CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-VQ44-QFG4-MFGG
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2024-03-01 03:30A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-13578"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T20:15:00Z",
"severity": "HIGH"
},
"details": "A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.",
"id": "GHSA-vq44-qfg4-mfgg",
"modified": "2024-03-01T03:30:34Z",
"published": "2022-05-24T17:41:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13578"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ8H-GHH5-4H7F
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().
syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0]
Since the cited commit, udp_lib_init_sock() can fail, as can udp_init_sock() and udpv6_init_sock().
Let's handle the error in udplite_sk_init() and udplitev6_sk_init().
[0]: BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 Read of size 4 at addr 0000000000000008 by task syz.2.18/2944
CPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 kasan_report+0xa2/0xe0 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read include/linux/instrumented.h:82 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline] udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906 udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064 ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438 ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6149 [inline] __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262 process_backlog+0x4d6/0x1160 net/core/dev.c:6614 __napi_poll+0xae/0x320 net/core/dev.c:7678 napi_poll net/core/dev.c:7741 [inline] net_rx_action+0x60d/0xdc0 net/core/dev.c:7893 handle_softirqs+0x209/0x8d0 kernel/softirq.c:622 do_softirq+0x52/0x90 kernel/softirq.c:523 __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246 ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984 udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442 udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469 udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3eb/0x580 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f67b4d9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8
{
"affected": [],
"aliases": [
"CVE-2026-43164"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:34Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nudplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().\n\nsyzbot reported null-ptr-deref of udp_sk(sk)-\u003eudp_prod_queue. [0]\n\nSince the cited commit, udp_lib_init_sock() can fail, as can\nudp_init_sock() and udpv6_init_sock().\n\nLet\u0027s handle the error in udplite_sk_init() and udplitev6_sk_init().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\nBUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719\nRead of size 4 at addr 0000000000000008 by task syz.2.18/2944\n\nCPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n kasan_report+0xa2/0xe0 mm/kasan/report.c:595\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200\n instrument_atomic_read include/linux/instrumented.h:82 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719\n __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline]\n udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906\n udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064\n ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489\n NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318\n ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500\n NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6149 [inline]\n __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262\n process_backlog+0x4d6/0x1160 net/core/dev.c:6614\n __napi_poll+0xae/0x320 net/core/dev.c:7678\n napi_poll net/core/dev.c:7741 [inline]\n net_rx_action+0x60d/0xdc0 net/core/dev.c:7893\n handle_softirqs+0x209/0x8d0 kernel/softirq.c:622\n do_softirq+0x52/0x90 kernel/softirq.c:523\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]\n __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246\n ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984\n udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442\n udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469\n udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xe5/0x270 net/socket.c:742\n __sys_sendto+0x3eb/0x580 net/socket.c:2206\n __do_sys_sendto net/socket.c:2213 [inline]\n __se_sys_sendto net/socket.c:2209 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2209\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f67b4d9c629\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8\n \u003c/TASK\u003e",
"id": "GHSA-vq8h-ghh5-4h7f",
"modified": "2026-05-08T15:31:16Z",
"published": "2026-05-06T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43164"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f13fa087ead642ea1eb5fdb6eb092c913ef06b7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/470c7ca2b4c3e3a51feeb952b7f97a775b5c49cd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f27030ac5bef47d997cfac05a3d188aa69f4df7f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQF7-574H-2GF3
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
{
"affected": [],
"aliases": [
"CVE-2020-13632"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.",
"id": "GHSA-vqf7-574h-2gf3",
"modified": "2022-05-24T17:18:44Z",
"published": "2022-05-24T17:18:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13632"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/chromium/issues/detail?id=1080459"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7KXQWHIY2MQP4LNM6ODWJENMXYYQYBN"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-26"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200608-0002"
},
{
"type": "WEB",
"url": "https://sqlite.org/src/info/a4dd148928ea65bd"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4394-1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQJ7-84PW-WC4R
Vulnerability from github – Published: 2022-05-17 02:26 – Updated: 2022-05-17 02:26Microsoft Windows 10 Gold, 1511, and 1607; Windows 8.1; Windows RT 8.1; Windows Server 2012 R2, and Windows Server 2016 do not properly handle certain requests in SMBv2 and SMBv3 packets, which allows remote attackers to execute arbitrary code via a crafted SMBv2 or SMBv3 packet to the Server service, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2017-0016"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-17T00:59:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows 10 Gold, 1511, and 1607; Windows 8.1; Windows RT 8.1; Windows Server 2012 R2, and Windows Server 2016 do not properly handle certain requests in SMBv2 and SMBv3 packets, which allows remote attackers to execute arbitrary code via a crafted SMBv2 or SMBv3 packet to the Server service, aka \"SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability.\"",
"id": "GHSA-vqj7-84pw-wc4r",
"modified": "2022-05-17T02:26:44Z",
"published": "2022-05-17T02:26:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0016"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0016"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95969"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037767"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQPV-2JR8-2HMP
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-15 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()
In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it may be NULL:
if (!jdi) mipi_dsi_detach(dsi);
However, when jdi is NULL, the function does not return and continues by calling jdi_panel_disable():
err = jdi_panel_disable(&jdi->base);
Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can lead to a NULL-pointer dereference:
struct jdi_panel *jdi = to_panel_jdi(panel); backlight_disable(jdi->backlight);
To prevent such a potential NULL-pointer dereference, return early from jdi_panel_dsi_remove() when jdi is NULL.
{
"affected": [],
"aliases": [
"CVE-2026-43300"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T14:16:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()\n\nIn jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it\nmay be NULL:\n\n if (!jdi)\n mipi_dsi_detach(dsi);\n\nHowever, when jdi is NULL, the function does not return and continues by\ncalling jdi_panel_disable():\n\n err = jdi_panel_disable(\u0026jdi-\u003ebase);\n\nInside jdi_panel_disable(), jdi is dereferenced unconditionally, which can\nlead to a NULL-pointer dereference:\n\n struct jdi_panel *jdi = to_panel_jdi(panel);\n backlight_disable(jdi-\u003ebacklight);\n\nTo prevent such a potential NULL-pointer dereference, return early from\njdi_panel_dsi_remove() when jdi is NULL.",
"id": "GHSA-vqpv-2jr8-2hmp",
"modified": "2026-05-15T15:30:33Z",
"published": "2026-05-08T15:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43300"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f5427d8726b22b807beec248d7d6bf88e291e0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/83ce0085fabf757b039322928188ad78e962d609"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95eed73b871111123a8b1d31cb1fce7e902e49ea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec2f37bbb733cdd7ed7d04171fca728a532414d5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQQW-285R-PW6X
Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-04-23 21:31In the Linux kernel, the following vulnerability has been resolved:
arm_mpam: Fix null pointer dereference when restoring bandwidth counters
When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to restore the configuration of the bandwidth counters. It doesn't care about the value read, mbwu_arg.val, and doesn't set it leading to a null pointer dereference when __ris_msmon_read() adds to it. This results in a kernel oops with a call trace such as:
Call trace: __ris_msmon_read+0x19c/0x64c (P) mpam_restore_mbwu_state+0xa0/0xe8 smp_call_on_cpu_callback+0x1c/0x38 process_one_work+0x154/0x4b4 worker_thread+0x188/0x310 kthread+0x11c/0x130 ret_from_fork+0x10/0x20
Provide a local variable for val to avoid __ris_msmon_read() dereferencing a null pointer when adding to val.
{
"affected": [],
"aliases": [
"CVE-2026-23433"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T16:16:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm_mpam: Fix null pointer dereference when restoring bandwidth counters\n\nWhen an MSC supporting memory bandwidth monitoring is brought offline and\nthen online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to\nrestore the configuration of the bandwidth counters. It doesn\u0027t care about\nthe value read, mbwu_arg.val, and doesn\u0027t set it leading to a null pointer\ndereference when __ris_msmon_read() adds to it. This results in a kernel\noops with a call trace such as:\n\nCall trace:\n__ris_msmon_read+0x19c/0x64c (P)\nmpam_restore_mbwu_state+0xa0/0xe8\nsmp_call_on_cpu_callback+0x1c/0x38\nprocess_one_work+0x154/0x4b4\nworker_thread+0x188/0x310\nkthread+0x11c/0x130\nret_from_fork+0x10/0x20\n\nProvide a local variable for val to avoid __ris_msmon_read() dereferencing\na null pointer when adding to val.",
"id": "GHSA-vqqw-285r-pw6x",
"modified": "2026-04-23T21:31:18Z",
"published": "2026-04-03T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23433"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac3e12bc195786d3d44d730b5b2259fd36191848"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQXQ-CHHR-677M
Vulnerability from github – Published: 2025-07-07 03:30 – Updated: 2025-07-07 03:30Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.
{
"affected": [],
"aliases": [
"CVE-2025-53182"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T03:15:29Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference vulnerability in the PDF preview module\nImpact: Successful exploitation of this vulnerability may affect function stability.",
"id": "GHSA-vqxq-chhr-677m",
"modified": "2025-07-07T03:30:23Z",
"published": "2025-07-07T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53182"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR29-W5CG-Q4XV
Vulnerability from github – Published: 2024-12-07 00:31 – Updated: 2024-12-12 03:33Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble was discovered to contain a NULL pointer dereference via the component computeControl().
{
"affected": [],
"aliases": [
"CVE-2024-44853"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T22:15:21Z",
"severity": "HIGH"
},
"details": "Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble was discovered to contain a NULL pointer dereference via the component computeControl().",
"id": "GHSA-vr29-w5cg-q4xv",
"modified": "2024-12-12T03:33:00Z",
"published": "2024-12-07T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44853"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/issues/4547"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/pull/4548"
},
{
"type": "WEB",
"url": "https://github.com/GoesM/ROS-CVE-CNVDs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR35-F6M3-RH89
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-01-06 21:30In the Linux kernel, the following vulnerability has been resolved:
tls: fix NULL deref on tls_sw_splice_eof() with empty record
syzkaller discovered that if tls_sw_splice_eof() is executed as part of
sendfile() when the plaintext/ciphertext sk_msg are empty, the send path
gets confused because the empty ciphertext buffer does not have enough
space for the encryption overhead. This causes tls_push_record() to go on
the split = true path (which is only supposed to be used when interacting
with an attached BPF program), and then get further confused and hit the
tls_merge_open_record() path, which then assumes that there must be at
least one populated buffer element, leading to a NULL deref.
It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path. tls_sw_push_pending_record() already handles this case correctly; let's do the same check in tls_sw_splice_eof().
{
"affected": [],
"aliases": [
"CVE-2023-52767"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let\u0027s do\nthe same check in tls_sw_splice_eof().",
"id": "GHSA-vr35-f6m3-rh89",
"modified": "2025-01-06T21:30:49Z",
"published": "2024-05-21T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52767"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR4R-JM4F-GRC9
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2023-01-27 21:31Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, mishandles an HTTP request with a Range header that lacks an exact range. This may result in a NULL pointer dereference and cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-15689"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-13T14:15:00Z",
"severity": "MODERATE"
},
"details": "Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, mishandles an HTTP request with a Range header that lacks an exact range. This may result in a NULL pointer dereference and cause a denial of service.",
"id": "GHSA-vr4r-jm4f-grc9",
"modified": "2023-01-27T21:31:11Z",
"published": "2022-05-24T17:22:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15689"
},
{
"type": "WEB",
"url": "https://github.com/embedthis/appweb-gpl/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/embedthis/appweb-gpl/issues/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.