CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-989P-25JR-248M
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-11-01 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'
'panel_cntl' structure used to control the display panel could be null, dereferencing it could lead to a null pointer access.
Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)
{
"affected": [],
"aliases": [
"CVE-2024-26662"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix \u0027panel_cntl\u0027 could be null in \u0027dcn21_set_backlight_level()\u0027\n\n\u0027panel_cntl\u0027 structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed \u0027panel_cntl\u0027 could be null (see line 250)",
"id": "GHSA-989p-25jr-248m",
"modified": "2024-11-01T21:31:46Z",
"published": "2024-04-02T09:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98FX-X879-QP6F
Vulnerability from github – Published: 2024-02-07 21:30 – Updated: 2025-11-04 21:31A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-6356"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-07T21:15:08Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel\u0027s NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.",
"id": "GHSA-98fx-x879-qp6f",
"modified": "2025-11-04T21:31:06Z",
"published": "2024-02-07T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0723"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0724"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0725"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0881"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0897"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1248"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-6356"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254054"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFYW6R64GPLUOXSQBJI3JBUX3HGLAYPP"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240415-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98GP-W8MX-VGW9
Vulnerability from github – Published: 2024-03-03 00:30 – Updated: 2025-01-13 21:30In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Set all reserved memblocks on Node#0 at initialization
After commit 61167ad5fecdea ("mm: pass nid to reserve_bootmem_region()") we get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled:
[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18 [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733 [ 0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90 [ 0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0 [ 0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000 [ 0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800 [ 0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20 [ 0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000 [ 0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000 [ 0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 900000000470b740 s8 9000000004ad4000 [ 0.000000] ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c [ 0.000000] ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE) [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 0.000000] ECFG: 00070800 (LIE=11 VS=7) [ 0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0) [ 0.000000] BADV: 0000000000002b82 [ 0.000000] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000) [ 0.000000] Modules linked in: [ 0.000000] Process swapper (pid: 0, threadinfo=(_ptrval), task=(_ptrval)) [ 0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00 [ 0.000000] 900000000470e000 90000000002c1918 0000000000000000 9000000004110780 [ 0.000000] 00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748 [ 0.000000] 0000000000000000 900000000421ca84 9000000004620000 9000000004564970 [ 0.000000] 90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000 [ 0.000000] 9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000 [ 0.000000] 0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918 [ 0.000000] 90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000 [ 0.000000] 90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c [ 0.000000] 9000000004270008 0000000000000001 0000000000000000 90000000045ccd00 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<90000000040e3f28>] reserve_bootmem_region+0xfc/0x21c [ 0.000000] [<900000000421ca84>] memblock_free_all+0x114/0x350 [ 0.000000] [<9000000004218b2c>] mm_core_init+0x138/0x3cc [ 0.000000] [<9000000004200e38>] start_kernel+0x488/0x7a4 [ 0.000000] [<90000000040df0d8>] kernel_entry+0xd8/0xdc [ 0.000000] [ 0.000000] Code: 02eb21ad 00410f4c 380c31ac <262b818d> 6800b70d 02c1c196 0015001c 57fe4bb1 260002cd
The reason is early memblock_reserve() in memblock_init() set node id to MAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain reserve_bootmem_region() -> init_reserved_page(). After memblock_init(), those late calls of memblock_reserve() operate on subregions of memblock .memory regions. As a result, these reserved regions will be set to the correct node at the first iteration of memmap_init_reserved_pages().
So set all reserved memblocks on Node#0 at initialization can avoid this panic.
{
"affected": [],
"aliases": [
"CVE-2023-52506"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-02T22:15:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Set all reserved memblocks on Node#0 at initialization\n\nAfter commit 61167ad5fecdea (\"mm: pass nid to reserve_bootmem_region()\")\nwe get a panic if DEFERRED_STRUCT_PAGE_INIT is enabled:\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000002b82, era == 90000000040e3f28, ra == 90000000040e3f18\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0+ #733\n[ 0.000000] pc 90000000040e3f28 ra 90000000040e3f18 tp 90000000046f4000 sp 90000000046f7c90\n[ 0.000000] a0 0000000000000001 a1 0000000000200000 a2 0000000000000040 a3 90000000046f7ca0\n[ 0.000000] a4 90000000046f7ca4 a5 0000000000000000 a6 90000000046f7c38 a7 0000000000000000\n[ 0.000000] t0 0000000000000002 t1 9000000004b00ac8 t2 90000000040e3f18 t3 90000000040f0800\n[ 0.000000] t4 00000000000f0000 t5 80000000ffffe07e t6 0000000000000003 t7 900000047fff5e20\n[ 0.000000] t8 aaaaaaaaaaaaaaab u0 0000000000000018 s9 0000000000000000 s0 fffffefffe000000\n[ 0.000000] s1 0000000000000000 s2 0000000000000080 s3 0000000000000040 s4 0000000000000000\n[ 0.000000] s5 0000000000000000 s6 fffffefffe000000 s7 900000000470b740 s8 9000000004ad4000\n[ 0.000000] ra: 90000000040e3f18 reserve_bootmem_region+0xec/0x21c\n[ 0.000000] ERA: 90000000040e3f28 reserve_bootmem_region+0xfc/0x21c\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010800 [PIL] (IS=11 ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000000000002b82\n[ 0.000000] PRID: 0014d000 (Loongson-64bit, Loongson-3A6000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 0000000000000000 9000000002eb5430 0000003a00000020 90000000045ccd00\n[ 0.000000] 900000000470e000 90000000002c1918 0000000000000000 9000000004110780\n[ 0.000000] 00000000fe6c0000 0000000480000000 9000000004b4e368 9000000004110748\n[ 0.000000] 0000000000000000 900000000421ca84 9000000004620000 9000000004564970\n[ 0.000000] 90000000046f7d78 9000000002cc9f70 90000000002c1918 900000000470e000\n[ 0.000000] 9000000004564970 90000000040bc0e0 90000000046f7d78 0000000000000000\n[ 0.000000] 0000000000004000 90000000045ccd00 0000000000000000 90000000002c1918\n[ 0.000000] 90000000002c1900 900000000470b700 9000000004b4df78 9000000004620000\n[ 0.000000] 90000000046200a8 90000000046200a8 0000000000000000 9000000004218b2c\n[ 0.000000] 9000000004270008 0000000000000001 0000000000000000 90000000045ccd00\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [\u003c90000000040e3f28\u003e] reserve_bootmem_region+0xfc/0x21c\n[ 0.000000] [\u003c900000000421ca84\u003e] memblock_free_all+0x114/0x350\n[ 0.000000] [\u003c9000000004218b2c\u003e] mm_core_init+0x138/0x3cc\n[ 0.000000] [\u003c9000000004200e38\u003e] start_kernel+0x488/0x7a4\n[ 0.000000] [\u003c90000000040df0d8\u003e] kernel_entry+0xd8/0xdc\n[ 0.000000]\n[ 0.000000] Code: 02eb21ad 00410f4c 380c31ac \u003c262b818d\u003e 6800b70d 02c1c196 0015001c 57fe4bb1 260002cd\n\nThe reason is early memblock_reserve() in memblock_init() set node id to\nMAX_NUMNODES, making NODE_DATA(nid) a NULL dereference in the call chain\nreserve_bootmem_region() -\u003e init_reserved_page(). After memblock_init(),\nthose late calls of memblock_reserve() operate on subregions of memblock\n.memory regions. As a result, these reserved regions will be set to the\ncorrect node at the first iteration of memmap_init_reserved_pages().\n\nSo set all reserved memblocks on Node#0 at initialization can avoid this\npanic.",
"id": "GHSA-98gp-w8mx-vgw9",
"modified": "2025-01-13T21:30:46Z",
"published": "2024-03-03T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52506"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19878758accf6b2788091a771d9f9fee7bab11ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b795fb9f5861ee256070d59e33130980a01fadd7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f105e893a8edd48bdf4bef9fef845a9ff402f737"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98X5-562F-MWVP
Vulnerability from github – Published: 2024-02-23 15:30 – Updated: 2024-04-19 21:31In the Linux kernel, the following vulnerability has been resolved:
media: v4l: async: Fix duplicated list deletion
The list deletion call dropped here is already called from the helper function in the line before. Having a second list_del() call results in either a warning (with CONFIG_DEBUG_LIST=y):
list_del corruption, c46c8198->next is LIST_POISON1 (00000100)
If CONFIG_DEBUG_LIST is disabled the operation results in a kernel error due to NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2023-52459"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-23T15:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l: async: Fix duplicated list deletion\n\nThe list deletion call dropped here is already called from the\nhelper function in the line before. Having a second list_del()\ncall results in either a warning (with CONFIG_DEBUG_LIST=y):\n\nlist_del corruption, c46c8198-\u003enext is LIST_POISON1 (00000100)\n\nIf CONFIG_DEBUG_LIST is disabled the operation results in a\nkernel error due to NULL pointer dereference.",
"id": "GHSA-98x5-562f-mwvp",
"modified": "2024-04-19T21:31:07Z",
"published": "2024-02-23T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52459"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49d82811428469566667f22749610b8c132cdb3e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7062628caeaec90e8f691ebab2d70f31b7b6b91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98X8-X9R6-F88W
Vulnerability from github – Published: 2024-08-07 18:30 – Updated: 2024-08-08 21:32In the Linux kernel, the following vulnerability has been resolved:
tty: serial: ma35d1: Add a NULL check for of_node
The pdev->dev.of_node can be NULL if the "serial" node is absent. Add a NULL check to return an error in such cases.
{
"affected": [],
"aliases": [
"CVE-2024-42248"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T16:15:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: ma35d1: Add a NULL check for of_node\n\nThe pdev-\u003edev.of_node can be NULL if the \"serial\" node is absent.\nAdd a NULL check to return an error in such cases.",
"id": "GHSA-98x8-x9r6-f88w",
"modified": "2024-08-08T21:32:01Z",
"published": "2024-08-07T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42248"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e0e15ab2d3a094a38525d23c03d78ec7d14a40e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23efa74cfe6eb923abb5b9bc51b2a04879013c67"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/acd09ac253b5de8fd79fc61a482ee19154914c7a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-996R-F8XW-6H6P
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:12A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone. The vulnerability is due to insufficient validation of input Session Initiation Protocol (SIP) packets. An attacker could exploit this vulnerability by altering the SIP replies that are sent to the affected phone during the registration process. A successful exploit could allow the attacker to cause the phone to reboot and not complete the registration process.
{
"affected": [],
"aliases": [
"CVE-2019-1922"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-06T02:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone. The vulnerability is due to insufficient validation of input Session Initiation Protocol (SIP) packets. An attacker could exploit this vulnerability by altering the SIP replies that are sent to the affected phone during the registration process. A successful exploit could allow the attacker to cause the phone to reboot and not complete the registration process.",
"id": "GHSA-996r-f8xw-6h6p",
"modified": "2024-04-04T01:12:36Z",
"published": "2022-05-24T16:49:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1922"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-ip-phone-sip-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-998V-VQG2-R4WF
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15An issue was discovered in gravity through 0.8.1. A NULL pointer dereference exists in the function gravity_string_to_value() located in gravity_value.c. It allows an attacker to cause Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2021-32283"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in gravity through 0.8.1. A NULL pointer dereference exists in the function gravity_string_to_value() located in gravity_value.c. It allows an attacker to cause Denial of Service.",
"id": "GHSA-998v-vqg2-r4wf",
"modified": "2022-05-24T19:15:13Z",
"published": "2022-05-24T19:15:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32283"
},
{
"type": "WEB",
"url": "https://github.com/marcobambini/gravity/issues/314"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-99FM-GJ3Q-Q3G4
Vulnerability from github – Published: 2026-06-01 15:30 – Updated: 2026-06-02 00:31A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
{
"affected": [],
"aliases": [
"CVE-2025-60495"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T15:16:28Z",
"severity": "MODERATE"
},
"details": "A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.",
"id": "GHSA-99fm-gj3q-q3g4",
"modified": "2026-06-02T00:31:54Z",
"published": "2026-06-01T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60495"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/3335"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/9beed3c0a2f38505c745e5376234e7ed66e8e0b1"
},
{
"type": "WEB",
"url": "https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/66/README.md"
},
{
"type": "WEB",
"url": "https://infosec.exchange/@sigdevel/116659058320692913"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99H3-VVC6-H7GH
Vulnerability from github – Published: 2024-03-11 18:31 – Updated: 2024-12-12 18:30In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix peer flow lists handling
The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP flag when list of peer flows has become empty. However, if any concurrent user holds a reference to a peer flow (for example, the neighbor update workqueue task is updating peer flow's parent encap entry concurrently), then the flow will not be removed from the peer list and, consecutively, DUP flag will remain set. Since mlx5e_tc_del_fdb_peers_flow() calls mlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm will try to remove the flow from eswitch instances that it has never peered with causing either NULL pointer dereference when trying to remove the flow peer list head of peer_index that was never initialized or a warning if the list debug config is enabled[0].
Fix the issue by always removing the peer flow from the list even when not releasing the last reference to it.
[0]:
[ 3102.985806] ------------[ cut here ]------------ [ 3102.986223] list_del corruption, ffff888139110698->next is NULL [ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0 [ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcg ss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding] [ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3 [ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0 [ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b [ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286 [ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 [ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640 [ 3102.997188] DEL flow 00000000be367878 on port 0 [ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff [ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100 [ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240 [ 3103.000790] FS: 00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000 [ 3103.001486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0 [ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3103.003787] Call Trace: [ 3103.004055] [ 3103.004297] ? __warn+0x7d/0x130 [ 3103.004623] ? __list_del_entry_valid_or_report+0x4f/0xc0 [ 3103.005094] ? report_bug+0xf1/0x1c0 [ 3103.005439] ? console_unlock+0x4a/0xd0 [ 3103.005806] ? handle_bug+0x3f/0x70 [ 3103.006149] ? exc_invalid_op+0x13/0x60 [ 3103.006531] ? asm_exc_invalid_op+0x16/0x20 [ 3103.007430] ? __list_del_entry_valid_or_report+0x4f/0xc0 [ 3103.007910] mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core] [ 3103.008463] mlx5e_tc_del_flow+0x46/0x270 [mlx5_core] [ 3103.008944] mlx5e_flow_put+0x26/0x50 [mlx5_core] [ 3103.009401] mlx5e_delete_flower+0x25f/0x380 [mlx5_core] [ 3103.009901] tc_setup_cb_destroy+0xab/0x180 [ 3103.010292] fl_hw_destroy_filter+0x99/0xc0 [cls_flower] [ 3103.010779] __fl_delete+0x2d4/0x2f0 [cls_flower] [ 3103.0 ---truncated---
{
"affected": [],
"aliases": [
"CVE-2023-52487"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-11T18:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix peer flow lists handling\n\nThe cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP\nflag when list of peer flows has become empty. However, if any concurrent\nuser holds a reference to a peer flow (for example, the neighbor update\nworkqueue task is updating peer flow\u0027s parent encap entry concurrently),\nthen the flow will not be removed from the peer list and, consecutively,\nDUP flag will remain set. Since mlx5e_tc_del_fdb_peers_flow() calls\nmlx5e_tc_del_fdb_peer_flow() for every possible peer index the algorithm\nwill try to remove the flow from eswitch instances that it has never peered\nwith causing either NULL pointer dereference when trying to remove the flow\npeer list head of peer_index that was never initialized or a warning if the\nlist debug config is enabled[0].\n\nFix the issue by always removing the peer flow from the list even when not\nreleasing the last reference to it.\n\n[0]:\n\n[ 3102.985806] ------------[ cut here ]------------\n[ 3102.986223] list_del corruption, ffff888139110698-\u003enext is NULL\n[ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcg\nss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding]\n[ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3\n[ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0\n[ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff \u003c0f\u003e 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b\n[ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286\n[ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\n[ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640\n[ 3102.997188] DEL flow 00000000be367878 on port 0\n[ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff\n[ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100\n[ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240\n[ 3103.000790] FS: 00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000\n[ 3103.001486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0\n[ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 3103.003787] Call Trace:\n[ 3103.004055] \u003cTASK\u003e\n[ 3103.004297] ? __warn+0x7d/0x130\n[ 3103.004623] ? __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3103.005094] ? report_bug+0xf1/0x1c0\n[ 3103.005439] ? console_unlock+0x4a/0xd0\n[ 3103.005806] ? handle_bug+0x3f/0x70\n[ 3103.006149] ? exc_invalid_op+0x13/0x60\n[ 3103.006531] ? asm_exc_invalid_op+0x16/0x20\n[ 3103.007430] ? __list_del_entry_valid_or_report+0x4f/0xc0\n[ 3103.007910] mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core]\n[ 3103.008463] mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n[ 3103.008944] mlx5e_flow_put+0x26/0x50 [mlx5_core]\n[ 3103.009401] mlx5e_delete_flower+0x25f/0x380 [mlx5_core]\n[ 3103.009901] tc_setup_cb_destroy+0xab/0x180\n[ 3103.010292] fl_hw_destroy_filter+0x99/0xc0 [cls_flower]\n[ 3103.010779] __fl_delete+0x2d4/0x2f0 [cls_flower]\n[ 3103.0\n---truncated---",
"id": "GHSA-99h3-vvc6-h7gh",
"modified": "2024-12-12T18:30:50Z",
"published": "2024-03-11T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52487"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74cec142f89bf85c6c99c5db957da9f663f9f16f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d76fdd31f953ac5046555171620f2562715e9b71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e24d6f5a7f2d95a98a46257a5a5a5381d572894f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99J3-P989-HW7J
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-11-10 12:01Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics Drivers before 10.18.14.5074 (aka 15.36.x.5074) may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2019-11111"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics Drivers before 10.18.14.5074 (aka 15.36.x.5074) may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-99j3-p989-hw7j",
"modified": "2022-11-10T12:01:06Z",
"published": "2022-05-24T17:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11111"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200320-0005"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00242.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.