Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-WP48-4JF2-3V5V

Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix potential NULL pointer dereference

Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate pointer before dereferencing the pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix potential NULL pointer dereference\n\nKlocwork tool reported \u0027cur_dsd\u0027 may be dereferenced.  Add fix to validate\npointer before dereferencing the pointer.",
  "id": "GHSA-wp48-4jf2-3v5v",
  "modified": "2026-01-16T21:30:29Z",
  "published": "2025-10-01T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53451"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/02405f4023866ae91a611b5b85cb2e074ec2de5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bea9c1c983152c5411f5a2f1113cb790ce1389d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/464ea494a40c6e3e0e8f91dd325408aaf21515ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f90a8b0481615622bd0558aa8cf361bea872045"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a52a2e14fe866541bbc0033058e44bf0bf0c580"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af7affc0f6b82a5bde430fc4f0dcf70963442fbc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce2cdbe530b0066bae1f98dbab590a232d507eaa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee4c9a93238b9ce3703942500cb1aeacf77090d2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP4P-9PXH-CGX2

Vulnerability from github – Published: 2025-09-30 18:28 – Updated: 2025-10-23 20:22
VLAI
Summary
argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload
Details

Summary

Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients.

With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null.

Details

Users can access /api/webhook without authentication, and when accessing this endpoint, the Handler function parses webhook type messages according to the header (e.g. X-Gogs-Event) and body parameters provided by the user. The Parse function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.

The affectedRevisionInfo function parses data according to webhook event types(e.g. gogsclient.PushPayload). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.

func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {
    switch payload := payloadIf.(type) {
        // ...
        case gogsclient.PushPayload:
            webURLs = append(webURLs, payload.Repo.HTMLURL) // bug
            // ...
        }
    return webURLs, revision, change, touchedHead, changedFiles
}

PoC

payload-gogs.json

{
  "ref": "refs/heads/master",
  "before": "0000000000000000000000000000000000000000",
  "after": "0a05129851238652bf806a400af89fa974ade739",
  "commits": [{}]
}
curl -k -v https://argocd.example.com/api/webhook \
  -H 'X-Gogs-Event: push' \
  -H 'Content-Type: application/json' \
  --data-binary @/tmp/payload-gogs.json

An attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to /api/webhook.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]

goroutine 302 [running]:
github.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38
github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60
created by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1
    /go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28

Mitigation

If you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.

If you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
type: Opaque
data:
+  webhook.gogs.secret: <your base64-encoded secret here>

For more information

Credit

Sangjun Song (s0ngsari) at Theori (theori.io)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "last_affected": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.14.19"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc1"
            },
            {
              "fixed": "2.14.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0-rc1"
            },
            {
              "fixed": "3.2.0-rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.2.0-rc1"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0-rc1"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.18"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc1"
            },
            {
              "fixed": "3.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-30T18:28:38Z",
    "nvd_published_at": "2025-10-01T21:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nUnpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. \n\nWith the default configuration, no `webhook.gogs.secret` set, Argo CD\u2019s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field `commits[].repo` is not set or is null.\n\n### Details\n\nUsers can access `/api/webhook` without authentication, and when accessing this endpoint, the `Handler` function parses webhook type messages according to the `header (e.g. X-Gogs-Event)` and `body` parameters provided by the user. The `Parse` function simply unmarshals JSON-type messages. In other words, it returns a data structure even if the data structure is not exactly matched.\n\nThe `affectedRevisionInfo` function parses data according to webhook event types(e.g. `gogsclient.PushPayload`). However, due to the lack of data structure validation corresponding to these events, an attacker can cause a Denial of Service (DoS) attack by sending maliciously crafted data. because of Repository is Pointer Type.\n\n```go\nfunc affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {\n    switch payload := payloadIf.(type) {\n        // ...\n        case gogsclient.PushPayload:\n            webURLs = append(webURLs, payload.Repo.HTMLURL) // bug\n            // ...\n        }\n    return webURLs, revision, change, touchedHead, changedFiles\n}\n\n```\n### PoC\n\npayload-gogs.json\n\n```json\n{\n  \"ref\": \"refs/heads/master\",\n  \"before\": \"0000000000000000000000000000000000000000\",\n  \"after\": \"0a05129851238652bf806a400af89fa974ade739\",\n  \"commits\": [{}]\n}\n```\n\n```shell\ncurl -k -v https://argocd.example.com/api/webhook \\\n  -H \u0027X-Gogs-Event: push\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data-binary @/tmp/payload-gogs.json\n```\n\nAn attacker can cause a DoS and make the argo-cd service unavailable by continuously sending unauthenticated requests to `/api/webhook`.\n\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x68 pc=0x280f494]\n\ngoroutine 302 [running]:\ngithub.com/argoproj/argo-cd/v2/util/webhook.affectedRevisionInfo({0x3bd8240?, 0x40005a7030?})\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:233 +0x594\ngithub.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).HandleEvent(0x40000f9140, {0x3bd8240?, 0x40005a7030?})\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:254 +0x38\ngithub.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool.func1()\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:128 +0x60\ncreated by github.com/argoproj/argo-cd/v2/util/webhook.(*ArgoCDWebhookHandler).startWorkerPool in goroutine 1\n\t/go/src/github.com/argoproj/argo-cd/util/webhook/webhook.go:121 +0x28\n```\n\n### Mitigation\n\nIf you use Gogs and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Gogs, you can set the webhook secret to a long, random value to effectively disable webhook handling for Gogs payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n  name: argocd-secret\ntype: Opaque\ndata:\n+  webhook.gogs.secret: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credit\n\nSangjun Song (s0ngsari) at Theori (theori.io)",
  "id": "GHSA-wp4p-9pxh-cgx2",
  "modified": "2025-10-23T20:22:30Z",
  "published": "2025-09-30T18:28:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-wp4p-9pxh-cgx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/761fc27068d2d4cd24e1f784eb2a9033b5ee7f43"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-39896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload"
}

GHSA-WP5W-R3X6-PMQH

Vulnerability from github – Published: 2024-03-15 21:30 – Updated: 2025-01-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: track AF_XDP ZC enabled queues in bitmap

Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") silently introduced a regression and broke the Tx side of AF_XDP in copy mode. xsk_pool on ice_ring is set only based on the existence of the XDP prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed. That is not something that should happen for copy mode as it should use the regular data path ice_clean_tx_irq.

This results in a following splat when xdpsock is run in txonly or l2fwd scenarios in copy mode:

[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030 [ 106.057269] #PF: supervisor read access in kernel mode [ 106.062493] #PF: error_code(0x0000) - not-present page [ 106.067709] PGD 0 P4D 0 [ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45 [ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50 [ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00 [ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206 [ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800 [ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800 [ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800 [ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff [ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018 [ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000 [ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0 [ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 106.192898] PKRU: 55555554 [ 106.195653] Call Trace: [ 106.198143] [ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice] [ 106.205087] ice_napi_poll+0x3e/0x590 [ice] [ 106.209356] __napi_poll+0x2a/0x160 [ 106.212911] net_rx_action+0xd6/0x200 [ 106.216634] __do_softirq+0xbf/0x29b [ 106.220274] irq_exit_rcu+0x88/0xc0 [ 106.223819] common_interrupt+0x7b/0xa0 [ 106.227719] [ 106.229857] asm_common_interrupt+0x1e/0x40

Fix this by introducing the bitmap of queues that are zero-copy enabled, where each bit, corresponding to a queue id that xsk pool is being configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and checked within ice_xsk_pool(). The latter is a function used for deciding which napi poll routine is executed. Idea is being taken from our other drivers such as i40e and ixgbe.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T21:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: track AF_XDP ZC enabled queues in bitmap\n\nCommit c7a219048e45 (\"ice: Remove xsk_buff_pool from VSI structure\")\nsilently introduced a regression and broke the Tx side of AF_XDP in copy\nmode. xsk_pool on ice_ring is set only based on the existence of the XDP\nprog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.\nThat is not something that should happen for copy mode as it should use\nthe regular data path ice_clean_tx_irq.\n\nThis results in a following splat when xdpsock is run in txonly or l2fwd\nscenarios in copy mode:\n\n\u003csnip\u003e\n[  106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[  106.057269] #PF: supervisor read access in kernel mode\n[  106.062493] #PF: error_code(0x0000) - not-present page\n[  106.067709] PGD 0 P4D 0\n[  106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45\n[  106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[  106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50\n[  106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c \u003c48\u003e 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00\n[  106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206\n[  106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800\n[  106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800\n[  106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800\n[  106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff\n[  106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018\n[  106.157117] FS:  0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000\n[  106.165332] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0\n[  106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  106.192898] PKRU: 55555554\n[  106.195653] Call Trace:\n[  106.198143]  \u003cIRQ\u003e\n[  106.200196]  ice_clean_tx_irq_zc+0x183/0x2a0 [ice]\n[  106.205087]  ice_napi_poll+0x3e/0x590 [ice]\n[  106.209356]  __napi_poll+0x2a/0x160\n[  106.212911]  net_rx_action+0xd6/0x200\n[  106.216634]  __do_softirq+0xbf/0x29b\n[  106.220274]  irq_exit_rcu+0x88/0xc0\n[  106.223819]  common_interrupt+0x7b/0xa0\n[  106.227719]  \u003c/IRQ\u003e\n[  106.229857]  asm_common_interrupt+0x1e/0x40\n\u003c/snip\u003e\n\nFix this by introducing the bitmap of queues that are zero-copy enabled,\nwhere each bit, corresponding to a queue id that xsk pool is being\nconfigured on, will be set/cleared within ice_xsk_pool_{en,dis}able and\nchecked within ice_xsk_pool(). The latter is a function used for\ndeciding which napi poll routine is executed.\nIdea is being taken from our other drivers such as i40e and ixgbe.",
  "id": "GHSA-wp5w-r3x6-pmqh",
  "modified": "2025-01-07T18:30:39Z",
  "published": "2024-03-15T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47127"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d34fa4fcf06649036ba0c97854fcf7a741ee18c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e102db780e1c14f10c70dafa7684af22a745b51d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP77-4GMM-7CQ8

Vulnerability from github – Published: 2021-08-25 14:43 – Updated: 2024-11-13 17:23
VLAI
Summary
Incorrect validation of `SaveV2` inputs
Details

Impact

The code for tf.raw_ops.SaveV2 does not properly validate the inputs and an attacker can trigger a null pointer dereference:

import tensorflow as tf

tf.raw_ops.SaveV2(
  prefix=['tensorflow'],
  tensor_name=['v'],
  shape_and_slices=[],
  tensors=[1,2,3])

The implementation uses ValidateInputs to check that the input arguments are valid. This validation would have caught the illegal state represented by the reproducer above.

However, the validation uses OP_REQUIRES which translates to setting the Status object of the current OpKernelContext to an error status, followed by an empty return statement which just terminates the execution of the function it is present in. However, this does not mean that the kernel execution is finalized: instead, execution continues from the next line in Compute that follows the call to ValidateInputs. This is equivalent to lacking the validation.

Patches

We have patched the issue in GitHub commit 9728c60e136912a12d99ca56e106b7cce7af5986.

The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T21:12:17Z",
    "nvd_published_at": "2021-08-12T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe code for `tf.raw_ops.SaveV2` does not properly validate the inputs and an attacker can trigger a null pointer dereference:\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.SaveV2(\n  prefix=[\u0027tensorflow\u0027],\n  tensor_name=[\u0027v\u0027],\n  shape_and_slices=[],\n  tensors=[1,2,3])\n```\n  \nThe [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/save_restore_v2_ops.cc) uses `ValidateInputs` to  check that the input arguments are valid. This validation would have caught the illegal state represented by the reproducer  above.\n\nHowever, the validation uses `OP_REQUIRES` which translates to setting the `Status` object of the current `OpKernelContext` to an error status, followed by an empty `return` statement which just terminates the execution of the function it is present in. However, this does not mean that the kernel execution is finalized: instead, execution continues from the next line in `Compute` that follows the call to `ValidateInputs`. This is equivalent to lacking the validation.\n      \n### Patches\nWe have patched the issue in GitHub commit [9728c60e136912a12d99ca56e106b7cce7af5986](https://github.com/tensorflow/tensorflow/commit/9728c60e136912a12d99ca56e106b7cce7af5986).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.                                                                                                                                                                                                                                               \n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.",
  "id": "GHSA-wp77-4gmm-7cq8",
  "modified": "2024-11-13T17:23:03Z",
  "published": "2021-08-25T14:43:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wp77-4gmm-7cq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/9728c60e136912a12d99ca56e106b7cce7af5986"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-561.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-759.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-270.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Incorrect validation of `SaveV2` inputs"
}

GHSA-WP7W-8WPC-RMX3

Vulnerability from github – Published: 2025-09-02 21:30 – Updated: 2025-09-02 21:30
VLAI
Details

An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Null pointer dereference vulnerability in the dump() method allows an attacker to cause a denial of service. The vulnerability exists because the method fails to check the return value of avfilter_graph_dump() for NULL, leading to a crash if the underlying memory allocation fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-02T16:15:39Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Null pointer dereference vulnerability in the dump() method allows an attacker to cause a denial of service. The vulnerability exists because the method fails to check the return value of avfilter_graph_dump() for NULL, leading to a crash if the underlying memory allocation fails.",
  "id": "GHSA-wp7w-8wpc-rmx3",
  "modified": "2025-09-02T21:30:58Z",
  "published": "2025-09-02T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/meh/rust-ffmpeg/issues/192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP84-QF9P-3VP8

Vulnerability from github – Published: 2023-01-12 15:30 – Updated: 2023-01-20 21:30
VLAI
Details

A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference issue was discovered in \u0027FFmpeg\u0027 in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.",
  "id": "GHSA-wp84-qf9p-3vp8",
  "modified": "2023-01-20T21:30:28Z",
  "published": "2023-01-12T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2157054"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP8Q-76MH-G25X

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2026-04-18 09:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

driver: iio: add missing checks on iio_info's callback access

Some callbacks from iio_info structure are accessed without any check, so if a driver doesn't implement them trying to access the corresponding sysfs entries produce a kernel oops such as:

[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute [...] [ 2203.783416] Call trace: [ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48 [ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120 [ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4 [ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0 [ 2203.802236] vfs_read from ksys_read+0xa4/0xd4 [ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54 [ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0) [ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000 [ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000 [ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0 [ 2203.830363] Code: bad PC value [ 2203.832695] ---[ end trace 0000000000000000 ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T07:15:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: iio: add missing checks on iio_info\u0027s callback access\n\nSome callbacks from iio_info structure are accessed without any check, so\nif a driver doesn\u0027t implement them trying to access the corresponding\nsysfs entries produce a kernel oops such as:\n\n[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute\n[...]\n[ 2203.783416] Call trace:\n[ 2203.783429]  iio_read_channel_info_avail from dev_attr_show+0x18/0x48\n[ 2203.789807]  dev_attr_show from sysfs_kf_seq_show+0x90/0x120\n[ 2203.794181]  sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4\n[ 2203.798555]  seq_read_iter from vfs_read+0x238/0x2a0\n[ 2203.802236]  vfs_read from ksys_read+0xa4/0xd4\n[ 2203.805385]  ksys_read from ret_fast_syscall+0x0/0x54\n[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0)\n[ 2203.812880] dfa0:                   00000003 b6f10f80 00000003 b6eab000 00020000 00000000\n[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000\n[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0\n[ 2203.830363] Code: bad PC value\n[ 2203.832695] ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-wp8q-76mh-g25x",
  "modified": "2026-04-18T09:30:16Z",
  "published": "2024-09-18T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46715"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0cc7e0ee31e5c44904e98e2229d591e093282a70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b961d5786b4b31c367c719a2f918569b444c007"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72f022ebb9deac28663fa4c04ba315ed5d6654d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4ec8dedca961db056ec85cb7ca8c9f7e2e92252"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc537a72f64890d883d24ae4ac58733fc5bc523d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP8X-2WQ9-8F64

Vulnerability from github – Published: 2023-03-16 00:32 – Updated: 2025-05-05 18:32
VLAI
Details

do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-16T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).",
  "id": "GHSA-wp8x-2wq9-8f64",
  "modified": "2025-05-05T18:32:34Z",
  "published": "2023-03-16T00:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28466"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230427-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WP9J-XG76-9M98

Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22
VLAI
Details

An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file could lead to a NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-06T02:59:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file could lead to a NULL pointer dereference.",
  "id": "GHSA-wp9j-xg76-9m98",
  "modified": "2022-05-14T01:22:02Z",
  "published": "2022-05-14T01:22:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/d31fec57e9dfb0516deead2053a856e3c71e9751"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/856881"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96589"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPFC-GX92-F98V

Vulnerability from github – Published: 2024-11-07 12:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()

If the allocation in msm_disp_state_dump_regs() failed then block->state can be NULL. The msm_disp_state_print_regs() function does have code to try to handle it with:

if (reg) dump_addr = reg;

...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference dump_addr.

Make the function print "Registers not stored" when it sees a NULL to solve this. Since we're touching the code, fix msm_disp_state_print_regs() not to pointlessly take a double-pointer and properly mark the pointer as const.

Patchwork: https://patchwork.freedesktop.org/patch/619657/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-07T10:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Avoid NULL dereference in msm_disp_state_print_regs()\n\nIf the allocation in msm_disp_state_dump_regs() failed then\n`block-\u003estate` can be NULL. The msm_disp_state_print_regs() function\n_does_ have code to try to handle it with:\n\n  if (*reg)\n    dump_addr = *reg;\n\n...but since \"dump_addr\" is initialized to NULL the above is actually\na noop. The code then goes on to dereference `dump_addr`.\n\nMake the function print \"Registers not stored\" when it sees a NULL to\nsolve this. Since we\u0027re touching the code, fix\nmsm_disp_state_print_regs() not to pointlessly take a double-pointer\nand properly mark the pointer as `const`.\n\nPatchwork: https://patchwork.freedesktop.org/patch/619657/",
  "id": "GHSA-wpfc-gx92-f98v",
  "modified": "2025-11-04T00:31:57Z",
  "published": "2024-11-07T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50156"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/293f53263266bc4340d777268ab4328a97f041fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42cf045086feae77b212f0f66e742b91a5b566b7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/563aa81fd66a4e7e6e551a0e02bcc23957cafe2f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8e9f2a12a6214080c8ea83220a596f6e1dedc6c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7ad916273483748582d97cfa31054ccb19224f3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.