Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-9HF9-8PX4-MGF9

Vulnerability from github – Published: 2026-06-01 21:30 – Updated: 2026-06-02 18:31
VLAI
Details

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-37230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T19:16:33Z",
    "severity": "HIGH"
  },
  "details": "FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value.",
  "id": "GHSA-9hf9-8px4-mgf9",
  "modified": "2026-06-02T18:31:28Z",
  "published": "2026-06-01T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37230"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37230.md"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eurecom.fr/mosaic5g/flexric"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HFM-P748-VM54

Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-11-01 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: remove tcp ulp setsockopt support

TCP_ULP setsockopt cannot be used for mptcp because its already used internally to plumb subflow (tcp) sockets to the mptcp layer.

syzbot managed to trigger a crash for mptcp connections that are in fallback mode:

KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0 RIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline] [..] __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline] tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160 do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391 mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638

Remove support for TCP_ULP setsockopt.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-19T15:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: remove tcp ulp setsockopt support\n\nTCP_ULP setsockopt cannot be used for mptcp because its already\nused internally to plumb subflow (tcp) sockets to the mptcp layer.\n\nsyzbot managed to trigger a crash for mptcp connections that are\nin fallback mode:\n\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nCPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0\nRIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline]\n[..]\n __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]\n tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160\n do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391\n mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638\n\nRemove support for TCP_ULP setsockopt.",
  "id": "GHSA-9hfm-p748-vm54",
  "modified": "2024-11-01T15:31:46Z",
  "published": "2024-06-19T15:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47591"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3de0c86d42f841d1d64f316cd949e65c566f0734"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/404cd9a22150f24acf23a8df2ad0c094ba379f57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HG8-83GP-55G2

Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-08-27 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm: vc4: Fix possible null pointer dereference

In vc4_hdmi_audio_init() of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-19T14:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: vc4: Fix possible null pointer dereference\n\nIn vc4_hdmi_audio_init() of_get_address() may return\nNULL which is later dereferenced. Fix this bug by adding NULL check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
  "id": "GHSA-9hg8-83gp-55g2",
  "modified": "2024-08-27T21:31:12Z",
  "published": "2024-06-19T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38546"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a345fe928c21de6f3c3c7230ff509d715153a31"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d9adecc88ab678785b581ab021f039372c324cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42c22b63056cea259d5313bf138a834840af85a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6cf1874aec42058a5ad621a23b5b2f248def0e96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80431ea3634efb47a3004305d76486db9dd8ed49"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd7827d46d403f8cdb43d16744cb1114e4726b21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c534b63bede6cb987c2946ed4d0b0013a52c5ba7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HQJ-32WW-HGVJ

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-10-01 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name()

devm_kstrdup() can return a NULL pointer on failure,but this returned value in btbcm_get_board_name() is not checked. Add NULL check in btbcm_get_board_name(), to handle kernel NULL pointer dereference error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btbcm: Fix NULL deref in btbcm_get_board_name()\n\ndevm_kstrdup() can return a NULL pointer on failure,but this\nreturned value in btbcm_get_board_name() is not checked.\nAdd NULL check in btbcm_get_board_name(), to handle kernel NULL\npointer dereference error.",
  "id": "GHSA-9hqj-32ww-hgvj",
  "modified": "2025-10-01T21:31:10Z",
  "published": "2025-02-27T03:34:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57988"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/74af8b9d0e79deefd2d43e14b84575839a849169"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b88655bc6593c6a7fdc1248b212d17e581c4334e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df2f2d9199e61819cca5da0121dfa4d4cb57000f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HV4-R5P9-3GF6

Vulnerability from github – Published: 2026-06-26 09:30 – Updated: 2026-06-26 09:30
VLAI
Details

An unauthenticated NULL pointer dereference vulnerability exists in the HTTP request parsing logic of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of required HTTP request metadata before it is used by the affected components. A remote attacker may exploit this vulnerability by sending a specially crafted HTTP request, causing the affected process to crash and resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T08:16:24Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated\nNULL pointer dereference vulnerability exists in the HTTP request parsing logic\nof multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and\nearlier. The vulnerability is caused by improper validation of required HTTP\nrequest metadata before it is used by the affected components. A remote attacker\nmay exploit this vulnerability by sending a specially crafted HTTP request,\ncausing the affected process to crash and resulting in a denial of service.",
  "id": "GHSA-9hv4-r5p9-3gf6",
  "modified": "2026-06-26T09:30:46Z",
  "published": "2026-06-26T09:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57875"
    },
    {
      "type": "WEB",
      "url": "https://www.geovision.com.tw/cyber_security.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HWV-RWQX-F5CV

Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags

In nvme_alloc_admin_tags, the admin_q can be set to an error (typically -ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which is checked immediately after the call. However, when we return the error message up the stack, to nvme_reset_work the error takes us to nvme_remove_dead_ctrl() nvme_dev_disable() nvme_suspend_queue(&dev->queues[0]).

Here, we only check that the admin_q is non-NULL, rather than not an error or NULL, and begin quiescing a queue that never existed, leading to bad / NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags\n\nIn nvme_alloc_admin_tags, the admin_q can be set to an error (typically\n-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which\nis checked immediately after the call. However, when we return the error\nmessage up the stack, to nvme_reset_work the error takes us to\nnvme_remove_dead_ctrl()\n  nvme_dev_disable()\n   nvme_suspend_queue(\u0026dev-\u003equeues[0]).\n\nHere, we only check that the admin_q is non-NULL, rather than not\nan error or NULL, and begin quiescing a queue that never existed, leading\nto bad / NULL pointer dereference.",
  "id": "GHSA-9hwv-rwqx-f5cv",
  "modified": "2025-03-17T18:31:51Z",
  "published": "2025-03-17T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49492"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54a4c1e47d1b2585e74920399455bd9abbfb2bd7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a28556082d1fbcbc599baf1c24252dfc73efefc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8321b17789f614414206af07e17ce4751c95dc76"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8da2b7bdb47e94bbc4062a3978c708926bcb022c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/906c81dba8ee8057523859b5e1a2479e9fd34860"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e649471b396fa0139d53919354ce1eace9b9a24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af98940dd33c9f9e1beb4f71c0a39260100e2a65"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da42761181627e9bdc37d18368b827948a583929"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f76729662650cd7bc8f8194e057af381370349a7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HWW-3H52-PHXP

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

An issue was discovered in Bento4 through v1.6.0-636. A NULL pointer dereference exists in the AP4_DescriptorFinder::Test component located in /Core/Ap4Descriptor.h. It allows an attacker to cause a denial of service (DOS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-05T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Bento4 through v1.6.0-636. A NULL pointer dereference exists in the AP4_DescriptorFinder::Test component located in /Core/Ap4Descriptor.h. It allows an attacker to cause a denial of service (DOS).",
  "id": "GHSA-9hww-3h52-phxp",
  "modified": "2022-05-24T19:10:09Z",
  "published": "2022-05-24T19:10:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/616"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9HXC-CRM7-5F87

Vulnerability from github – Published: 2025-01-19 12:31 – Updated: 2025-01-31 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix tlb invalidation when wedging

If GuC fails to load, the driver wedges, but in the process it tries to do stuff that may not be initialized yet. This moves the xe_gt_tlb_invalidation_init() to be done earlier: as its own doc says, it's a software-only initialization and should had been named with the _early() suffix.

Move it to be called by xe_gt_init_early(), so the locks and seqno are initialized, avoiding a NULL ptr deref when wedging:

xe 0000:03:00.0: [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01
xe 0000:03:00.0: [drm] *ERROR* GT0: firmware signature verification failed
xe 0000:03:00.0: [drm] *ERROR* CRITICAL: Xe has declared device 0000:03:00.0 as wedged.
...
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G     U  W          6.13.0-rc4-xe+ #3
Tainted: [U]=USER, [W]=WARN
Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022
RIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe]

This can be easily triggered by poking the GuC binary to force a signature failure. There will still be an extra message,

xe 0000:03:00.0: [drm] *ERROR* GT0: GuC mmio request 0x4100: no reply 0x4100

but that's better than a NULL ptr deref.

(cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-19T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix tlb invalidation when wedging\n\nIf GuC fails to load, the driver wedges, but in the process it tries to\ndo stuff that may not be initialized yet. This moves the\nxe_gt_tlb_invalidation_init() to be done earlier: as its own doc says,\nit\u0027s a software-only initialization and should had been named with the\n_early() suffix.\n\nMove it to be called by xe_gt_init_early(), so the locks and seqno are\ninitialized, avoiding a NULL ptr deref when wedging:\n\n\txe 0000:03:00.0: [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01\n\txe 0000:03:00.0: [drm] *ERROR* GT0: firmware signature verification failed\n\txe 0000:03:00.0: [drm] *ERROR* CRITICAL: Xe has declared device 0000:03:00.0 as wedged.\n\t...\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t#PF: supervisor read access in kernel mode\n\t#PF: error_code(0x0000) - not-present page\n\tPGD 0 P4D 0\n\tOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n\tCPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G     U  W          6.13.0-rc4-xe+ #3\n\tTainted: [U]=USER, [W]=WARN\n\tHardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022\n\tRIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe]\n\nThis can be easily triggered by poking the GuC binary to force a\nsignature failure. There will still be an extra message,\n\n\txe 0000:03:00.0: [drm] *ERROR* GT0: GuC mmio request 0x4100: no reply 0x4100\n\nbut that\u0027s better than a NULL ptr deref.\n\n(cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6)",
  "id": "GHSA-9hxc-crm7-5f87",
  "modified": "2025-01-31T18:31:05Z",
  "published": "2025-01-19T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21644"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09b94ddc58c6640cbbc7775a61a5387b8be71488"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ab4981552930a9c45682d62424ba610edc3992d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HXX-56X6-JHJ8

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-28T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-9hxx-56x6-jhj8",
  "modified": "2022-05-24T19:03:38Z",
  "published": "2022-05-24T19:03:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35504"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1909766"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-27"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210713-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/04/16/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/04/16/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9J35-6CP9-6X6G

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix potential NULL pointer deref in error path of ice_set_ringparam()

ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence:

ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref)

Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue.

Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix potential NULL pointer deref in error path of ice_set_ringparam()\n\nice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without\nclearing ICE_TX_RING_FLAGS_TXTIME bit.\nWhen ICE_TX_RING_FLAGS_TXTIME is set and the subsequent\nice_setup_tx_ring() call fails, a NULL pointer dereference could happen\nin the unwinding sequence:\n\nice_clean_tx_ring()\n-\u003e ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set)\n-\u003e ice_free_tx_tstamp_ring()\n  -\u003e ice_free_tstamp_ring()\n    -\u003e tstamp_ring-\u003edesc (NULL deref)\n\nClear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue.\n\nNote that this potential issue is found by manual code review.\nCompile test only since unfortunately I don\u0027t have E830 devices.",
  "id": "GHSA-9j35-6cp9-6x6g",
  "modified": "2026-07-14T21:31:28Z",
  "published": "2026-06-24T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53007"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c54e3c270384829336b2526033d44ce1aa6dc67c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa28351f970fa5138c7c5dedfe5dea480a0ee065"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.