CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-X5CJ-FGC8-52C7
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.
{
"affected": [],
"aliases": [
"CVE-2018-14646"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-26T19:29:00Z",
"severity": "MODERATE"
},
"details": "The Linux kernel before 4.15-rc8 was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service.",
"id": "GHSA-x5cj-fgc8-52c7",
"modified": "2022-05-13T01:34:30Z",
"published": "2022-05-13T01:34:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14646"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3651"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3666"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3843"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14646"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f428fe4a04cc339166c8bbd489789760de3a0cee"
},
{
"type": "WEB",
"url": "https://marc.info/?l=linux-netdev\u0026m=151500466401174\u0026w=2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5FH-PC22-3JCJ
Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-04 00:00NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV.
{
"affected": [],
"aliases": [
"CVE-2022-2549"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV.",
"id": "GHSA-x5fh-pc22-3jcj",
"modified": "2022-08-04T00:00:22Z",
"published": "2022-07-28T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2549"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/0102c5d4db7fdbf08b5b591b2a6264de33867a07"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/c93083dc-177c-4ba0-ba83-9d7fb29a5537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5R6-JR56-89PV
Vulnerability from github – Published: 2026-05-04 19:45 – Updated: 2026-05-08 21:47Summary
Details
It was found that backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system.
ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup().
An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun.
The flow is as follows: A crafted backup archive contains a valid backup/index.yaml file together with a malformed backup/container/backup.yaml file that omits the container section. backup.GetInfo() parses backup/index.yaml successfully, so bInfo.Config is populated from the inline config. Because result.Config != nil, GetInfo() does not fall back to backup/container/backup.yaml. instances_post.go then builds the request from bInfo.Config.Container, which succeeds because the inline config is valid. Later, storage unpack extracts backup/container/backup.yaml into the instance volume as /backup.yaml. backend.go then calls backup.UpdateInstanceConfig(..., mountPath), which reparses /backup.yaml through ParseConfigYamlFile(). Because ParseConfigYamlFile() accepts YAML with no container section, backup.Container == nil, and later access to backup.Container.Devices or backup.Container.ExpandedDevices can trigger a nil-pointer dereference.
Affected Files: - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L87 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L115 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L85 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L159 - https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go#L809 - https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/api_internal.go#L749
The initial backup-metadata parser prefers inline backup/index.yaml content:
Affected Code:
if hdr.Name == backupIndexPath {
err = yaml.NewDecoder(tr).Decode(&result)
The legacy backup/container/backup.yaml file is only parsed if the inline config is absent:
Affected Code:
if result.Config == nil && hdr.Name == "backup/container/backup.yaml" {
err = yaml.NewDecoder(tr).Decode(&result.Config)
ParseConfigYamlFile() accepts an empty YAML document, or one with no container section, without validation:
Affected Code:
func ParseConfigYamlFile(path string) (*config.Config, error) {
data, err := os.ReadFile(path)
...
backupConf := config.Config{}
err = yaml.Unmarshal(data, &backupConf)
UpdateInstanceConfig() conditionally uses backup.Container at first but later dereferences it unconditionally:
Affected Code:
if backup.Container != nil {
backup.Container.Name = b.Name
backup.Container.Project = b.Project
}
if updateRootDevicePool(backup.Container.Devices, pool.Name) {
rootDiskDeviceFound = true
}
if updateRootDevicePool(backup.Container.ExpandedDevices, pool.Name) {
rootDiskDeviceFound = true
}
Another confirmed sink is present in internalImportFromBackup():
Affected Code:
if allowNameOverride {
backupConf.Container.Name = instName
}
if instName != backupConf.Container.Name {
return fmt.Errorf("Instance name requested %q doesn't match instance name in backup config %q", instName, backupConf.Container.Name)
}
This was confirmed as follows:
Command:
go test ./test/fuzz -run='TestExtractedBackupYAMLMissingContainerNilDereference' -count=1 -v
Output:
=== RUN TestExtractedBackupYAMLMissingContainerNilDereference
=== RUN TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_empty
extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted
backup.yaml (container is nil): runtime error: invalid memory address or nil pointer
dereference
=== RUN TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_pool_only
extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted
backup.yaml (container is nil): runtime error: invalid memory address or nil pointer
dereference
=== RUN TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_volume_only
extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted
backup.yaml (container is nil): runtime error: invalid memory address or nil pointer
dereference
--- FAIL: TestExtractedBackupYAMLMissingContainerNilDereference (0.21s)
FAIL
It is recommended to validate the parsed legacy backup.yaml structure before any dereference and to fail with a standard error if Container is missing:
Proposed Fix:
if backup.Container == nil {
return errors.New("No container struct in the backup file found")
}
That validation should be added at minimum in: backup.UpdateInstanceConfig() and internalImportFromBackup() before any backupConf.Container.* access
More broadly, it is recommended to centralize backup-config validation so that both inline backup/index.yaml and extracted legacy backup.yaml files are checked against the same structural requirements before any restore or import consumer uses them.
A patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.
Credit
This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lxc/incus/v6/cmd/incusd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41684"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T19:45:23Z",
"nvd_published_at": "2026-05-07T14:16:03Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n### Details\nIt was found that backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system.\n\nParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup().\n\nAn authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun.\n\nThe flow is as follows:\nA crafted backup archive contains a valid backup/index.yaml file together with a malformed backup/container/backup.yaml file that omits the container section.\nbackup.GetInfo() parses backup/index.yaml successfully, so bInfo.Config is populated from the inline config.\nBecause result.Config != nil, GetInfo() does not fall back to backup/container/backup.yaml.\ninstances_post.go then builds the request from bInfo.Config.Container, which succeeds because the inline config is valid.\nLater, storage unpack extracts backup/container/backup.yaml into the instance volume as \u003cmountPath\u003e/backup.yaml.\nbackend.go then calls backup.UpdateInstanceConfig(..., mountPath), which reparses \u003cmountPath\u003e/backup.yaml through ParseConfigYamlFile().\nBecause ParseConfigYamlFile() accepts YAML with no container section, backup.Container == nil, and later access to backup.Container.Devices or backup.Container.ExpandedDevices can trigger a nil-pointer dereference.\n\n\nAffected Files:\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L87\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_info.go#L115\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L85\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/backup/backup_config_utils.go#L159\n - https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go#L809\n - https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/api_internal.go#L749\n\nThe initial backup-metadata parser prefers inline backup/index.yaml content:\n\nAffected Code:\n```\nif hdr.Name == backupIndexPath {\n err = yaml.NewDecoder(tr).Decode(\u0026result)\n```\n\nThe legacy backup/container/backup.yaml file is only parsed if the inline config is absent:\n\nAffected Code:\n```\nif result.Config == nil \u0026\u0026 hdr.Name == \"backup/container/backup.yaml\" {\n err = yaml.NewDecoder(tr).Decode(\u0026result.Config)\n```\n\nParseConfigYamlFile() accepts an empty YAML document, or one with no container section, without validation:\n\nAffected Code:\n```\nfunc ParseConfigYamlFile(path string) (*config.Config, error) {\n data, err := os.ReadFile(path)\n ...\n backupConf := config.Config{}\n err = yaml.Unmarshal(data, \u0026backupConf)\n```\n\nUpdateInstanceConfig() conditionally uses backup.Container at first but later dereferences it unconditionally:\n\nAffected Code:\n```\nif backup.Container != nil {\n backup.Container.Name = b.Name\n backup.Container.Project = b.Project\n}\n\nif updateRootDevicePool(backup.Container.Devices, pool.Name) {\n rootDiskDeviceFound = true\n}\n\nif updateRootDevicePool(backup.Container.ExpandedDevices, pool.Name) {\n rootDiskDeviceFound = true\n}\n```\n\nAnother confirmed sink is present in internalImportFromBackup():\n\nAffected Code:\n```\nif allowNameOverride {\n backupConf.Container.Name = instName\n}\n\nif instName != backupConf.Container.Name {\n return fmt.Errorf(\"Instance name requested %q doesn\u0027t match instance name in backup config %q\", instName, backupConf.Container.Name)\n}\n```\n\nThis was confirmed as follows:\n\nCommand:\n```\ngo test ./test/fuzz -run=\u0027TestExtractedBackupYAMLMissingContainerNilDereference\u0027 -count=1 -v\n```\n\nOutput:\n\n```\n=== RUN TestExtractedBackupYAMLMissingContainerNilDereference\n=== RUN TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_empty\n extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted\n backup.yaml (container is nil): runtime error: invalid memory address or nil pointer\n dereference\n=== RUN TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_pool_only\n extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted\n backup.yaml (container is nil): runtime error: invalid memory address or nil pointer\n dereference\n=== RUN TestExtractedBackupYAMLMissingContainerNilDereference/legacy_backup_volume_only\n extracted_backup_yaml_poc_test.go:70: UpdateInstanceConfig panicked on malformed extracted\n backup.yaml (container is nil): runtime error: invalid memory address or nil pointer\n dereference\n--- FAIL: TestExtractedBackupYAMLMissingContainerNilDereference (0.21s)\nFAIL\n```\n\nIt is recommended to validate the parsed legacy backup.yaml structure before any dereference and to fail with a standard error if Container is missing:\n\nProposed Fix:\n```\nif backup.Container == nil {\n return errors.New(\"No container struct in the backup file found\")\n}\n```\n\nThat validation should be added at minimum in: backup.UpdateInstanceConfig() and internalImportFromBackup() before any backupConf.Container.* access\n\nMore broadly, it is recommended to centralize backup-config validation so that both inline backup/index.yaml and extracted legacy backup.yaml files are checked against the same structural requirements before any restore or import consumer uses them.\n\nA patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.\n\n### Credit\nThis issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)",
"id": "GHSA-x5r6-jr56-89pv",
"modified": "2026-05-08T21:47:19Z",
"published": "2026-05-04T19:45:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lxc/incus/security/advisories/GHSA-x5r6-jr56-89pv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41684"
},
{
"type": "PACKAGE",
"url": "https://github.com/lxc/incus"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/releases/tag/v7.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incus has Nil Dereferences on Restore via Malformed YAML"
}
GHSA-X5XR-8RHW-QPR4
Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-12-30 21:30In the Linux kernel, the following vulnerability has been resolved:
mlxbf_gige: call request_irq() after NAPI initialized
The mlxbf_gige driver encounters a NULL pointer exception in mlxbf_gige_open() when kdump is enabled. The sequence to reproduce the exception is as follows: a) enable kdump b) trigger kdump via "echo c > /proc/sysrq-trigger" c) kdump kernel executes d) kdump kernel loads mlxbf_gige module e) the mlxbf_gige module runs its open() as the the "oob_net0" interface is brought up f) mlxbf_gige module will experience an exception during its open(), something like:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000086000004
EC = 0x21: IABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000086000004 [#1] SMP
CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu
Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : 0x0
lr : __napi_poll+0x40/0x230
sp : ffff800008003e00
x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
Call trace:
0x0
net_rx_action+0x178/0x360
__do_softirq+0x15c/0x428
__irq_exit_rcu+0xac/0xec
irq_exit+0x18/0x2c
handle_domain_irq+0x6c/0xa0
gic_handle_irq+0xec/0x1b0
call_on_irq_stack+0x20/0x2c
do_interrupt_handler+0x5c/0x70
el1_interrupt+0x30/0x50
el1h_64_irq_handler+0x18/0x2c
el1h_64_irq+0x7c/0x80
__setup_irq+0x4c0/0x950
request_threaded_irq+0xf4/0x1bc
mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
__dev_open+0x100/0x220
__dev_change_flags+0x16c/0x1f0
dev_change_flags+0x2c/0x70
do_setlink+0x220/0xa40
__rtnl_newlink+0x56c/0x8a0
rtnl_newlink+0x58/0x84
rtnetlink_rcv_msg+0x138/0x3c4
netlink_rcv_skb+0x64/0x130
rtnetlink_rcv+0x20/0x30
netlink_unicast+0x2ec/0x360
netlink_sendmsg+0x278/0x490
__sock_sendmsg+0x5c/0x6c
____sys_sendmsg+0x290/0x2d4
___sys_sendmsg+0x84/0xd0
__sys_sendmsg+0x70/0xd0
__arm64_sys_sendmsg+0x2c/0x40
invoke_syscall+0x78/0x100
el0_svc_common.constprop.0+0x54/0x184
do_el0_svc+0x30/0xac
el0_svc+0x48/0x160
el0t_64_sync_handler+0xa4/0x12c
el0t_64_sync+0x1a4/0x1a8
Code: bad PC value
---[ end trace 7d1c3f3bf9d81885 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
PHYS_OFFSET: 0x80000000
CPU features: 0x0,000005c1,a3332a5a
Memory Limit: none
---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
The exception happens because there is a pending RX interrupt before the call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires immediately after this request_irq() completes. The ---truncated---
{
"affected": [],
"aliases": [
"CVE-2024-35907"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T09:15:11Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c \u003e /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---",
"id": "GHSA-x5xr-8rhw-qpr4",
"modified": "2024-12-30T21:30:45Z",
"published": "2024-05-19T09:34:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X625-MMF4-V9RQ
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
{
"affected": [],
"aliases": [
"CVE-2020-20222"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-18T19:15:00Z",
"severity": "MODERATE"
},
"details": "Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/sniffer process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).",
"id": "GHSA-x625-mmf4-v9rq",
"modified": "2022-05-24T19:02:41Z",
"published": "2022-05-24T19:02:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20222"
},
{
"type": "WEB",
"url": "https://mikrotik.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162513/Mikrotik-RouterOS-6.46.5-Memory-Corruption-Assertion-Failure.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/15"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X63Q-5MXW-X3P4
Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-23 18:31OpenAirInterface CN5G AMF (oai-cn5g-amf) <= 2.0.0 contains a null dereference in its handling of unsupported NGAP protocol messages which allows an attacker with network-adjacent access to the AMF to carry out denial of service. When a procedure code/presence field tuple is received that is unsupported, OAI indexes into a null function pointer and subsequently dereferences it.
{
"affected": [],
"aliases": [
"CVE-2024-24445"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T22:15:11Z",
"severity": "MODERATE"
},
"details": "OpenAirInterface CN5G AMF (oai-cn5g-amf) \u003c= 2.0.0 contains a null dereference in its handling of unsupported NGAP protocol messages which allows an attacker with network-adjacent access to the AMF to carry out denial of service. When a procedure code/presence field tuple is received that is unsupported, OAI indexes into a null function pointer and subsequently dereferences it.",
"id": "GHSA-x63q-5mxw-x3p4",
"modified": "2025-01-23T18:31:18Z",
"published": "2025-01-22T00:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24445"
},
{
"type": "WEB",
"url": "https://cellularsecurity.org/ransacked"
},
{
"type": "WEB",
"url": "http://openairinterface.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X63X-QRG6-GGCJ
Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2022-01-26 00:03There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash.
{
"affected": [],
"aliases": [
"CVE-2021-38785"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-18T14:15:00Z",
"severity": "HIGH"
},
"details": "There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash.",
"id": "GHSA-x63x-qrg6-ggcj",
"modified": "2022-01-26T00:03:28Z",
"published": "2022-01-19T00:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38785"
},
{
"type": "WEB",
"url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/Allwinner%20R818%20SoC%EF%BC%9ACamera%20Driver%20has%20Null%20Pointer%20Dereference%20Vulnerability.md"
},
{
"type": "WEB",
"url": "https://vul.wangan.com/a/CNVD-2021-49170"
},
{
"type": "WEB",
"url": "https://www.allwinnertech.com/index.php?c=product\u0026a=index\u0026id=92"
},
{
"type": "WEB",
"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-49170"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X64C-PWXP-R95W
Vulnerability from github – Published: 2022-05-14 02:19 – Updated: 2022-05-14 02:19An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
{
"affected": [],
"aliases": [
"CVE-2018-15504"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-18T03:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.",
"id": "GHSA-x64c-pwxp-r95w",
"modified": "2022-05-14T02:19:49Z",
"published": "2022-05-14T02:19:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15504"
},
{
"type": "WEB",
"url": "https://github.com/embedthis/appweb/issues/605"
},
{
"type": "WEB",
"url": "https://github.com/embedthis/goahead/issues/264"
},
{
"type": "WEB",
"url": "https://github.com/embedthis/appweb/commit/66067ae6d1fa08b37a270e7dc1821df52ed2daef"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/s/article/2019-07-Security-Bulletin-Junos-OS-J-Web-Denial-of-Service-due-to-multiple-vulnerabilities-in-Embedthis-Appweb-Server"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X664-JH9H-XWCQ
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.
{
"affected": [],
"aliases": [
"CVE-2011-1598"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-05-09T22:55:00Z",
"severity": "MODERATE"
},
"details": "The bcm_release function in net/can/bcm.c in the Linux kernel before 2.6.39-rc6 does not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.",
"id": "GHSA-x664-jh9h-xwcq",
"modified": "2022-05-13T01:24:48Z",
"published": "2022-05-13T01:24:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1598"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=698057"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c6914a6f261aca0c9f715f883a353ae7ff51fe83"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c6914a6f261aca0c9f715f883a353ae7ff51fe83"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/20/2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/20/6"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/20/7"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/21/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/21/2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/21/7"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/22/2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/25/4"
},
{
"type": "WEB",
"url": "http://permalink.gmane.org/gmane.linux.network/192898"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.39-rc6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/47503"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X66F-V9WW-9C9P
Vulnerability from github – Published: 2024-08-17 09:30 – Updated: 2024-09-03 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check for NULL pointer
[why & how] Need to make sure plane_state is initialized before accessing its members.
(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)
{
"affected": [],
"aliases": [
"CVE-2024-42308"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-17T09:15:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check for NULL pointer\n\n[why \u0026 how]\nNeed to make sure plane_state is initialized\nbefore accessing its members.\n\n(cherry picked from commit 295d91cbc700651782a60572f83c24861607b648)",
"id": "GHSA-x66f-v9ww-9c9p",
"modified": "2024-09-03T15:30:38Z",
"published": "2024-08-17T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42308"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/185616085b12e651cdfd11ef00d1449f54552d89"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ab68e168ae1695f7c04fae98930740aaf7c50fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ccd37085976ea5d3c499b1e6d0b3f4deaf2cd5a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b5ed0648213e9355cc78f4a264d9afe8536d692"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71dbf95359347c2ecc5a6dfc02783fcfccb2e9fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ce89824ff04d261fc855e0ca6e6025251d9fa40"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f068494430d15b5fc551ac928de9dac7e5e27602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.