Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-WM6M-R6VF-23QH

Vulnerability from github – Published: 2025-07-22 18:30 – Updated: 2025-11-03 21:34
VLAI
Details

A null pointer dereference vulnerability exists in the Distributed Transaction component of Bloomberg Comdb2 8.1 when processing a number of fields used for coordination. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T16:15:29Z",
    "severity": "HIGH"
  },
  "details": "A null pointer dereference vulnerability exists in the Distributed Transaction component of Bloomberg Comdb2 8.1 when processing a number of fields used for coordination. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability.",
  "id": "GHSA-wm6m-r6vf-23qh",
  "modified": "2025-11-03T21:34:10Z",
  "published": "2025-07-22T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48498"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2199"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2199"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM6X-77V8-PPG5

Vulnerability from github – Published: 2022-05-14 01:06 – Updated: 2022-05-14 01:06
VLAI
Details

The readEncUInt30 function in util/read.c in libming 0.4.8 mishandles memory allocation. A crafted input will lead to a remote denial of service (NULL pointer dereference) attack against parser.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-28T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The readEncUInt30 function in util/read.c in libming 0.4.8 mishandles memory allocation. A crafted input will lead to a remote denial of service (NULL pointer dereference) attack against parser.c.",
  "id": "GHSA-wm6x-77v8-ppg5",
  "modified": "2022-05-14T01:06:50Z",
  "published": "2022-05-14T01:06:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libming/libming/issues/85"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201904-24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMCC-JCCV-479C

Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2023-05-27 06:30
VLAI
Details

A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_hinter_finalize function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-10T14:11:00Z",
    "severity": "MODERATE"
  },
  "details": "A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_hinter_finalize function.",
  "id": "GHSA-wmcc-jccv-479c",
  "modified": "2023-05-27T06:30:37Z",
  "published": "2022-01-11T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/2008"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMF9-7MPH-R64C

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2024-03-01 03:30
VLAI
Details

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.",
  "id": "GHSA-wmf9-7mph-r64c",
  "modified": "2024-03-01T03:30:34Z",
  "published": "2022-05-24T17:41:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13577"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMHH-C8HM-26VQ

Vulnerability from github – Published: 2026-01-02 15:30 – Updated: 2026-01-05 21:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-02T15:16:01Z",
    "severity": "LOW"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3256 build 20250913 and later\nQuTS hero h5.2.7.3256 build 20250913 and later\nQuTS hero h5.3.1.3250 build 20250912 and later",
  "id": "GHSA-wmhh-c8hm-26vq",
  "modified": "2026-01-05T21:30:30Z",
  "published": "2026-01-02T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53589"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WMPP-P439-V4X7

Vulnerability from github – Published: 2025-09-23 06:30 – Updated: 2025-12-11 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error

The function move_dirty_folio_in_page_array() was created by commit ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method") by moving code from ceph_writepages_start() to this function.

This new function is supposed to return an error code which is checked by the caller (now ceph_process_folio_batch()), and on error, the caller invokes redirty_page_for_writepage() and then breaks from the loop.

However, the refactoring commit has gone wrong, and it by accident, it always returns 0 (= success) because it first NULLs the pointer and then returns PTR_ERR(NULL) which is always 0. This means errors are silently ignored, leaving NULL entries in the page array, which may later crash the kernel.

The simple solution is to call PTR_ERR() before clearing the pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-23T06:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix crash after fscrypt_encrypt_pagecache_blocks() error\n\nThe function move_dirty_folio_in_page_array() was created by commit\nce80b76dd327 (\"ceph: introduce ceph_process_folio_batch() method\") by\nmoving code from ceph_writepages_start() to this function.\n\nThis new function is supposed to return an error code which is checked\nby the caller (now ceph_process_folio_batch()), and on error, the\ncaller invokes redirty_page_for_writepage() and then breaks from the\nloop.\n\nHowever, the refactoring commit has gone wrong, and it by accident, it\nalways returns 0 (= success) because it first NULLs the pointer and\nthen returns PTR_ERR(NULL) which is always 0.  This means errors are\nsilently ignored, leaving NULL entries in the page array, which may\nlater crash the kernel.\n\nThe simple solution is to call PTR_ERR() before clearing the pointer.",
  "id": "GHSA-wmpp-p439-v4x7",
  "modified": "2025-12-11T21:31:26Z",
  "published": "2025-09-23T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39878"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/249e0a47cdb46bb9eae65511c569044bd8698d7d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd1616ecbea920d228c56729461ed223cc501425"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMPW-GFMR-GV4V

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr__copy_except() in libyasm/expr.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr__copy_except() in libyasm/expr.c.",
  "id": "GHSA-wmpw-gfmr-gv4v",
  "modified": "2022-07-29T00:00:34Z",
  "published": "2022-07-27T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yasm/yasm/issues/174"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMQH-98VP-WHH4

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:01
VLAI
Details

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-wmqh-98vp-whh4",
  "modified": "2022-01-22T00:01:56Z",
  "published": "2022-01-15T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44740"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WMR5-8RGC-R7P9

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ublk: fix handling recovery & reissue in ublk_abort_queue()

Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command.

If it is one zc request, the request can be freed before io_uring returns the zc buffer back, then cause kernel panic:

[ 126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8 [ 126.773657] #PF: supervisor read access in kernel mode [ 126.774052] #PF: error_code(0x0000) - not-present page [ 126.774455] PGD 0 P4D 0 [ 126.774698] Oops: Oops: 0000 [#1] SMP NOPTI [ 126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full) [ 126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 [ 126.776275] Workqueue: iou_exit io_ring_exit_work [ 126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]

Fixes it by always grabbing request reference for aborting the request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T13:15:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix handling recovery \u0026 reissue in ublk_abort_queue()\n\nCommit 8284066946e6 (\"ublk: grab request reference when the request is handled\nby userspace\") doesn\u0027t grab request reference in case of recovery reissue.\nThen the request can be requeued \u0026 re-dispatch \u0026 failed when canceling\nuring command.\n\nIf it is one zc request, the request can be freed before io_uring\nreturns the zc buffer back, then cause kernel panic:\n\n[  126.773061] BUG: kernel NULL pointer dereference, address: 00000000000000c8\n[  126.773657] #PF: supervisor read access in kernel mode\n[  126.774052] #PF: error_code(0x0000) - not-present page\n[  126.774455] PGD 0 P4D 0\n[  126.774698] Oops: Oops: 0000 [#1] SMP NOPTI\n[  126.775034] CPU: 13 UID: 0 PID: 1612 Comm: kworker/u64:55 Not tainted 6.14.0_blk+ #182 PREEMPT(full)\n[  126.775676] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014\n[  126.776275] Workqueue: iou_exit io_ring_exit_work\n[  126.776651] RIP: 0010:ublk_io_release+0x14/0x130 [ublk_drv]\n\nFixes it by always grabbing request reference for aborting the request.",
  "id": "GHSA-wmr5-8rgc-r7p9",
  "modified": "2025-11-07T00:30:26Z",
  "published": "2025-05-01T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37759"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a21d259ca4d6310fdfcc0284ebbc000e66cbf70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d34a30efac9c9c93e150130caa940c0df6053c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6ee6bd5d4fce502a5b5a2ea805e9ff16e6aa890f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/caa5c8a2358604f38bf0a4afaa5eacda13763067"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMWF-43VQ-QHQ2

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58
VLAI
Details

In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-14T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.",
  "id": "GHSA-wmwf-43vq-qhq2",
  "modified": "2022-05-24T16:58:44Z",
  "published": "2022-05-24T16:58:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/8df6884832ec413cf032dfaa45c23b1c7876670c"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15733"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-65"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4431-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.