Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-XJP9-7HX4-8RWC

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:51
VLAI
Details

Stability-related vulnerability in the binder background management and control module. Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:16:03Z",
    "severity": "HIGH"
  },
  "details": "Stability-related vulnerability in the binder background management and control module. Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-xjp9-7hx4-8rwc",
  "modified": "2024-04-04T07:51:11Z",
  "published": "2023-09-27T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48606"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/9"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202309-0000001638925158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJR2-G37G-HRJM

Vulnerability from github – Published: 2024-05-22 09:31 – Updated: 2025-01-15 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/secretmem: fix NULL page->mapping dereference in page_is_secretmem()

Check for a NULL page->mapping before dereferencing the mapping in page_is_secretmem(), as the page's mapping can be nullified while gup() is running, e.g. by reclaim or truncation.

BUG: kernel NULL pointer dereference, address: 0000000000000068 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G W RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0 Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046 RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900 ... CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0 Call Trace: get_user_pages_fast_only+0x13/0x20 hva_to_pfn+0xa9/0x3e0 try_async_pf+0xa1/0x270 direct_page_fault+0x113/0xad0 kvm_mmu_page_fault+0x69/0x680 vmx_handle_exit+0xe1/0x5d0 kvm_arch_vcpu_ioctl_run+0xd81/0x1c70 kvm_vcpu_ioctl+0x267/0x670 __x64_sys_ioctl+0x83/0xa0 do_syscall_64+0x56/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T07:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix NULL page-\u003emapping dereference in page_is_secretmem()\n\nCheck for a NULL page-\u003emapping before dereferencing the mapping in\npage_is_secretmem(), as the page\u0027s mapping can be nullified while gup()\nis running, e.g.  by reclaim or truncation.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000068\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G        W\n  RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0\n  Code: \u003c48\u003e 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be\n  RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046\n  RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900\n  ...\n  CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0\n  Call Trace:\n   get_user_pages_fast_only+0x13/0x20\n   hva_to_pfn+0xa9/0x3e0\n   try_async_pf+0xa1/0x270\n   direct_page_fault+0x113/0xad0\n   kvm_mmu_page_fault+0x69/0x680\n   vmx_handle_exit+0xe1/0x5d0\n   kvm_arch_vcpu_ioctl_run+0xd81/0x1c70\n   kvm_vcpu_ioctl+0x267/0x670\n   __x64_sys_ioctl+0x83/0xa0\n   do_syscall_64+0x56/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae",
  "id": "GHSA-xjr2-g37g-hrjm",
  "modified": "2025-01-15T21:31:40Z",
  "published": "2024-05-22T09:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47463"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79f9bc5843142b649575f887dccdf1c07ad75c20"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b77ba1e02345bafd703f0d407bdbd88c3be1f767"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJW6-GM63-G5H8

Vulnerability from github – Published: 2025-11-04 21:31 – Updated: 2025-11-04 21:31
VLAI
Details

An issue was discovered in the NPU driver in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, 2500. There is a NULL Pointer Dereference of hdev in the __npu_vertex_bootup function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-04T19:17:11Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the NPU driver in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, 2500. There is a NULL Pointer Dereference of hdev in the __npu_vertex_bootup function.",
  "id": "GHSA-xjw6-gm63-g5h8",
  "modified": "2025-11-04T21:31:34Z",
  "published": "2025-11-04T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54334"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54334"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJX5-8V38-Q6GH

Vulnerability from github – Published: 2026-01-25 15:30 – Updated: 2026-03-18 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-25T15:15:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec\n\nCommit efa56305908b (\"nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\")\nadded ttag bounds checking and data_offset\nvalidation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate\nwhether the command\u0027s data structures (cmd-\u003ereq.sg and cmd-\u003eiov) have\nbeen properly initialized before processing H2C_DATA PDUs.\n\nThe nvmet_tcp_build_pdu_iovec() function dereferences these pointers\nwithout NULL checks. This can be triggered by sending H2C_DATA PDU\nimmediately after the ICREQ/ICRESP handshake, before\nsending a CONNECT command or NVMe write command.\n\nAttack vectors that trigger NULL pointer dereferences:\n1. H2C_DATA PDU sent before CONNECT \u2192 both pointers NULL\n2. H2C_DATA PDU for READ command \u2192 cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n3. H2C_DATA PDU for uninitialized command slot \u2192 both pointers NULL\n\nThe fix validates both cmd-\u003ereq.sg and cmd-\u003eiov before calling\nnvmet_tcp_build_pdu_iovec(). Both checks are required because:\n- Uninitialized commands: both NULL\n- READ commands: cmd-\u003ereq.sg allocated, cmd-\u003eiov NULL\n- WRITE commands: both allocated",
  "id": "GHSA-xjx5-8v38-q6gh",
  "modified": "2026-03-18T18:31:10Z",
  "published": "2026-01-25T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22998"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76abc83a9d25593c2b7613c549413079c14a4686"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d75570002929d20e40110d6b03e46202c9d1bc7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/baabe43a0edefac8cd7b981ff87f967f6034dafe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM5J-HMVJ-WR75

Vulnerability from github – Published: 2024-09-27 15:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ

Make sure the connector is fully initialized before signalling any HPD events via drm_kms_helper_hotplug_event(), otherwise this may lead to NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T13:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ\n\nMake sure the connector is fully initialized before signalling any\nHPD events via drm_kms_helper_hotplug_event(), otherwise this may\nlead to NULL pointer dereference.",
  "id": "GHSA-xm5j-hmvj-wr75",
  "modified": "2025-11-04T00:31:30Z",
  "published": "2024-09-27T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46810"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/162e48cb1d84c2c966b649b8ac5c9d4f75f6d44f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1fb13693953737783b424aa4712f0a27a9eaf5a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d567126474e68f959b2c2543c375f3bb32e948a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adc5674c23b8191e596ed0dbaa9600265ac896a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1b121f21bbc56a6ae035aa5b77daac62bfb9be5"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM67-P2Q8-VHGG

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:18
VLAI
Details

In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reallocation failures, leading to a memory copy into a NULL pointer. This is different from CVE-2018-20186.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13959"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-18T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reallocation failures, leading to a memory copy into a NULL pointer. This is different from CVE-2018-20186.",
  "id": "GHSA-xm67-p2q8-vhgg",
  "modified": "2024-04-04T01:18:43Z",
  "published": "2022-05-24T16:50:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13959"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/394"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM7V-QXRM-68JG

Vulnerability from github – Published: 2025-03-12 00:31 – Updated: 2025-03-12 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: phy: at803x: fix NULL pointer dereference on AR9331 PHY

Latest kernel will explode on the PHY interrupt config, since it depends now on allocated priv. So, run probe to allocate priv to fix it.

ar9331_switch ethernet.1:10 lan0 (uninitialized): PHY [!ahb!ethernet@1a000000!mdio!switch@10:00] driver [Qualcomm Atheros AR9331 built-in PHY] (irq=13) CPU 0 Unable to handle kernel paging request at virtual address 0000000a, epc == 8050e8a8, ra == 80504b34 ... Call Trace: [<8050e8a8>] at803x_config_intr+0x5c/0xd0 [<80504b34>] phy_request_interrupt+0xa8/0xd0 [<8050289c>] phylink_bringup_phy+0x2d8/0x3ac [<80502b68>] phylink_fwnode_phy_connect+0x118/0x130 [<8074d8ec>] dsa_slave_create+0x270/0x420 [<80743b04>] dsa_port_setup+0x12c/0x148 [<8074580c>] dsa_register_switch+0xaf0/0xcc0 [<80511344>] ar9331_sw_probe+0x370/0x388 [<8050cb78>] mdio_probe+0x44/0x70 [<804df300>] really_probe+0x200/0x424 [<804df7b4>] __driver_probe_device+0x290/0x298 [<804df810>] driver_probe_device+0x54/0xe4 [<804dfd50>] __device_attach_driver+0xe4/0x130 [<804dcb00>] bus_for_each_drv+0xb4/0xd8 [<804dfac4>] __device_attach+0x104/0x1a4 [<804ddd24>] bus_probe_device+0x48/0xc4 [<804deb44>] deferred_probe_work_func+0xf0/0x10c [<800a0ffc>] process_one_work+0x314/0x4d4 [<800a17fc>] worker_thread+0x2a4/0x354 [<800a9a54>] kthread+0x134/0x13c [<8006306c>] ret_from_kernel_thread+0x14/0x1c

Same Issue would affect some other PHYs (QCA8081, QCA9561), so fix it too.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: at803x: fix NULL pointer dereference on AR9331 PHY\n\nLatest kernel will explode on the PHY interrupt config, since it depends\nnow on allocated priv. So, run probe to allocate priv to fix it.\n\n ar9331_switch ethernet.1:10 lan0 (uninitialized): PHY [!ahb!ethernet@1a000000!mdio!switch@10:00] driver [Qualcomm Atheros AR9331 built-in PHY] (irq=13)\n CPU 0 Unable to handle kernel paging request at virtual address 0000000a, epc == 8050e8a8, ra == 80504b34\n         ...\n Call Trace:\n [\u003c8050e8a8\u003e] at803x_config_intr+0x5c/0xd0\n [\u003c80504b34\u003e] phy_request_interrupt+0xa8/0xd0\n [\u003c8050289c\u003e] phylink_bringup_phy+0x2d8/0x3ac\n [\u003c80502b68\u003e] phylink_fwnode_phy_connect+0x118/0x130\n [\u003c8074d8ec\u003e] dsa_slave_create+0x270/0x420\n [\u003c80743b04\u003e] dsa_port_setup+0x12c/0x148\n [\u003c8074580c\u003e] dsa_register_switch+0xaf0/0xcc0\n [\u003c80511344\u003e] ar9331_sw_probe+0x370/0x388\n [\u003c8050cb78\u003e] mdio_probe+0x44/0x70\n [\u003c804df300\u003e] really_probe+0x200/0x424\n [\u003c804df7b4\u003e] __driver_probe_device+0x290/0x298\n [\u003c804df810\u003e] driver_probe_device+0x54/0xe4\n [\u003c804dfd50\u003e] __device_attach_driver+0xe4/0x130\n [\u003c804dcb00\u003e] bus_for_each_drv+0xb4/0xd8\n [\u003c804dfac4\u003e] __device_attach+0x104/0x1a4\n [\u003c804ddd24\u003e] bus_probe_device+0x48/0xc4\n [\u003c804deb44\u003e] deferred_probe_work_func+0xf0/0x10c\n [\u003c800a0ffc\u003e] process_one_work+0x314/0x4d4\n [\u003c800a17fc\u003e] worker_thread+0x2a4/0x354\n [\u003c800a9a54\u003e] kthread+0x134/0x13c\n [\u003c8006306c\u003e] ret_from_kernel_thread+0x14/0x1c\n\nSame Issue would affect some other PHYs (QCA8081, QCA9561), so fix it\ntoo.",
  "id": "GHSA-xm7v-qxrm-68jg",
  "modified": "2025-03-12T00:31:49Z",
  "published": "2025-03-12T00:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49692"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66fa352215e8455ba2e5f33793535795bd3e36ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9926de7315be3d606cc011a305ad9adb9e8e14c9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM94-M277-F852

Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-04-22 00:31
VLAI
Details

Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-21T13:16:23Z",
    "severity": "MODERATE"
  },
  "details": "Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.",
  "id": "GHSA-xm94-m277-f852",
  "modified": "2026-04-22T00:31:39Z",
  "published": "2026-04-21T15:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6778"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022746"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMH6-3RX4-QRFP

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential kernel oops when probe fails

When probe of the sdio brcmfmac device fails for some reasons (i.e. missing firmware), the sdiodev->bus is set to error instead of NULL, thus the cleanup later in brcmf_sdio_remove() tries to free resources via invalid bus pointer. This happens because sdiodev->bus is set 2 times: first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix this by chaning the brcmf_sdio_probe() function to return the error code and set sdio->bus only there.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:31Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix potential kernel oops when probe fails\n\nWhen probe of the sdio brcmfmac device fails for some reasons (i.e.\nmissing firmware), the sdiodev-\u003ebus is set to error instead of NULL, thus\nthe cleanup later in brcmf_sdio_remove() tries to free resources via\ninvalid bus pointer. This happens because sdiodev-\u003ebus is set 2 times:\nfirst in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix\nthis by chaning the brcmf_sdio_probe() function to return the error code\nand set sdio-\u003ebus only there.",
  "id": "GHSA-xmh6-3rx4-qrfp",
  "modified": "2026-05-13T21:31:58Z",
  "published": "2026-05-06T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43144"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/243307a0d1b0d01538e202c00454c28b21d4432e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/379aac7ee8240848aa35f605b06addb4617c863e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64ccb0aac41c5055780c2a58bbe2c1b362ceccde"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMJQ-8XH6-Q7GF

Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-10-08 21:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T19:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.6.3195 build 20250715 and later\nQuTS hero h5.2.6.3195 build 20250715 and later",
  "id": "GHSA-xmjq-8xh6-q7gf",
  "modified": "2025-10-08T21:30:24Z",
  "published": "2025-10-03T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48728"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.