Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-WQF5-7884-7H3F

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-30T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.",
  "id": "GHSA-wqf5-7884-7h3f",
  "modified": "2022-05-13T01:16:23Z",
  "published": "2022-05-13T01:16:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uclouvain/openjpeg/issues/859"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201710-26"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93975"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQG8-C24W-4MWH

Vulnerability from github – Published: 2024-08-17 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/dasd: fix error checks in dasd_copy_pair_store()

dasd_add_busid() can return an error via ERR_PTR() if an allocation fails. However, two callsites in dasd_copy_pair_store() do not check the result, potentially resulting in a NULL pointer dereference. Fix this by checking the result with IS_ERR() and returning the error up the stack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T09:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix error checks in dasd_copy_pair_store()\n\ndasd_add_busid() can return an error via ERR_PTR() if an allocation\nfails. However, two callsites in dasd_copy_pair_store() do not check\nthe result, potentially resulting in a NULL pointer dereference. Fix\nthis by checking the result with IS_ERR() and returning the error up\nthe stack.",
  "id": "GHSA-wqg8-c24w-4mwh",
  "modified": "2025-11-04T00:31:14Z",
  "published": "2024-08-17T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42320"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68d4c3722290ad300c295fb3435e835d200d5cb2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e64d2356cbc800b4cd0e3e614797f76bcf0cdb8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc8b7284d5076722e0b8062373b68d8e47c3bace"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e511167e65d332d07b3c7a3d5a741ee9c19a8c27"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQJ5-2HRG-W494

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix NULL deref in bond_debug_rlb_hash_show

rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visites client_info->slave without checking if it's NULL.

Other used-list iterators in bond_alb.c already handle this NULL-slave state safely:

  • rlb_update_client returns early on !client_info->slave
  • rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance compare slave values before visiting
  • lb_req_update_subnet_clients continues if slave is NULL

The following NULL deref crash can be trigger in bond_debug_rlb_hash_show:

[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) [ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 [ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 [ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 [ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 [ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 [ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 [ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 [ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 [ 1.295897] Call Trace: [ 1.296134] seq_read_iter (fs/seq_file.c:231) [ 1.296341] seq_read (fs/seq_file.c:164) [ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) [ 1.296658] vfs_read (fs/read_write.c:572) [ 1.296981] ksys_read (fs/read_write.c:717) [ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Add a NULL check and print "(none)" for entries with no assigned slave.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. However, bond_debug_rlb_hash_show\nvisites client_info-\u003eslave without checking if it\u0027s NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info-\u003eslave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be trigger in\nbond_debug_rlb_hash_show:\n\n[    1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[    1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[    1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[    1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[    1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[    1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[    1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[    1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[    1.294864] FS:  0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[    1.295239] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[    1.295897] Call Trace:\n[    1.296134]  seq_read_iter (fs/seq_file.c:231)\n[    1.296341]  seq_read (fs/seq_file.c:164)\n[    1.296493]  full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[    1.296658]  vfs_read (fs/read_write.c:572)\n[    1.296981]  ksys_read (fs/read_write.c:717)\n[    1.297132]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[    1.297325]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned slave.",
  "id": "GHSA-wqj5-2hrg-w494",
  "modified": "2026-07-14T15:31:53Z",
  "published": "2026-04-24T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31546"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/017d674cf6930e9586a29ee808c7ca09d1396d07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a3f8cd3f370247ded14d38d216b49dd30eade76"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19f0fd87df0e5746b24f5caa465a66a8c6e6e241"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ec2c777f357a83c3d503d8d9370c90b60f0ae63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/605b52497bf89b3b154674deb135da98f916e390"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a3bb74e25d79cbb15f67ef80f71e2b2bfe27ff4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec9762f0df2f9fbe3f40a3bfa8aab8b2f721466c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/edacf1613f7b26423ebfa8b2892e7453c4235354"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQM6-PPVQ-V664

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix null pointer dereference in svc_rqst_free()

When alloc_pages_node() returns null in svc_rqst_alloc(), the null rq_scratch_page pointer will be dereferenced when calling put_page() in svc_rqst_free(). Fix it by adding a null check.

Addresses-Coverity: ("Dereference after null check")

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix null pointer dereference in svc_rqst_free()\n\nWhen alloc_pages_node() returns null in svc_rqst_alloc(), the\nnull rq_scratch_page pointer will be dereferenced when calling\nput_page() in svc_rqst_free(). Fix it by adding a null check.\n\nAddresses-Coverity: (\"Dereference after null check\")",
  "id": "GHSA-wqm6-ppvq-v664",
  "modified": "2026-05-12T12:31:35Z",
  "published": "2024-02-28T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47002"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e10f58f1c9a6b667b045513c7a4e6111c24fe7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3de81c1e84bf84803308da3272a829a7655c5336"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9f83ffaa0c096b4c832a43964fe6bff3acffe10"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c664aaec9aee544538a78ba4893a44bc73a6d742"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQMF-HVR2-555C

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-30T09:29:00Z",
    "severity": "MODERATE"
  },
  "details": "NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.",
  "id": "GHSA-wqmf-hvr2-555c",
  "modified": "2022-05-13T01:16:22Z",
  "published": "2022-05-13T01:16:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uclouvain/openjpeg/issues/776"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uclouvain/openjpeg/issues/784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uclouvain/openjpeg/issues/785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uclouvain/openjpeg/issues/792"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201710-26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR22-WHP2-2CCM

Vulnerability from github – Published: 2022-05-14 01:18 – Updated: 2022-05-14 01:18
VLAI
Details

An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LEADER at dwg.spec.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-14T09:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LEADER at dwg.spec.",
  "id": "GHSA-wr22-whp2-2ccm",
  "modified": "2022-05-14T01:18:19Z",
  "published": "2022-05-14T01:18:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9772"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibreDWG/libredwg/issues/99"
    },
    {
      "type": "WEB",
      "url": "https://savannah.gnu.org/bugs/index.php?55893"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00045.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107447"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR42-H5M2-QMX6

Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-12-23 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

backlight: hx8357: Fix potential NULL pointer dereference

The "im" pins are optional. Add missing check in the hx8357_probe().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T13:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: hx8357: Fix potential NULL pointer dereference\n\nThe \"im\" pins are optional. Add missing check in the hx8357_probe().",
  "id": "GHSA-wr42-h5m2-qmx6",
  "modified": "2024-12-23T15:30:47Z",
  "published": "2024-05-01T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27071"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67e578c8ff2d7df03bf8ca9a7f5436b1796f6ad1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b1ba8bcb2d1ffce11b308ce166c9cc28d989e3b9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR8J-6CHW-GM6P

Vulnerability from github – Published: 2026-05-08 22:39 – Updated: 2026-06-08 23:47
VLAI
Summary
free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
Details

Summary

free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running.

The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In v4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware (see free5gc/free5gc#844). So in the validation lab the trigger is fully unauthenticated.

Details

Validated against the PCF container in the official Docker compose lab. - free5GC version: v4.1.0 (originally reported on v4.1.0; same defect present in v4.2.1) - PCF endpoint: http://10.100.200.9:8000

Vulnerable handler path (paraphrased from the captured stack trace):

[INFO][PCF][SMpolicy] Handle CreateSmPolicy
[ERRO][PCF][Consumer] openapi error: 404, Not Found
[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
  github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandleCreateSmPolicyRequest
      /go/src/free5gc/NFs/pcf/internal/sbi/processor/smpolicy.go:82 +0x562
  github.com/free5gc/pcf/internal/sbi.(*Server).HTTPCreateSMPolicy
      /go/src/free5gc/NFs/pcf/internal/sbi/api_smpolicy.go:86 +0x405

The handler's UDR-failure branch logs the OpenAPI error but does not return; the next line dereferences the nil response struct.

Code evidence (paths in free5gc/pcf): - Panic site: - NFs/pcf/internal/sbi/processor/smpolicy.go:82 - Route dispatch: - NFs/pcf/internal/sbi/api_smpolicy.go:86

PoC

Reproduced end-to-end against the running PCF at http://10.100.200.9:8000.

Send a single POST whose dnn is unknown to UDR -- this drives the downstream OpenAPI call to return 404 Not Found, which then triggers the nil-deref panic:

curl -sS -X POST 'http://10.100.200.9:8000/npcf-smpolicycontrol/v1/sm-policies' \
  -H 'Content-Type: application/json' \
  -d '{
    "supi":"imsi-208930000000003",
    "pduSessionId":1,
    "dnn":"internet-bad",
    "sliceInfo":{"sst":1,"sd":"010203"},
    "servingNetwork":{"mcc":"208","mnc":"93"},
    "accessType":"3GPP_ACCESS",
    "notificationUri":"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify"
  }'

Observed response: HTTP 500 Internal Server Error with empty body.

PCF container logs show:

[INFO][PCF][SMpolicy] Handle CreateSmPolicy
[ERRO][PCF][Consumer] openapi error: 404, Not Found
[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
  ...HandleCreateSmPolicyRequest at smpolicy.go:82...

The Gin recovery middleware catches the panic (the captured stack trace runs inside ginRecover.func2.1), so the PCF process keeps serving other requests; the realized impact is per-request HTTP 500 on this endpoint whenever the downstream lookup fails.

Impact

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the UDR-failure branch logs the OpenAPI error but does not return, then dereferences the nil response struct. The intended behavior is to return a controlled 4xx/5xx ProblemDetails and stop processing.

Gin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any unauthenticated POST that drives the downstream UDR lookup to a 404 returns HTTP 500 (with empty body and a stack trace in PCF logs) instead of a controlled error response.

No Confidentiality impact (the response is 500 with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation. The endpoint remains reachable to unauthenticated attackers via the route-group auth gap separately tracked in free5gc/free5gc#844.

Affected: free5gc v4.2.1 (originally reported against v4.1.0; same defect present).

Upstream issue: https://github.com/free5gc/free5gc/issues/803 Upstream fix: https://github.com/free5gc/pcf/pull/62

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/pcf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:39:43Z",
    "nvd_published_at": "2026-05-27T17:16:36Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nfree5GC\u0027s PCF `POST /npcf-smpolicycontrol/v1/sm-policies` handler (`HandleCreateSmPolicyRequest`) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns `404 Not Found` and the consumer wrapper returns `err != nil` together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into `HTTP 500`, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running.\n\nThe trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In v4.2.1 this endpoint is also reachable WITHOUT an `Authorization` header because the PCF `Npcf_SMPolicyControl` route group is mounted without inbound auth middleware (see free5gc/free5gc#844). So in the validation lab the trigger is fully unauthenticated.\n\n### Details\nValidated against the PCF container in the official Docker compose lab.\n- free5GC version: `v4.1.0` (originally reported on v4.1.0; same defect present in v4.2.1)\n- PCF endpoint: `http://10.100.200.9:8000`\n\nVulnerable handler path (paraphrased from the captured stack trace):\n```\n[INFO][PCF][SMpolicy] Handle CreateSmPolicy\n[ERRO][PCF][Consumer] openapi error: 404, Not Found\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n  github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandleCreateSmPolicyRequest\n      /go/src/free5gc/NFs/pcf/internal/sbi/processor/smpolicy.go:82 +0x562\n  github.com/free5gc/pcf/internal/sbi.(*Server).HTTPCreateSMPolicy\n      /go/src/free5gc/NFs/pcf/internal/sbi/api_smpolicy.go:86 +0x405\n```\n\nThe handler\u0027s UDR-failure branch logs the OpenAPI error but does not return; the next line dereferences the nil response struct.\n\nCode evidence (paths in `free5gc/pcf`):\n- Panic site:\n  - `NFs/pcf/internal/sbi/processor/smpolicy.go:82`\n- Route dispatch:\n  - `NFs/pcf/internal/sbi/api_smpolicy.go:86`\n\n### PoC\nReproduced end-to-end against the running PCF at `http://10.100.200.9:8000`.\n\nSend a single POST whose `dnn` is unknown to UDR -- this drives the downstream OpenAPI call to return `404 Not Found`, which then triggers the nil-deref panic:\n```\ncurl -sS -X POST \u0027http://10.100.200.9:8000/npcf-smpolicycontrol/v1/sm-policies\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"supi\":\"imsi-208930000000003\",\n    \"pduSessionId\":1,\n    \"dnn\":\"internet-bad\",\n    \"sliceInfo\":{\"sst\":1,\"sd\":\"010203\"},\n    \"servingNetwork\":{\"mcc\":\"208\",\"mnc\":\"93\"},\n    \"accessType\":\"3GPP_ACCESS\",\n    \"notificationUri\":\"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify\"\n  }\u0027\n```\n\nObserved response: `HTTP 500 Internal Server Error` with empty body.\n\nPCF container logs show:\n```\n[INFO][PCF][SMpolicy] Handle CreateSmPolicy\n[ERRO][PCF][Consumer] openapi error: 404, Not Found\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n  ...HandleCreateSmPolicyRequest at smpolicy.go:82...\n```\n\nThe Gin recovery middleware catches the panic (the captured stack trace runs inside `ginRecover.func2.1`), so the PCF process keeps serving other requests; the realized impact is per-request `HTTP 500` on this endpoint whenever the downstream lookup fails.\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the UDR-failure branch logs the OpenAPI error but does not return, then dereferences the nil response struct. The intended behavior is to return a controlled `4xx`/`5xx` `ProblemDetails` and stop processing.\n\nGin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any unauthenticated POST that drives the downstream UDR lookup to a `404` returns `HTTP 500` (with empty body and a stack trace in PCF logs) instead of a controlled error response.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation. The endpoint remains reachable to unauthenticated attackers via the route-group auth gap separately tracked in free5gc/free5gc#844.\n\nAffected: free5gc v4.2.1 (originally reported against v4.1.0; same defect present).\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/803\nUpstream fix: https://github.com/free5gc/pcf/pull/62",
  "id": "GHSA-wr8j-6chw-gm6p",
  "modified": "2026-06-08T23:47:04Z",
  "published": "2026-05-08T22:39:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wr8j-6chw-gm6p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/pcf/pull/62"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference"
}

GHSA-WR95-7J53-J5C2

Vulnerability from github – Published: 2026-03-26 09:30 – Updated: 2026-03-26 15:30
VLAI
Details

On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.

An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T07:16:20Z",
    "severity": "HIGH"
  },
  "details": "On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.\n\nAn attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.",
  "id": "GHSA-wr95-7j53-j5c2",
  "modified": "2026-03-26T15:30:36Z",
  "published": "2026-03-26T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4652"
    },
    {
      "type": "WEB",
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRCH-R746-JF7C

Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Keep write operations atomic

syzbot reported a NULL pointer dereference in __generic_file_write_iter. [1]

Before the write operation is completed, the user executes ioctl[2] to clear the compress flag of the file, which causes the is_compressed() judgment to return 0, further causing the program to enter the wrong process and call the wrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of write_begin.

Use inode lock to synchronize ioctl and write to avoid this case.

[1] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000 [0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055 sp : ffff80009d4978a0 x29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8 x26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68 x23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000 x20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c x17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001 x14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0 x11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff80009d497980 x4 : ffff80009d497960 x3 : 0000000000001000 x2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0 Call trace: 0x0 (P) __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156 ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267 new_sync_write fs/read_write.c:586 [inline] vfs_write+0x920/0xcf4 fs/read_write.c:679 ksys_write+0x15c/0x26c fs/read_write.c:731 __do_sys_write fs/read_write.c:742 [inline] __se_sys_write fs/read_write.c:739 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762

[2] ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000000c0)=0x20)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T07:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Keep write operations atomic\n\nsyzbot reported a NULL pointer dereference in __generic_file_write_iter. [1]\n\nBefore the write operation is completed, the user executes ioctl[2] to clear\nthe compress flag of the file, which causes the is_compressed() judgment to\nreturn 0, further causing the program to enter the wrong process and call the\nwrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of\nwrite_begin.\n\nUse inode lock to synchronize ioctl and write to avoid this case.\n\n[1]\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n  ESR = 0x0000000086000006\n  EC = 0x21: IABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x06: level 2 translation fault\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000\n[0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000\nInternal error: Oops: 0000000086000006 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : 0x0\nlr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055\nsp : ffff80009d4978a0\nx29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8\nx26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68\nx23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000\nx20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c\nx17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001\nx14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0\nx11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff80009d497980 x4 : ffff80009d497960 x3 : 0000000000001000\nx2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0\nCall trace:\n 0x0 (P)\n __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156\n ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267\n new_sync_write fs/read_write.c:586 [inline]\n vfs_write+0x920/0xcf4 fs/read_write.c:679\n ksys_write+0x15c/0x26c fs/read_write.c:731\n __do_sys_write fs/read_write.c:742 [inline]\n __se_sys_write fs/read_write.c:739 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n\n[2]\nioctl$FS_IOC_SETFLAGS(r0, 0x40086602, \u0026(0x7f00000000c0)=0x20)",
  "id": "GHSA-wrch-r746-jf7c",
  "modified": "2025-11-10T18:30:31Z",
  "published": "2025-05-08T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37806"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/285cec318bf5a7a6c8ba999b2b6ec96f9a20590f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/464139e18f619aa14fb921a61721862f43421c54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8db49e89a7f8b48ee59fa9ad32b6ed0879747df8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.