Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-X5CJ-FGC8-52C7

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-26T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.",
  "id": "GHSA-x5cj-fgc8-52c7",
  "modified": "2022-05-13T01:34:30Z",
  "published": "2022-05-13T01:34:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14646"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3651"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3666"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3843"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14646"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f428fe4a04cc339166c8bbd489789760de3a0cee"
    },
    {
      "type": "WEB",
      "url": "https://marc.info/?l=linux-netdev\u0026m=151500466401174\u0026w=2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5FH-PC22-3JCJ

Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-04 00:00
VLAI
Details

NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-27T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV.",
  "id": "GHSA-x5fh-pc22-3jcj",
  "modified": "2022-08-04T00:00:22Z",
  "published": "2022-07-28T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2549"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/0102c5d4db7fdbf08b5b591b2a6264de33867a07"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c93083dc-177c-4ba0-ba83-9d7fb29a5537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5R6-JR56-89PV

Vulnerability from github – Published: 2026-05-04 19:45 – Updated: 2026-05-08 21:47
VLAI
Summary
Incus has Nil Dereferences on Restore via Malformed YAML
Details

Summary

Details

It was found that backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system.

ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup().

An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun.

The flow is as follows: A crafted backup archive contains a valid backup/index.yaml file together with a malformed backup/container/backup.yaml file that omits the container section. backup.GetInfo() parses backup/index.yaml successfully, so bInfo.Config is populated from the inline config. Because result.Config != nil, GetInfo() does not fall back to backup/container/backup.yaml. instances_post.go then builds the request from bInfo.Config.Container, which succeeds because the inline config is valid. Later, storage unpack extracts backup/container/backup.yaml into the instance volume as /backup.yaml. backend.go then calls backup.UpdateInstanceConfig(..., mountPath), which reparses /backup.yaml through ParseConfigYamlFile(). Because ParseConfigYamlFile() accepts YAML with no container section, backup.Container == nil, and later access to backup.Container.Devices or backup.Container.ExpandedDevices can trigger a nil-pointer dereference.

Affected Files: - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L87 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L115 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L85 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L159 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go#L809 - https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/api_internal.go#L749

The initial backup-metadata parser prefers inline backup/index.yaml content:

Affected Code:

if hdr.Name == backupIndexPath {
    err = yaml.NewDecoder(tr).Decode(&result)

The legacy backup/container/backup.yaml file is only parsed if the inline config is absent:

Affected Code:

if result.Config == nil && hdr.Name == "backup/container/backup.yaml" {
    err = yaml.NewDecoder(tr).Decode(&result.Config)

ParseConfigYamlFile() accepts an empty YAML document, or one with no container section, without validation:

Affected Code:

func ParseConfigYamlFile(path string) (*config.Config, error) {
    data, err := os.ReadFile(path)
    ...
    backupConf := config.Config{}
    err = yaml.Unmarshal(data, &backupConf)

UpdateInstanceConfig() conditionally uses backup.Container at first but later dereferences it unconditionally:

Affected Code:

if backup.Container != nil {
    backup.Container.Name = b.Name
    backup.Container.Project = b.Project
}

if updateRootDevicePool(backup.Container.Devices, pool.Name) {
    rootDiskDeviceFound = true
}

if updateRootDevicePool(backup.Container.ExpandedDevices, pool.Name) {
    rootDiskDeviceFound = true
}

Another confirmed sink is present in internalImportFromBackup():

Affected Code:

if allowNameOverride {
    backupConf.Container.Name = instName
}

if instName != backupConf.Container.Name {
    return fmt.Errorf("Instance name requested %q doesn't match instance name in backup config %q", instName, backupConf.Container.Name)
}

This was confirmed as follows:

Command:

go test ./test/fuzz -run='TestExtractedBackupYAMLMissingContainerNilDereference' -count=1 -v

Output:

=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference
=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_empty
   extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted
       backup.yaml (container is nil): runtime error: invalid memory address or nil pointer
       dereference
=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_pool_only
   extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted
       backup.yaml (container is nil): runtime error: invalid memory address or nil pointer
       dereference
=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_volume_only
   extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted
       backup.yaml (container is nil): runtime error: invalid memory address or nil pointer
       dereference
--- FAIL: TestExtractedBackupYAMLMissingContainerNilDereference (0.21s)
FAIL

It is recommended to validate the parsed legacy backup.yaml structure before any dereference and to fail with a standard error if Container is missing:

Proposed Fix:

if backup.Container == nil {
    return errors.New("No container struct in the backup file found")
}

That validation should be added at minimum in: backup.UpdateInstanceConfig() and internalImportFromBackup() before any backupConf.Container.* access

More broadly, it is recommended to centralize backup-config validation so that both inline backup/index.yaml and extracted legacy backup.yaml files are checked against the same structural requirements before any restore or import consumer uses them.

A patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.

Credit

This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lxc/incus/v6/cmd/incusd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T19:45:23Z",
    "nvd_published_at": "2026-05-07T14:16:03Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n### Details\nIt was found that backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system.\n\nParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup().\n\nAn authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun.\n\nThe flow is as follows:\nA crafted backup archive contains a valid backup/index.yaml file together with a malformed backup/container/backup.yaml file that omits the container section.\nbackup.GetInfo() parses backup/index.yaml successfully, so bInfo.Config is populated from the inline config.\nBecause result.Config != nil, GetInfo() does not fall back to backup/container/backup.yaml.\ninstances_post.go then builds the request from bInfo.Config.Container, which succeeds because the inline config is valid.\nLater, storage unpack extracts backup/container/backup.yaml into the instance volume as \u003cmountPath\u003e/backup.yaml.\nbackend.go then calls backup.UpdateInstanceConfig(..., mountPath), which reparses \u003cmountPath\u003e/backup.yaml through ParseConfigYamlFile().\nBecause ParseConfigYamlFile() accepts YAML with no container section, backup.Container == nil, and later access to backup.Container.Devices or backup.Container.ExpandedDevices can trigger a nil-pointer dereference.\n\n\nAffected Files:\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L87\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L115\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L85\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L159\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go#L809\n - https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/api_internal.go#L749\n\nThe initial backup-metadata parser prefers inline backup/index.yaml content:\n\nAffected Code:\n```\nif hdr.Name == backupIndexPath {\n    err = yaml.NewDecoder(tr).Decode(\u0026result)\n```\n\nThe legacy backup/container/backup.yaml file is only parsed if the inline config is absent:\n\nAffected Code:\n```\nif result.Config == nil \u0026\u0026 hdr.Name == \"backup/container/backup.yaml\" {\n    err = yaml.NewDecoder(tr).Decode(\u0026result.Config)\n```\n\nParseConfigYamlFile() accepts an empty YAML document, or one with no container section, without validation:\n\nAffected Code:\n```\nfunc ParseConfigYamlFile(path string) (*config.Config, error) {\n    data, err := os.ReadFile(path)\n    ...\n    backupConf := config.Config{}\n    err = yaml.Unmarshal(data, \u0026backupConf)\n```\n\nUpdateInstanceConfig() conditionally uses backup.Container at first but later dereferences it unconditionally:\n\nAffected Code:\n```\nif backup.Container != nil {\n    backup.Container.Name = b.Name\n    backup.Container.Project = b.Project\n}\n\nif updateRootDevicePool(backup.Container.Devices, pool.Name) {\n    rootDiskDeviceFound = true\n}\n\nif updateRootDevicePool(backup.Container.ExpandedDevices, pool.Name) {\n    rootDiskDeviceFound = true\n}\n```\n\nAnother confirmed sink is present in internalImportFromBackup():\n\nAffected Code:\n```\nif allowNameOverride {\n    backupConf.Container.Name = instName\n}\n\nif instName != backupConf.Container.Name {\n    return fmt.Errorf(\"Instance name requested %q doesn\u0027t match instance name in backup config %q\", instName, backupConf.Container.Name)\n}\n```\n\nThis was confirmed as follows:\n\nCommand:\n```\ngo test ./test/fuzz -run=\u0027TestExtractedBackupYAMLMissingContainerNilDereference\u0027 -count=1 -v\n```\n\nOutput:\n\n```\n=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference\n=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_empty\n   extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted\n       backup.yaml (container is nil): runtime error: invalid memory address or nil pointer\n       dereference\n=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_pool_only\n   extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted\n       backup.yaml (container is nil): runtime error: invalid memory address or nil pointer\n       dereference\n=== RUN   TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_volume_only\n   extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted\n       backup.yaml (container is nil): runtime error: invalid memory address or nil pointer\n       dereference\n--- FAIL: TestExtractedBackupYAMLMissingContainerNilDereference (0.21s)\nFAIL\n```\n\nIt is recommended to validate the parsed legacy backup.yaml structure before any dereference and to fail with a standard error if Container is missing:\n\nProposed Fix:\n```\nif backup.Container == nil {\n    return errors.New(\"No container struct in the backup file found\")\n}\n```\n\nThat validation should be added at minimum in: backup.UpdateInstanceConfig() and internalImportFromBackup() before any backupConf.Container.* access\n\nMore broadly, it is recommended to centralize backup-config validation so that both inline backup/index.yaml and extracted legacy backup.yaml files are checked against the same structural requirements before any restore or import consumer uses them.\n\nA patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.\n\n### Credit\nThis issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)",
  "id": "GHSA-x5r6-jr56-89pv",
  "modified": "2026-05-08T21:47:19Z",
  "published": "2026-05-04T19:45:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-x5r6-jr56-89pv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41684"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxc/incus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/releases/tag/v7.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incus has Nil Dereferences on Restore via Malformed YAML"
}

GHSA-X5XR-8RHW-QPR4

Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-12-30 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mlxbf_gige: call request_irq() after NAPI initialized

The mlxbf_gige driver encounters a NULL pointer exception in mlxbf_gige_open() when kdump is enabled. The sequence to reproduce the exception is as follows: a) enable kdump b) trigger kdump via "echo c > /proc/sysrq-trigger" c) kdump kernel executes d) kdump kernel loads mlxbf_gige module e) the mlxbf_gige module runs its open() as the the "oob_net0" interface is brought up f) mlxbf_gige module will experience an exception during its open(), something like:

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
 Mem abort info:
   ESR = 0x0000000086000004
   EC = 0x21: IABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
 user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
 Internal error: Oops: 0000000086000004 [#1] SMP
 CPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu
 Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : 0x0
 lr : __napi_poll+0x40/0x230
 sp : ffff800008003e00
 x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
 x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
 x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
 x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
 x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
 x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
 x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
 x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
 Call trace:
  0x0
  net_rx_action+0x178/0x360
  __do_softirq+0x15c/0x428
  __irq_exit_rcu+0xac/0xec
  irq_exit+0x18/0x2c
  handle_domain_irq+0x6c/0xa0
  gic_handle_irq+0xec/0x1b0
  call_on_irq_stack+0x20/0x2c
  do_interrupt_handler+0x5c/0x70
  el1_interrupt+0x30/0x50
  el1h_64_irq_handler+0x18/0x2c
  el1h_64_irq+0x7c/0x80
  __setup_irq+0x4c0/0x950
  request_threaded_irq+0xf4/0x1bc
  mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
  mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
  __dev_open+0x100/0x220
  __dev_change_flags+0x16c/0x1f0
  dev_change_flags+0x2c/0x70
  do_setlink+0x220/0xa40
  __rtnl_newlink+0x56c/0x8a0
  rtnl_newlink+0x58/0x84
  rtnetlink_rcv_msg+0x138/0x3c4
  netlink_rcv_skb+0x64/0x130
  rtnetlink_rcv+0x20/0x30
  netlink_unicast+0x2ec/0x360
  netlink_sendmsg+0x278/0x490
  __sock_sendmsg+0x5c/0x6c
  ____sys_sendmsg+0x290/0x2d4
  ___sys_sendmsg+0x84/0xd0
  __sys_sendmsg+0x70/0xd0
  __arm64_sys_sendmsg+0x2c/0x40
  invoke_syscall+0x78/0x100
  el0_svc_common.constprop.0+0x54/0x184
  do_el0_svc+0x30/0xac
  el0_svc+0x48/0x160
  el0t_64_sync_handler+0xa4/0x12c
  el0t_64_sync+0x1a4/0x1a8
 Code: bad PC value
 ---[ end trace 7d1c3f3bf9d81885 ]---
 Kernel panic - not syncing: Oops: Fatal exception in interrupt
 Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
 PHYS_OFFSET: 0x80000000
 CPU features: 0x0,000005c1,a3332a5a
 Memory Limit: none
 ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

The exception happens because there is a pending RX interrupt before the call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires immediately after this request_irq() completes. The ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled.  The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c \u003e /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n   the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n   during its open(), something like:\n\n     Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n     Mem abort info:\n       ESR = 0x0000000086000004\n       EC = 0x21: IABT (current EL), IL = 32 bits\n       SET = 0, FnV = 0\n       EA = 0, S1PTW = 0\n       FSC = 0x04: level 0 translation fault\n     user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n     [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n     Internal error: Oops: 0000000086000004 [#1] SMP\n     CPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu\n     Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n     pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n     pc : 0x0\n     lr : __napi_poll+0x40/0x230\n     sp : ffff800008003e00\n     x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n     x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n     x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n     x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n     x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n     x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n     x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n     x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n     x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n     x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n     Call trace:\n      0x0\n      net_rx_action+0x178/0x360\n      __do_softirq+0x15c/0x428\n      __irq_exit_rcu+0xac/0xec\n      irq_exit+0x18/0x2c\n      handle_domain_irq+0x6c/0xa0\n      gic_handle_irq+0xec/0x1b0\n      call_on_irq_stack+0x20/0x2c\n      do_interrupt_handler+0x5c/0x70\n      el1_interrupt+0x30/0x50\n      el1h_64_irq_handler+0x18/0x2c\n      el1h_64_irq+0x7c/0x80\n      __setup_irq+0x4c0/0x950\n      request_threaded_irq+0xf4/0x1bc\n      mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n      mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n      __dev_open+0x100/0x220\n      __dev_change_flags+0x16c/0x1f0\n      dev_change_flags+0x2c/0x70\n      do_setlink+0x220/0xa40\n      __rtnl_newlink+0x56c/0x8a0\n      rtnl_newlink+0x58/0x84\n      rtnetlink_rcv_msg+0x138/0x3c4\n      netlink_rcv_skb+0x64/0x130\n      rtnetlink_rcv+0x20/0x30\n      netlink_unicast+0x2ec/0x360\n      netlink_sendmsg+0x278/0x490\n      __sock_sendmsg+0x5c/0x6c\n      ____sys_sendmsg+0x290/0x2d4\n      ___sys_sendmsg+0x84/0xd0\n      __sys_sendmsg+0x70/0xd0\n      __arm64_sys_sendmsg+0x2c/0x40\n      invoke_syscall+0x78/0x100\n      el0_svc_common.constprop.0+0x54/0x184\n      do_el0_svc+0x30/0xac\n      el0_svc+0x48/0x160\n      el0t_64_sync_handler+0xa4/0x12c\n      el0t_64_sync+0x1a4/0x1a8\n     Code: bad PC value\n     ---[ end trace 7d1c3f3bf9d81885 ]---\n     Kernel panic - not syncing: Oops: Fatal exception in interrupt\n     Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n     PHYS_OFFSET: 0x80000000\n     CPU features: 0x0,000005c1,a3332a5a\n     Memory Limit: none\n     ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes.  Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---",
  "id": "GHSA-x5xr-8rhw-qpr4",
  "modified": "2024-12-30T21:30:45Z",
  "published": "2024-05-19T09:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X625-MMF4-V9RQ

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-20222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-18T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
  "id": "GHSA-x625-mmf4-v9rq",
  "modified": "2022-05-24T19:02:41Z",
  "published": "2022-05-24T19:02:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20222"
    },
    {
      "type": "WEB",
      "url": "https://mikrotik.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162513/Mikrotik-RouterOS-6.46.5-Memory-Corruption-Assertion-Failure.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/May/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X63Q-5MXW-X3P4

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-23 18:31
VLAI
Details

OpenAirInterface CN5G AMF (oai-cn5g-amf) <= 2.0.0 contains a null dereference in its handling of unsupported NGAP protocol messages which allows an attacker with network-adjacent access to the AMF to carry out denial of service. When a procedure code/presence field tuple is received that is unsupported, OAI indexes into a null function pointer and subsequently dereferences it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "OpenAirInterface CN5G AMF (oai-cn5g-amf) \u003c= 2.0.0 contains a null dereference in its handling of unsupported NGAP protocol messages which allows an attacker with network-adjacent access to the AMF to carry out denial of service. When a procedure code/presence field tuple is received that is unsupported, OAI indexes into a null function pointer and subsequently dereferences it.",
  "id": "GHSA-x63q-5mxw-x3p4",
  "modified": "2025-01-23T18:31:18Z",
  "published": "2025-01-22T00:33:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24445"
    },
    {
      "type": "WEB",
      "url": "https://cellularsecurity.org/ransacked"
    },
    {
      "type": "WEB",
      "url": "http://openairinterface.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X63X-QRG6-GGCJ

Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2022-01-26 00:03
VLAI
Details

There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-18T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash.",
  "id": "GHSA-x63x-qrg6-ggcj",
  "modified": "2022-01-26T00:03:28Z",
  "published": "2022-01-19T00:01:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/Allwinner%20R818%20SoC%EF%BC%9ACamera%20Driver%20has%20Null%20Pointer%20Dereference%20Vulnerability.md"
    },
    {
      "type": "WEB",
      "url": "https://vul.wangan.com/a/CNVD-2021-49170"
    },
    {
      "type": "WEB",
      "url": "https://www.allwinnertech.com/index.php?c=product\u0026a=index\u0026id=92"
    },
    {
      "type": "WEB",
      "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-49170"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X64C-PWXP-R95W

Vulnerability from github – Published: 2022-05-14 02:19 – Updated: 2022-05-14 02:19
VLAI
Details

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-18T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.",
  "id": "GHSA-x64c-pwxp-r95w",
  "modified": "2022-05-14T02:19:49Z",
  "published": "2022-05-14T02:19:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/embedthis/appweb/issues/605"
    },
    {
      "type": "WEB",
      "url": "https://github.com/embedthis/goahead/issues/264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/embedthis/appweb/commit/66067ae6d1fa08b37a270e7dc1821df52ed2daef"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/s/article/2019-07-Security-Bulletin-Junos-OS-J-Web-Denial-of-Service-due-to-multiple-vulnerabilities-in-Embedthis-Appweb-Server"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X664-JH9H-XWCQ

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-05-09T22:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.",
  "id": "GHSA-x664-jh9h-xwcq",
  "modified": "2022-05-13T01:24:48Z",
  "published": "2022-05-13T01:24:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1598"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=698057"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c6914a6f261aca0c9f715f883a353ae7ff51fe83"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c6914a6f261aca0c9f715f883a353ae7ff51fe83"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/20/2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/20/6"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/20/7"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/21/1"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/21/2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/21/7"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/22/2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/04/25/4"
    },
    {
      "type": "WEB",
      "url": "http://permalink.gmane.org/gmane.linux.network/192898"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.39-rc6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/47503"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X66F-V9WW-9C9P

Vulnerability from github – Published: 2024-08-17 09:30 – Updated: 2024-09-03 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check for NULL pointer

[why & how] Need to make sure plane_state is initialized before accessing its members.

(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T09:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check for NULL pointer\n\n[why \u0026 how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\n\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)",
  "id": "GHSA-x66f-v9ww-9c9p",
  "modified": "2024-09-03T15:30:38Z",
  "published": "2024-08-17T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42308"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.