_set_flow_control() calls should be after the devm_serdev_device_open() call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-uart-backlight: fix serdev race\n\nThe dell_uart_bl_serdev_probe() function calls devm_serdev_device_open()\nbefore setting the client ops via serdev_device_set_client_ops(). This\nordering can trigger a NULL pointer dereference in the serdev controller\u0027s\nreceive_buf handler, as it assumes serdev-\u003eops is valid when\nSERPORT_ACTIVE is set.\n\nThis is similar to the issue fixed in commit 5e700b384ec1\n(\"platform/chrome: cros_ec_uart: properly fix race condition\") where\ndevm_serdev_device_open() was called before fully initializing the\ndevice.\n\nFix the race by ensuring client ops are set before enabling the port via\ndevm_serdev_device_open().\n\nNote, serdev_device_set_baudrate() and serdev_device_set_flow_control()\ncalls should be after the devm_serdev_device_open() call.",
  "id": "GHSA-vmvf-f857-43v5",
  "modified": "2025-02-14T18:30:49Z",
  "published": "2025-02-12T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21695"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b2128aa2d45ab20b22548dcf4b48906298ca7fd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3a24d923333f75aaece9acb051d676edc0afb75"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMWG-3CWG-GCCP

Vulnerability from github – Published: 2025-04-29 03:30 – Updated: 2025-04-29 18:30
VLAI
Details

A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4. An attacker on the local network may be able to cause a denial-of-service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T03:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4, visionOS 2.4. An attacker on the local network may be able to cause a denial-of-service.",
  "id": "GHSA-vmwg-3cwg-gccp",
  "modified": "2025-04-29T18:30:57Z",
  "published": "2025-04-29T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31202"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122371"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122377"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP37-F5JX-GPCX

Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: spi-imx: Add check for spi_imx_setupxfer()

Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: 0x0 spi_imx_pio_transfer+0x50/0xd8 spi_imx_transfer_one+0x18c/0x858 spi_transfer_one_message+0x43c/0x790 __spi_pump_transfer_message+0x238/0x5d4 __spi_sync+0x2b0/0x454 spi_write_then_read+0x11c/0x200

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T07:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-imx: Add check for spi_imx_setupxfer()\n\nAdd check for the return value of spi_imx_setupxfer().\nspi_imx-\u003erx and spi_imx-\u003etx function pointer can be NULL when\nspi_imx_setupxfer() return error, and make NULL pointer dereference.\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Call trace:\n  0x0\n  spi_imx_pio_transfer+0x50/0xd8\n  spi_imx_transfer_one+0x18c/0x858\n  spi_transfer_one_message+0x43c/0x790\n  __spi_pump_transfer_message+0x238/0x5d4\n  __spi_sync+0x2b0/0x454\n  spi_write_then_read+0x11c/0x200",
  "id": "GHSA-vp37-f5jx-gpcx",
  "modified": "2025-11-03T21:33:47Z",
  "published": "2025-05-08T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37801"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/055ef73bb1afc3f783a9a13b496770a781964a07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/185d376875ea6fb4256b9dc97ee0b4d2b0fdd399"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b4479eb462ecb39001b38dfb331fc6028dedac8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2fea0d6d7b5d27fbf55512d51851ba0a346ede52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/951a04ab3a2db4029debfa48d380ef834b93207e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP64-5QR9-M88V

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-12-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix dereferencing invalid pmd migration entry

When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target.

Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for."

BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The bug is found by syzkaller on an internal kernel, then confirmed on upstream.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:34Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below.  To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early.  In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio.  Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream.",
  "id": "GHSA-vp64-5qr9-m88v",
  "modified": "2025-12-16T21:30:49Z",
  "published": "2025-05-20T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37958"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP7V-X8X5-FJ5P

Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2026-01-07 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl818x: Kill URBs before clearing tx status queue

In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb.

BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] Call Trace: rtl8187_tx_cb+0x116/0x150 [rtl8187] __usb_hcd_giveback_urb+0x9d/0x120 usb_giveback_urb_bh+0xbb/0x140 process_one_work+0x19b/0x3c0 bh_worker+0x1a7/0x210 tasklet_action+0x10/0x30 handle_softirqs+0xf0/0x340 __irq_exit_rcu+0xcd/0xf0 common_interrupt+0x85/0xa0

Tested on RTL8187BvE device.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. This change prevents callbacks from using already freed\nskb due to anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n  \u003cIRQ\u003e\n  rtl8187_tx_cb+0x116/0x150 [rtl8187]\n  __usb_hcd_giveback_urb+0x9d/0x120\n  usb_giveback_urb_bh+0xbb/0x140\n  process_one_work+0x19b/0x3c0\n  bh_worker+0x1a7/0x210\n  tasklet_action+0x10/0x30\n  handle_softirqs+0xf0/0x340\n  __irq_exit_rcu+0xcd/0xf0\n  common_interrupt+0x85/0xa0\n  \u003c/IRQ\u003e\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
  "id": "GHSA-vp7v-x8x5-fj5p",
  "modified": "2026-01-07T21:31:39Z",
  "published": "2025-08-19T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38604"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP8C-VQQ5-23J3

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-02 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: check for null return of devm_kzalloc() in dpu_writeback_init()

Because of the possilble failure of devm_kzalloc(), dpu_wb_conn might be NULL and will cause null pointer dereference later.

Therefore, it might be better to check it and directly return -ENOMEM.

Patchwork: https://patchwork.freedesktop.org/patch/512277/ [DB: fixed typo in commit message]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T08:15:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for null return of devm_kzalloc() in dpu_writeback_init()\n\nBecause of the possilble failure of devm_kzalloc(), dpu_wb_conn might\nbe NULL and will cause null pointer dereference later.\n\nTherefore, it might be better to check it and directly return -ENOMEM.\n\nPatchwork: https://patchwork.freedesktop.org/patch/512277/\n[DB: fixed typo in commit message]",
  "id": "GHSA-vp8c-vqq5-23j3",
  "modified": "2025-12-02T21:31:26Z",
  "published": "2025-09-16T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53284"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21e9a838f505178e109ccb3bf19d7808eb0326f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3723c4dbcd14cc96771000ce0b0540801e6ba059"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ee51b19855c5dd72aca57b8014f3b70d7798733"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.