Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-W9G3-HJ99-CJRW

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Null pointer dereference in Windows Image Acquisition allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:30Z",
    "severity": "HIGH"
  },
  "details": "Null pointer dereference in Windows Image Acquisition allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-w9g3-hj99-cjrw",
  "modified": "2026-07-14T18:32:15Z",
  "published": "2026-07-14T18:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50315"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50315"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9GM-5Q74-CXMG

Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2026-05-12 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/hisilicon/hibmc: fix the hibmc loaded failed bug

When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not init, which will access an NULL pointer. Just change goto statement to return, because hibnc_hw_init() doesn't need to free anything.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T17:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/hisilicon/hibmc: fix the hibmc loaded failed bug\n\nWhen hibmc loaded failed, the driver use hibmc_unload to free the\nresource, but the mutexes in mode.config are not init, which will\naccess an NULL pointer. Just change goto statement to return, because\nhibnc_hw_init() doesn\u0027t need to free anything.",
  "id": "GHSA-w9gm-5q74-cxmg",
  "modified": "2026-05-12T15:31:07Z",
  "published": "2025-09-11T18:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39772"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93a08f856fcc5aaeeecad01f71bef3088588216a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a4f1b9c57092c48bdc7958abd23403ccaed437b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c950e1be3a24d021475b56efdb49daa7fbba63a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3e774266c28aefab3e9db334fdf568f936cae04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddf1691f25345699296e642f0f59f2d464722fa3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f93032e5d68f459601c701f6ab087b5feb3382e8"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9RV-XC8M-CMQP

Vulnerability from github – Published: 2026-01-27 18:32 – Updated: 2026-05-12 15:31
VLAI
Details

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T16:16:34Z",
    "severity": "HIGH"
  },
  "details": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer\ndereference in the PKCS12_item_decrypt_d2i_ex() function.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to\nDenial of Service for an application processing PKCS#12 files.\n\nThe PKCS12_item_decrypt_d2i_ex() function does not check whether the oct\nparameter is NULL before dereferencing it. When called from\nPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can\nbe NULL, causing a crash. The vulnerability is limited to Denial of Service\nand cannot be escalated to achieve code execution or memory disclosure.\n\nExploiting this issue requires an attacker to provide a malformed PKCS#12 file\nto an application that processes it. For that reason the issue was assessed as\nLow severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
  "id": "GHSA-w9rv-xc8m-cmqp",
  "modified": "2026-05-12T15:31:14Z",
  "published": "2026-01-27T18:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69421"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20260127.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9VW-69GR-J5W3

Vulnerability from github – Published: 2021-12-03 00:00 – Updated: 2023-09-06 03:30
VLAI
Details

AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-02T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.",
  "id": "GHSA-w9vw-69gr-j5w3",
  "modified": "2023-09-06T03:30:19Z",
  "published": "2021-12-03T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36130"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/aomedia/issues/detail?id=2905\u0026q=\u0026can=1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-32"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9WH-Q8V9-3RWF

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()

On some machines the number of listed CPUs may be bigger than the actual CPUs that exist. The tracing subsystem allocates a per_cpu directory with access to the per CPU ring buffer via a cpuX file. But to save space, the ring buffer will only allocate buffers for online CPUs, even though the CPU array will be as big as the nr_cpu_ids.

With the addition of waking waiters on the ring buffer when closing the file, the ring_buffer_wake_waiters() now needs to make sure that the buffer is allocated (with the irq_work allocated with it) before trying to wake waiters, as it will cause a NULL pointer dereference.

While debugging this, I added a NULL check for the buffer itself (which is OK to do), and also NULL pointer checks against buffer->buffers (which is not fine, and will WARN) as well as making sure the CPU number passed in is within the nr_cpu_ids (which is also not fine if it isn't).

Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters()\n\nOn some machines the number of listed CPUs may be bigger than the actual\nCPUs that exist. The tracing subsystem allocates a per_cpu directory with\naccess to the per CPU ring buffer via a cpuX file. But to save space, the\nring buffer will only allocate buffers for online CPUs, even though the\nCPU array will be as big as the nr_cpu_ids.\n\nWith the addition of waking waiters on the ring buffer when closing the\nfile, the ring_buffer_wake_waiters() now needs to make sure that the\nbuffer is allocated (with the irq_work allocated with it) before trying to\nwake waiters, as it will cause a NULL pointer dereference.\n\nWhile debugging this, I added a NULL check for the buffer itself (which is\nOK to do), and also NULL pointer checks against buffer-\u003ebuffers (which is\nnot fine, and will WARN) as well as making sure the CPU number passed in\nis within the nr_cpu_ids (which is also not fine if it isn\u0027t).\n\n\nBugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1204705",
  "id": "GHSA-w9wh-q8v9-3rwf",
  "modified": "2025-05-07T15:31:26Z",
  "published": "2025-05-01T15:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49889"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49ca992f6e50d0f46ec9608f44e011cf3121f389"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7433632c9ff68a991bd0bc38cabf354e9d2de410"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5074df412bf3df9d6ce096b6fa03eb1082d05c9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9WM-69P8-G28Q

Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-05-21 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xfs: check for deleted cursors when revalidating two btrees

The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone.

However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call. His root-cause analysis is as follows (with minor corrections):

In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first for BNOBT, second for CNTBT). The cause of this issue is that the first call nullified the cursor required by the second call.

Let's first enter xrep_revalidate_allocbt() via following call chain:

xfs_file_ioctl() -> xfs_ioc_scrubv_metadata() -> xfs_scrub_metadata() -> sc->ops->repair_eval(sc) -> xrep_revalidate_allocbt()

xchk_allocbt() is called twice in this function. In the first call:

/ Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now / xchk_allocbt() -> xchk_btree() -> bs->scrub_rec(bs, recp) -> xchk_allocbt_rec() -> xchk_allocbt_xref() -> xchk_allocbt_xref_other()

since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur. Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call chain:

xfs_alloc_get_rec() -> xfs_btree_get_rec() -> xfs_btree_check_block() -> (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter is true, return -EFSCORRUPTED. This should be caused by ioctl$XFS_IOC_ERROR_INJECTION I guess.

Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this function, *curpp (points to sc->sa.cnt_cur) is nullified.

Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been nullified, it then triggered null-ptr-deref via xchk_allocbt() (second call) -> xchk_btree().

So. The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt. Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete. Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt.

Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-18T18:16:22Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check for deleted cursors when revalidating two btrees\n\nThe free space and inode btree repair functions will rebuild both btrees\nat the same time, after which it needs to evaluate both btrees to\nconfirm that the corruptions are gone.\n\nHowever, Jiaming Zhang ran syzbot and produced a crash in the second\nxchk_allocbt call.  His root-cause analysis is as follows (with minor\ncorrections):\n\n In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first\n for BNOBT, second for CNTBT). The cause of this issue is that the\n first call nullified the cursor required by the second call.\n\n Let\u0027s first enter xrep_revalidate_allocbt() via following call chain:\n\n xfs_file_ioctl() -\u003e\n xfs_ioc_scrubv_metadata() -\u003e\n xfs_scrub_metadata() -\u003e\n `sc-\u003eops-\u003erepair_eval(sc)` -\u003e\n xrep_revalidate_allocbt()\n\n xchk_allocbt() is called twice in this function. In the first call:\n\n /* Note that sc-\u003esm-\u003esm_type is XFS_SCRUB_TYPE_BNOPT now */\n xchk_allocbt() -\u003e\n xchk_btree() -\u003e\n `bs-\u003escrub_rec(bs, recp)` -\u003e\n xchk_allocbt_rec() -\u003e\n xchk_allocbt_xref() -\u003e\n xchk_allocbt_xref_other()\n\n since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to \u0026sc-\u003esa.cnt_cur.\n Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call\n chain:\n\n xfs_alloc_get_rec() -\u003e\n xfs_btree_get_rec() -\u003e\n xfs_btree_check_block() -\u003e\n (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter\n is true, return -EFSCORRUPTED. This should be caused by\n ioctl$XFS_IOC_ERROR_INJECTION I guess.\n\n Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from\n xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this\n function, *curpp (points to sc-\u003esa.cnt_cur) is nullified.\n\n Back to xrep_revalidate_allocbt(), since sc-\u003esa.cnt_cur has been\n nullified, it then triggered null-ptr-deref via xchk_allocbt() (second\n call) -\u003e xchk_btree().\n\nSo.  The bnobt revalidation failed on a cross-reference attempt, so we\ndeleted the cntbt cursor, and then crashed when we tried to revalidate\nthe cntbt.  Therefore, check for a null cntbt cursor before that\nrevalidation, and mark the repair incomplete.  Also we can ignore the\nsecond tree entirely if the first tree was rebuilt but is already\ncorrupt.\n\nApply the same fix to xrep_revalidate_iallocbt because it has the same\nproblem.",
  "id": "GHSA-w9wm-69p8-g28q",
  "modified": "2026-05-21T21:30:28Z",
  "published": "2026-03-18T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23249"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/55e03b8cbe2783ec9acfb88e8adb946ed504e117"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5991e96f2ae82df60a3e4ed00f3432d9f3502a99"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b04baa848c0543b240b1bd8aecff470382f6f154"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d69de525bc7ab27713342080bf50826df3f6a68f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W9XJ-XJ3X-QGJH

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: lag: Check for LAG device before creating debugfs

__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error occurs that is handled gracefully. Consequently, the initialization flow proceeds to call mlx5_ldev_add_debugfs() even when there is no valid LAG context.

mlx5_ldev_add_debugfs() blindly created the debugfs directory and attributes. This exposed interfaces (like the members file) that rely on a valid ldev pointer, leading to potential NULL pointer dereferences if accessed when ldev is NULL.

Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer before attempting to create the debugfs entries.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:45Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: lag: Check for LAG device before creating debugfs\n\n__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error\noccurs that is handled gracefully. Consequently, the initialization\nflow proceeds to call mlx5_ldev_add_debugfs() even when there is no\nvalid LAG context.\n\nmlx5_ldev_add_debugfs() blindly created the debugfs directory and\nattributes. This exposed interfaces (like the members file) that rely on\na valid ldev pointer, leading to potential NULL pointer dereferences if\naccessed when ldev is NULL.\n\nAdd a check to verify that mlx5_lag_dev(dev) returns a valid pointer\nbefore attempting to create the debugfs entries.",
  "id": "GHSA-w9xj-xj3x-qgjh",
  "modified": "2026-05-07T21:30:24Z",
  "published": "2026-05-01T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43013"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7129632cab3e4d23510b21930aa73b8d97a859f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89c65f2fcd8801365b410f40a427cbcd7f4c28e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3db46d5f4df92630a96f7bc77b60e75c2353e06"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf16bca6653679d8a514d6c1c5a2c67065033f14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c53cf44588a93000f71817a6bb87a66353c48dee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cfa774e6c920c81e700327bf10db8cb50d5db456"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC43-284G-PQR5

Vulnerability from github – Published: 2021-12-31 00:00 – Updated: 2022-01-07 00:00
VLAI
Details

mruby is vulnerable to NULL Pointer Dereference

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-30T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "mruby is vulnerable to NULL Pointer Dereference",
  "id": "GHSA-wc43-284g-pqr5",
  "modified": "2022-01-07T00:00:57Z",
  "published": "2021-12-31T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mruby/mruby/commit/27d1e0132a0804581dca28df042e7047fd27eaa8"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/78533fb9-f3e0-47c2-86dc-d1f96d5bea28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WC54-J9WV-P9V7

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot

It is not yet clear, but it is possible to create a firmware so broken that it will send a reply message before a FW_READY message (it is not yet clear if FW_READY will arrive later). Since the reply_data is allocated only after the FW_READY message, this will lead to a NULL pointer dereference if not filtered out.

The issue was reported with IPC4 firmware but the same condition is present for IPC3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot\n\nIt is not yet clear, but it is possible to create a firmware so broken\nthat it will send a reply message before a FW_READY message (it is not\nyet clear if FW_READY will arrive later).\nSince the reply_data is allocated only after the FW_READY message, this\nwill lead to a NULL pointer dereference if not filtered out.\n\nThe issue was reported with IPC4 firmware but the same condition is present\nfor IPC3.",
  "id": "GHSA-wc54-j9wv-p9v7",
  "modified": "2025-11-14T18:31:26Z",
  "published": "2025-06-18T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50016"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/230f646085d17a008b609eb8fe8befb8811868f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/acacd9eefd0def5a83244d88e5483b5f38ee7287"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC5C-CP88-2X6Q

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-23 18:31
VLAI
Details

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP Initial UE Message packet missing an expected eNB_UE_S1AP_ID field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T23:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma \u003c= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Initial UE Message` packet missing an expected `eNB_UE_S1AP_ID` field.",
  "id": "GHSA-wc5c-cp88-2x6q",
  "modified": "2025-01-23T18:31:18Z",
  "published": "2025-01-22T00:33:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37030"
    },
    {
      "type": "WEB",
      "url": "https://cellularsecurity.org/ransacked"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.