Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-X2WH-V69V-X2W9

Vulnerability from github – Published: 2024-02-22 18:30 – Updated: 2024-03-18 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

The following case can cause a crash due to missing attach_btf:

1) load rawtp program 2) load fentry program with rawtp as target_fd 3) create tracing link for fentry program with target_fd = 0 4) repeat 3

In the end we have:

  • prog->aux->dst_trampoline == NULL
  • tgt_prog == NULL (because we did not provide target_fd to link_create)
  • prog->aux->attach_btf == NULL (the program was loaded with attach_prog_fd=X)
  • the program was loaded for tgt_prog but we have no way to find out which one

    BUG: kernel NULL pointer dereference, address: 0000000000000058 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x15b/0x430 ? fixup_exception+0x22/0x330 ? exc_page_fault+0x6f/0x170 ? asm_exc_page_fault+0x22/0x30 ? bpf_tracing_prog_attach+0x279/0x560 ? btf_obj_id+0x5/0x10 bpf_tracing_prog_attach+0x439/0x560 __sys_bpf+0x1cf4/0x2de0 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x41/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Return -EINVAL in this situation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-22T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix re-attachment branch in bpf_tracing_prog_attach\n\nThe following case can cause a crash due to missing attach_btf:\n\n1) load rawtp program\n2) load fentry program with rawtp as target_fd\n3) create tracing link for fentry program with target_fd = 0\n4) repeat 3\n\nIn the end we have:\n\n- prog-\u003eaux-\u003edst_trampoline == NULL\n- tgt_prog == NULL (because we did not provide target_fd to link_create)\n- prog-\u003eaux-\u003eattach_btf == NULL (the program was loaded with attach_prog_fd=X)\n- the program was loaded for tgt_prog but we have no way to find out which one\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000058\n    Call Trace:\n     \u003cTASK\u003e\n     ? __die+0x20/0x70\n     ? page_fault_oops+0x15b/0x430\n     ? fixup_exception+0x22/0x330\n     ? exc_page_fault+0x6f/0x170\n     ? asm_exc_page_fault+0x22/0x30\n     ? bpf_tracing_prog_attach+0x279/0x560\n     ? btf_obj_id+0x5/0x10\n     bpf_tracing_prog_attach+0x439/0x560\n     __sys_bpf+0x1cf4/0x2de0\n     __x64_sys_bpf+0x1c/0x30\n     do_syscall_64+0x41/0xf0\n     entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nReturn -EINVAL in this situation.",
  "id": "GHSA-x2wh-v69v-x2w9",
  "modified": "2024-03-18T18:32:18Z",
  "published": "2024-02-22T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26591"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50ae82f080cf87e84828f066c31723b781d68f5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6cc9c0af0aa06f781fa515a1734b1a4239dfd2c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/715d82ba636cb3629a6e18a33bb9dbe53f9936ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c8bcd45e9b10eef12321f08d2e5be33d615509c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7b98aa10f895e2569403896f2d19b73b6c95653"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2WJ-4R98-4867

Vulnerability from github – Published: 2026-06-09 15:32 – Updated: 2026-06-09 15:32
VLAI
Details

A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T14:16:36Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.",
  "id": "GHSA-x2wj-4r98-4867",
  "modified": "2026-06-09T15:32:18Z",
  "published": "2026-06-09T15:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11788"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-11788"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485423"
    },
    {
      "type": "WEB",
      "url": "https://redhat.atlassian.net/browse/PSIRTSUPT-7600"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2XX-JW5M-5J86

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-20 22:06
VLAI
Summary
LIEF contains segmentation violation
Details

LIEF commit 5d1d643 was discovered to contain a segmentation violation via the function LIEF::MachO::SegmentCommand::file_offset() at /MachO/SegmentCommand.cpp. Commit 7acf0bc4224081d4f425fcc8b2e361b95291d878 contains a patch.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lief"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-38307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-20T22:06:28Z",
    "nvd_published_at": "2022-09-13T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "LIEF commit 5d1d643 was discovered to contain a segmentation violation via the function `LIEF::MachO::SegmentCommand::file_offset()` at `/MachO/SegmentCommand.cpp`. Commit 7acf0bc4224081d4f425fcc8b2e361b95291d878 contains a patch.",
  "id": "GHSA-x2xx-jw5m-5j86",
  "modified": "2022-09-20T22:06:28Z",
  "published": "2022-09-14T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lief-project/LIEF/issues/764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lief-project/LIEF/commit/7acf0bc4224081d4f425fcc8b2e361b95291d878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lief/PYSEC-2022-275.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LIEF contains segmentation violation"
}

GHSA-X32J-25W6-P7M4

Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2025-02-03 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

selinux: avoid dereference of garbage after mount failure

In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer.

While on it drop the never read static variable selinuxfs_mount.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.",
  "id": "GHSA-x32j-25w6-p7m4",
  "modified": "2025-02-03T18:30:36Z",
  "published": "2024-05-19T09:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35904"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/05/30/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/05/30/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X33G-396Q-PW6P

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-11-25 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: add NULL check in xfrm_update_ae_params

Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below.

BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 RIP: 0010:memcpy_orig+0xad/0x140 Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c RSP: 0018:ffff888008f57658 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x1e8/0x500 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? __pfx_page_fault_oops+0x10/0x10 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? fixup_exception+0x36/0x460 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? exc_page_fault+0x5e/0xc0 ? asm_exc_page_fault+0x26/0x30 ? xfrm_update_ae_params+0xd1/0x260 ? memcpy_orig+0xad/0x140 ? __pfx__raw_spin_lock_bh+0x10/0x10 xfrm_update_ae_params+0xe7/0x260 xfrm_new_ae+0x298/0x4e0 ? __pfx_xfrm_new_ae+0x10/0x10 ? __pfx_xfrm_new_ae+0x10/0x10 xfrm_user_rcv_msg+0x25a/0x410 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __alloc_skb+0xcf/0x210 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1c/0x70 ? __stack_depot_save+0x39/0x4e0 ? __kasan_slab_free+0x10a/0x190 ? kmem_cache_free+0x9c/0x340 ? netlink_recvmsg+0x23c/0x660 ? sock_recvmsg+0xeb/0xf0 ? __sys_recvfrom+0x13c/0x1f0 ? __x64_sys_recvfrom+0x71/0x90 ? do_syscall_64+0x3f/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc ? copyout+0x3e/0x50 netlink_rcv_skb+0xd6/0x210 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_sock_has_perm+0x10/0x10 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 xfrm_netlink_rcv+0x44/0x50 netlink_unicast+0x36f/0x4c0 ? __pfx_netlink_unicast+0x10/0x10 ? netlink_recvmsg+0x500/0x660 netlink_sendmsg+0x3b7/0x700

This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit adds additional NULL check in xfrm_update_ae_params to fix the NPD.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T14:15:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: add NULL check in xfrm_update_ae_params\n\nNormally, x-\u003ereplay_esn and x-\u003epreplay_esn should be allocated at\nxfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the\nxfrm_update_ae_params(...) is okay to update them. However, the current\nimplementation of xfrm_new_ae(...) allows a malicious user to directly\ndereference a NULL pointer and crash the kernel like below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0\nOops: 0002 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4\nRIP: 0010:memcpy_orig+0xad/0x140\nCode: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c\nRSP: 0018:ffff888008f57658 EFLAGS: 00000202\nRAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571\nRDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818\nR13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000\nFS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x1f/0x70\n ? page_fault_oops+0x1e8/0x500\n ? __pfx_is_prefetch.constprop.0+0x10/0x10\n ? __pfx_page_fault_oops+0x10/0x10\n ? _raw_spin_unlock_irqrestore+0x11/0x40\n ? fixup_exception+0x36/0x460\n ? _raw_spin_unlock_irqrestore+0x11/0x40\n ? exc_page_fault+0x5e/0xc0\n ? asm_exc_page_fault+0x26/0x30\n ? xfrm_update_ae_params+0xd1/0x260\n ? memcpy_orig+0xad/0x140\n ? __pfx__raw_spin_lock_bh+0x10/0x10\n xfrm_update_ae_params+0xe7/0x260\n xfrm_new_ae+0x298/0x4e0\n ? __pfx_xfrm_new_ae+0x10/0x10\n ? __pfx_xfrm_new_ae+0x10/0x10\n xfrm_user_rcv_msg+0x25a/0x410\n ? __pfx_xfrm_user_rcv_msg+0x10/0x10\n ? __alloc_skb+0xcf/0x210\n ? stack_trace_save+0x90/0xd0\n ? filter_irq_stacks+0x1c/0x70\n ? __stack_depot_save+0x39/0x4e0\n ? __kasan_slab_free+0x10a/0x190\n ? kmem_cache_free+0x9c/0x340\n ? netlink_recvmsg+0x23c/0x660\n ? sock_recvmsg+0xeb/0xf0\n ? __sys_recvfrom+0x13c/0x1f0\n ? __x64_sys_recvfrom+0x71/0x90\n ? do_syscall_64+0x3f/0x90\n ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n ? copyout+0x3e/0x50\n netlink_rcv_skb+0xd6/0x210\n ? __pfx_xfrm_user_rcv_msg+0x10/0x10\n ? __pfx_netlink_rcv_skb+0x10/0x10\n ? __pfx_sock_has_perm+0x10/0x10\n ? mutex_lock+0x8d/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n xfrm_netlink_rcv+0x44/0x50\n netlink_unicast+0x36f/0x4c0\n ? __pfx_netlink_unicast+0x10/0x10\n ? netlink_recvmsg+0x500/0x660\n netlink_sendmsg+0x3b7/0x700\n\nThis Null-ptr-deref bug is assigned CVE-2023-3772. And this commit\nadds additional NULL check in xfrm_update_ae_params to fix the NPD.",
  "id": "GHSA-x33g-396q-pw6p",
  "modified": "2025-11-25T18:32:21Z",
  "published": "2025-09-15T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53147"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/00374d9b6d9f932802b55181be9831aa948e5b7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/075448a2eb753f813fe873cfa52853e9fef8eedb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44f69c96f8a147413c23c68cda4d6fb5e23137cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53df4be4f5221e90dc7aa9ce745a9a21bb7024f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8046beb890ebc83c5820188c650073e1c6066e67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87b655f4936b6fc01f3658aa88a22c923b379ebd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd30aa9c7febb6e709670cd5154194189ca3b7b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ed1cba039309c80b49719fcff3e3d7cdddb73d96"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X36F-6QHH-53J9

Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-23 18:31
VLAI
Details

A NULL pointer dereference in the sub_41773C function of TOTOLINK N600R v4.3.0cu.7866_B20220506 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T18:15:34Z",
    "severity": "HIGH"
  },
  "details": "A NULL pointer dereference in the sub_41773C function of TOTOLINK N600R v4.3.0cu.7866_B20220506 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.",
  "id": "GHSA-x36f-6qhh-53j9",
  "modified": "2025-10-23T18:31:14Z",
  "published": "2025-10-22T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60336"
    },
    {
      "type": "WEB",
      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/TOTOLink/sub_41773C/sub_41773C.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X37M-Q3CW-3J2C

Vulnerability from github – Published: 2025-05-27 18:30 – Updated: 2025-05-27 21:32
VLAI
Details

In the function process_crypto_cmd, the values of ptrs[i] can be potentially equal to NULL which is valid value after calling slice_map_array(). Later this values will be derefenced without prior NULL check, which can lead to local Temporary DoS or OOB Read, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-27T16:15:31Z",
    "severity": "MODERATE"
  },
  "details": "In the function process_crypto_cmd, the values of ptrs[i] can be potentially equal to NULL which is valid value after calling slice_map_array(). Later this values will be derefenced without prior NULL check, which can lead to local Temporary DoS or OOB Read, leading to information disclosure.",
  "id": "GHSA-x37m-q3cw-3j2c",
  "modified": "2025-05-27T21:32:16Z",
  "published": "2025-05-27T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27701"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2025-05-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X39P-4HJ3-P7VG

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:50
VLAI
Details

libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG parser in parser.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-29T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG parser in parser.c.",
  "id": "GHSA-x39p-4hj3-p7vg",
  "modified": "2024-04-04T01:50:42Z",
  "published": "2022-05-24T16:55:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15757"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/andreafioraldi/343d9ba64060b548c02362a5e61ec932"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/cdemu/bugs/118"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00037.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3FM-X4JG-JW2H

Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Don't crash in stack_top() for tasks without vDSO

Not all tasks have a vDSO mapped, for example kthreads never do. If such a task ever ends up calling stack_top(), it will derefence the NULL vdso pointer and crash.

This can for example happen when using kunit:

[<9000000000203874>] stack_top+0x58/0xa8
[<90000000002956cc>] arch_pick_mmap_layout+0x164/0x220
[<90000000003c284c>] kunit_vm_mmap_init+0x108/0x12c
[<90000000003c1fbc>] __kunit_add_resource+0x38/0x8c
[<90000000003c2704>] kunit_vm_mmap+0x88/0xc8
[<9000000000410b14>] usercopy_test_init+0xbc/0x25c
[<90000000003c1db4>] kunit_try_run_case+0x5c/0x184
[<90000000003c3d54>] kunit_generic_run_threadfn_adapter+0x24/0x48
[<900000000022e4bc>] kthread+0xc8/0xd4
[<9000000000200ce8>] ret_from_kernel_thread+0xc/0xa4
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Don\u0027t crash in stack_top() for tasks without vDSO\n\nNot all tasks have a vDSO mapped, for example kthreads never do. If such\na task ever ends up calling stack_top(), it will derefence the NULL vdso\npointer and crash.\n\nThis can for example happen when using kunit:\n\n\t[\u003c9000000000203874\u003e] stack_top+0x58/0xa8\n\t[\u003c90000000002956cc\u003e] arch_pick_mmap_layout+0x164/0x220\n\t[\u003c90000000003c284c\u003e] kunit_vm_mmap_init+0x108/0x12c\n\t[\u003c90000000003c1fbc\u003e] __kunit_add_resource+0x38/0x8c\n\t[\u003c90000000003c2704\u003e] kunit_vm_mmap+0x88/0xc8\n\t[\u003c9000000000410b14\u003e] usercopy_test_init+0xbc/0x25c\n\t[\u003c90000000003c1db4\u003e] kunit_try_run_case+0x5c/0x184\n\t[\u003c90000000003c3d54\u003e] kunit_generic_run_threadfn_adapter+0x24/0x48\n\t[\u003c900000000022e4bc\u003e] kthread+0xc8/0xd4\n\t[\u003c9000000000200ce8\u003e] ret_from_kernel_thread+0xc/0xa4",
  "id": "GHSA-x3fm-x4jg-jw2h",
  "modified": "2025-11-04T00:31:55Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50133"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/041cc3860b06770357876d1114d615333b0fbf31"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/134475a9ab8487527238d270639a8cb74c10aab2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a67d4a02bf43e15544179895ede7d5f97b84b550"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a94c197d4d749954dfaa37e907fcc8c04e4aad7e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3J5-9GHR-8CWM

Vulnerability from github – Published: 2026-03-26 12:30 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561)

Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T11:16:19Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n  \u003cIRQ\u003e\n  icmp_rcv (net/ipv4/icmp.c:1527)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n  ip_local_deliver (net/ipv4/ip_input.c:262)\n  ip_rcv (net/ipv4/ip_input.c:573)\n  __netif_receive_skb_one_core (net/core/dev.c:6164)\n  process_backlog (net/core/dev.c:6628)\n  handle_softirqs (kernel/softirq.c:561)\n  \u003c/IRQ\u003e\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation.",
  "id": "GHSA-x3j5-9ghr-8cwm",
  "modified": "2026-07-14T15:31:44Z",
  "published": "2026-03-26T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23398"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.