CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6298 vulnerabilities reference this CWE, most recent first.
GHSA-XWWX-GG4V-8GP7
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()
The validity of sock should be checked before assignment to avoid incorrect values. Commit 57569c37f0ad ("scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()") introduced this change which may lead to inconsistent values of tcp_sw_conn->sendpage and conn->datadgst_en.
Fix the issue by moving the position of the assignment.
{
"affected": [],
"aliases": [
"CVE-2023-53464"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()\n\nThe validity of sock should be checked before assignment to avoid incorrect\nvalues. Commit 57569c37f0ad (\"scsi: iscsi: iscsi_tcp: Fix null-ptr-deref\nwhile calling getpeername()\") introduced this change which may lead to\ninconsistent values of tcp_sw_conn-\u003esendpage and conn-\u003edatadgst_en.\n\nFix the issue by moving the position of the assignment.",
"id": "GHSA-xwwx-gg4v-8gp7",
"modified": "2026-01-20T18:31:51Z",
"published": "2025-10-01T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53464"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48b19b79cfa37b1e50da3b5a8af529f994c08901"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/499757ad3332e2527254f9ab68dec1da087b1d96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e5c5f472972c4bc9430adc08b36763a0fa5b9f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e06a68fbbfcd8576eee8f7139fa2b13c9b72e91"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b287e21e73ec23f3788fbe40037c42dbe6e9a9a9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX3Q-MVC5-C52F
Vulnerability from github – Published: 2022-05-17 02:24 – Updated: 2022-05-17 02:24There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2017-11590"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-24T01:29:00Z",
"severity": "HIGH"
},
"details": "There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack.",
"id": "GHSA-xx3q-mvc5-c52f",
"modified": "2022-05-17T02:24:08Z",
"published": "2022-05-17T02:24:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11590"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473167"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX4X-7C38-RPQ3
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions.
Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition.
{
"affected": [],
"aliases": [
"CVE-2026-43443"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:56Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp-mach-common: Add missing error check for clock acquisition\n\nThe acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not\ncheck the return values of clk_get(). This could lead to a kernel crash\nwhen the invalid pointers are later dereferenced by clock core\nfunctions.\n\nFix this by:\n1. Changing clk_get() to the device-managed devm_clk_get().\n2. Adding IS_ERR() checks immediately after each clock acquisition.",
"id": "GHSA-xx4x-7c38-rpq3",
"modified": "2026-05-21T18:33:06Z",
"published": "2026-05-08T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43443"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0cee68fb7f4cf1562e067c5a82d25062a973b0d0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30c64fb9839949f085c8eb55b979cbd8a4c51f00"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX6W-WXQJ-HCRW
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2025-04-20 03:45DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 mishandles certain NULL arrays, which allows attackers to perform Denial of Service (NULL pointer dereference and application crash in AcquireQuantumMemory within MagickCore/memory.c) by providing a crafted Image File as input.
{
"affected": [],
"aliases": [
"CVE-2017-14505"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-17T19:29:00Z",
"severity": "MODERATE"
},
"details": "DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 mishandles certain NULL arrays, which allows attackers to perform Denial of Service (NULL pointer dereference and application crash in AcquireQuantumMemory within MagickCore/memory.c) by providing a crafted Image File as input.",
"id": "GHSA-xx6w-wxqj-hcrw",
"modified": "2025-04-20T03:45:24Z",
"published": "2022-05-13T01:17:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14505"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/716"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100882"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX7J-2FQW-VV47
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a btf decl_tag bug when tagging a function
syzbot reported a btf decl_tag bug with stack trace below:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline] RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910 ... Call Trace: btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198 btf_check_all_types kernel/bpf/btf.c:4239 [inline] btf_parse_type_sec kernel/bpf/btf.c:4280 [inline] btf_parse kernel/bpf/btf.c:4513 [inline] btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047 bpf_btf_load kernel/bpf/syscall.c:4039 [inline] __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679 __do_sys_bpf kernel/bpf/syscall.c:4738 [inline] __se_sys_bpf kernel/bpf/syscall.c:4736 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
The kasan error is triggered with an illegal BTF like below: type 0: void type 1: int type 2: decl_tag to func type 3 type 3: func to func_proto type 8 The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range.
Currently, the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own 'resolve' callback functions and hence handled properly in kernel. But func type doesn't have 'resolve' callback function. When btf_decl_tag_resolve() tries to check func type, it tries to get vlen of its func_proto type, which triggered the above kasan error.
To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to accessing func_proto type. In the current implementation, func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement 'resolve' callback func type properly. The 'resolve' callback will be also called in btf_check_all_types() for func types.
{
"affected": [],
"aliases": [
"CVE-2022-49228"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:59Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a btf decl_tag bug when tagging a function\n\nsyzbot reported a btf decl_tag bug with stack trace below:\n\n general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]\n RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910\n ...\n Call Trace:\n \u003cTASK\u003e\n btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198\n btf_check_all_types kernel/bpf/btf.c:4239 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]\n btf_parse kernel/bpf/btf.c:4513 [inline]\n btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047\n bpf_btf_load kernel/bpf/syscall.c:4039 [inline]\n __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679\n __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe kasan error is triggered with an illegal BTF like below:\n type 0: void\n type 1: int\n type 2: decl_tag to func type 3\n type 3: func to func_proto type 8\nThe total number of types is 4 and the type 3 is illegal\nsince its func_proto type is out of range.\n\nCurrently, the target type of decl_tag can be struct/union, var or func.\nBoth struct/union and var implemented their own \u0027resolve\u0027 callback functions\nand hence handled properly in kernel.\nBut func type doesn\u0027t have \u0027resolve\u0027 callback function. When\nbtf_decl_tag_resolve() tries to check func type, it tries to get\nvlen of its func_proto type, which triggered the above kasan error.\n\nTo fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()\nbefore trying to accessing func_proto type.\nIn the current implementation, func type is checked with\nbtf_func_check() in the main checking function btf_check_all_types().\nTo fix the above kasan issue, let us implement \u0027resolve\u0027 callback\nfunc type properly. The \u0027resolve\u0027 callback will be also called\nin btf_check_all_types() for func types.",
"id": "GHSA-xx7j-2fqw-vv47",
"modified": "2025-09-22T21:30:15Z",
"published": "2025-09-22T21:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49228"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a3bcd2110c087bc62e90fddd4a93237b049d6e68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7e7b42f4f956f2c68ad8cda87d750093dbba737"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX7M-69FF-9CRP
Vulnerability from github – Published: 2026-02-12 22:11 – Updated: 2026-02-12 22:11In SurrealDB instances with the scripting capability enabled (--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.
The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.
Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (--allow-guests), is enabled, then guests can perform this attack.
Impact
Any user able to execute queries on a SurrealDB instance with scripting enabled (--allow-scripting) can cause complete denial of service. The server process terminates immediately without graceful shutdown.
The underlying cause of the vulnerability is a null pointer dereference in the QuickJS-NG v0.8 JavaScript engine, this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data.
Patches
Versions prior to SurrealDB v2.6.1 and v3.0.0-beta.3 are vulnerable.
The patches for SurrealDB v2.6.1 and v3.0.0-beta.3 update the rquickjs dependency from v0.9.0 to v0.11.0, which in turn uses an updated version of QuickJS-NG.
Workarounds
Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.
Administrators can also use --deny-arbitrary-query to deny arbitrary querying by either guest, record or system users, or a combination of those, with impacts to functionality for those users.
Links
SurrealDB Documentation - Capabilities SurrealDB Documentation - Guest Access SurrealQL Documentation - Scripting Functions quickjs-ng v0.9 Release Notes https://github.com/surrealdb/surrealdb/pull/6833 https://github.com/surrealdb/surrealdb/pull/6774
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha.8"
},
{
"fixed": "3.0.0-beta.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-12T22:11:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In SurrealDB instances with the scripting capability enabled (`--allow-scripting`), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.\n\nThe query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.\n\nWhilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (`--allow-guests`), is enabled, then guests can perform this attack.\n\n### Impact\n\nAny user able to execute queries on a SurrealDB instance with scripting enabled (`--allow-scripting`) can cause complete denial of service. The server process terminates immediately without graceful shutdown.\n\nThe underlying cause of the vulnerability is a null pointer dereference in the `QuickJS-NG` v0.8 JavaScript engine, this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data. \n\n### Patches\n\nVersions prior to SurrealDB `v2.6.1` and `v3.0.0-beta.3` are vulnerable.\n\nThe patches for SurrealDB `v2.6.1` and `v3.0.0-beta.3` update the `rquickjs` dependency from `v0.9.0` to `v0.11.0`, which in turn uses an updated version of `QuickJS-NG`.\n\n### Workarounds\nDeny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default.\n\nAdministrators can also use `--deny-arbitrary-query` to deny arbitrary querying by either `guest`, `record` or `system` users, or a combination of those, with impacts to functionality for those users. \n\n### Links ###\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n[SurrealDB Documentation - Guest Access](https://surrealdb.com/docs/surrealdb/security/capabilities#guest-access)\n[SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)\n[quickjs-ng v0.9 Release Notes](https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0)\nhttps://github.com/surrealdb/surrealdb/pull/6833\nhttps://github.com/surrealdb/surrealdb/pull/6774",
"id": "GHSA-xx7m-69ff-9crp",
"modified": "2026-02-12T22:11:48Z",
"published": "2026-02-12T22:11:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-xx7m-69ff-9crp"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/6774"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/6833"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/2b0389b92398d9ecff4632cd51bbf8303832a988"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/bcd2ece9ef0d721215f06a47280698669f332285"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SurrealDB vulnerable to Denial of Service through scripting function memory edge case"
}
GHSA-XX8Q-M9QM-7FM9
Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2025-12-01 18:30NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3.
{
"affected": [],
"aliases": [
"CVE-2025-7007"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-01T17:15:50Z",
"severity": "HIGH"
},
"details": "NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3.",
"id": "GHSA-xx8q-m9qm-7fm9",
"modified": "2025-12-01T18:30:38Z",
"published": "2025-12-01T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7007"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XXCJ-RHQG-M46G
Vulnerability from github – Published: 2022-11-21 20:42 – Updated: 2025-01-15 16:58Impact
If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extract_volume_patches by passing in quantized tensors as input ksizes.
import numpy as np
import tensorflow as tf
a_input = np.array([1, -1], dtype= np.int32)
a_ksizes = a_strides = tf.constant(dtype=tf.dtypes.qint16, value=[[1, 4], [5, 2]])
tf.compat.v1.extract_volume_patches(input=a_input,ksizes=a_ksizes,strides=a_strides,padding='VALID')
Patches
We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce.
The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Pattarakrit Rattankul.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41889"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T20:42:00Z",
"nvd_published_at": "2022-11-18T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in [`tf.compat.v1.extract_volume_patches`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc) by passing in quantized tensors as input `ksizes`.\n```python\nimport numpy as np\nimport tensorflow as tf\n\na_input = np.array([1, -1], dtype= np.int32)\na_ksizes = a_strides = tf.constant(dtype=tf.dtypes.qint16, value=[[1, 4], [5, 2]])\n\n\ntf.compat.v1.extract_volume_patches(input=a_input,ksizes=a_ksizes,strides=a_strides,padding=\u0027VALID\u0027)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [e9e95553e5411834d215e6770c81a83a3d0866ce](https://github.com/tensorflow/tensorflow/commit/e9e95553e5411834d215e6770c81a83a3d0866ce).\n\nThe fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Pattarakrit Rattankul.\n",
"id": "GHSA-xxcj-rhqg-m46g",
"modified": "2025-01-15T16:58:58Z",
"published": "2022-11-21T20:42:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xxcj-rhqg-m46g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41889"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/e9e95553e5411834d215e6770c81a83a3d0866ce"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Segfault via invalid attributes in `pywrap_tfe_src.cc`"
}
GHSA-XXF4-CQMV-X4MH
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2021-12-28 00:01A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.
{
"affected": [],
"aliases": [
"CVE-2021-44921"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T21:15:00Z",
"severity": "MODERATE"
},
"details": "A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.",
"id": "GHSA-xxf4-cqmv-x4mh",
"modified": "2021-12-28T00:01:06Z",
"published": "2021-12-22T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44921"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1964"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XXF6-HQ9Q-9R8Q
Vulnerability from github – Published: 2022-02-23 00:00 – Updated: 2022-03-17 00:05NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.
{
"affected": [],
"aliases": [
"CVE-2022-0712"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-22T18:15:00Z",
"severity": "HIGH"
},
"details": "NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.",
"id": "GHSA-xxf6-hq9q-9r8q",
"modified": "2022-03-17T00:05:22Z",
"published": "2022-02-23T00:00:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0712"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/commit/515e592b9bea0612bc63d8e93239ff35bcf645c7"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1e572820-e502-49d1-af0e-81833e2eb466"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZTIMAS53YT66FUS4QHQAFRJOBMUFG6D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.