CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-9X57-PVWJ-P59F
Vulnerability from github – Published: 2026-05-19 06:30 – Updated: 2026-05-19 06:30NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions.
This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9.
{
"affected": [],
"aliases": [
"CVE-2026-47307"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T04:16:31Z",
"severity": "MODERATE"
},
"details": "NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions.\n\nThis issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9.",
"id": "GHSA-9x57-pvwj-p59f",
"modified": "2026-05-19T06:30:29Z",
"published": "2026-05-19T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47307"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/walrus/pull/409"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9X5R-XHJR-W765
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An authenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-39852"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-29T16:15:00Z",
"severity": "MODERATE"
},
"details": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An authenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-9x5r-xhjr-w765",
"modified": "2022-05-24T19:16:05Z",
"published": "2022-05-24T19:16:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39852"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9X8H-Q8GJ-PR53
Vulnerability from github – Published: 2025-07-07 03:30 – Updated: 2025-07-07 03:30Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.
{
"affected": [],
"aliases": [
"CVE-2025-53183"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T03:15:29Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference vulnerability in the PDF preview module\nImpact: Successful exploitation of this vulnerability may affect function stability.",
"id": "GHSA-9x8h-q8gj-pr53",
"modified": "2025-07-07T03:30:23Z",
"published": "2025-07-07T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53183"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9X94-VH8X-VRHP
Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req().
Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used.
v2: Fix kfreeing the request if getting an mst_primary reference fails.
{
"affected": [],
"aliases": [
"CVE-2024-57798"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T13:15:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()\n\nWhile receiving an MST up request message from one thread in\ndrm_dp_mst_handle_up_req(), the MST topology could be removed from\nanother thread via drm_dp_mst_topology_mgr_set_mst(false), freeing\nmst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.\nThis could lead to a NULL deref/use-after-free of mst_primary in\ndrm_dp_mst_handle_up_req().\n\nAvoid the above by holding a reference for mst_primary in\ndrm_dp_mst_handle_up_req() while it\u0027s used.\n\nv2: Fix kfreeing the request if getting an mst_primary reference fails.",
"id": "GHSA-9x94-vh8x-vrhp",
"modified": "2025-11-03T21:32:07Z",
"published": "2025-01-11T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57798"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9735d40f5fde9970aa46e828ecc85c32571d58a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce55818b2d3a999f886af91679589e4644ff1dc8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e54b00086f7473dbda1a7d6fc47720ced157c6a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f61b2e5e7821f868d6afc22382a66a30ee780ba0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9XH4-23Q4-V6WR
Vulnerability from github – Published: 2021-05-21 14:26 – Updated: 2024-11-13 15:59Impact
The implementation of tf.raw_ops.FusedBatchNorm is vulnerable to a heap buffer overflow:
import tensorflow as tf
x = tf.zeros([10, 10, 10, 6], dtype=tf.float32)
scale = tf.constant([0.0], shape=[1], dtype=tf.float32)
offset = tf.constant([0.0], shape=[1], dtype=tf.float32)
mean = tf.constant([0.0], shape=[1], dtype=tf.float32)
variance = tf.constant([0.0], shape=[1], dtype=tf.float32)
epsilon = 0.0
exponential_avg_factor = 0.0
data_format = "NHWC"
is_training = False
tf.raw_ops.FusedBatchNorm(
x=x, scale=scale, offset=offset, mean=mean, variance=variance,
epsilon=epsilon, exponential_avg_factor=exponential_avg_factor,
data_format=data_format, is_training=is_training)
If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers:
import tensorflow as tf
import numpy as np
x = tf.zeros([10, 10, 10, 1], dtype=tf.float32)
scale = tf.constant([], shape=[0], dtype=tf.float32)
offset = tf.constant([], shape=[0], dtype=tf.float32)
mean = tf.constant([], shape=[0], dtype=tf.float32)
variance = tf.constant([], shape=[0], dtype=tf.float32)
epsilon = 0.0
exponential_avg_factor = 0.0
data_format = "NHWC"
is_training = False
tf.raw_ops.FusedBatchNorm(
x=x, scale=scale, offset=offset, mean=mean, variance=variance,
epsilon=epsilon, exponential_avg_factor=exponential_avg_factor,
data_format=data_format, is_training=is_training)
The implementation fails to validate that scale, offset, mean and variance (the last two only when required) all have the same number of elements as the number of channels of x. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary.
If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior.
Patches
We have patched the issue in GitHub commit 6972f9dfe325636b3db4e0bc517ee22a159365c0.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29583"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-476",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T17:28:58Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nThe implementation of `tf.raw_ops.FusedBatchNorm` is vulnerable to a heap buffer overflow:\n \n```python\nimport tensorflow as tf\n\nx = tf.zeros([10, 10, 10, 6], dtype=tf.float32)\nscale = tf.constant([0.0], shape=[1], dtype=tf.float32)\noffset = tf.constant([0.0], shape=[1], dtype=tf.float32)\nmean = tf.constant([0.0], shape=[1], dtype=tf.float32)\nvariance = tf.constant([0.0], shape=[1], dtype=tf.float32)\nepsilon = 0.0\nexponential_avg_factor = 0.0\ndata_format = \"NHWC\"\nis_training = False\n \ntf.raw_ops.FusedBatchNorm(\n x=x, scale=scale, offset=offset, mean=mean, variance=variance,\n epsilon=epsilon, exponential_avg_factor=exponential_avg_factor,\n data_format=data_format, is_training=is_training)\n```\n \nIf the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers:\n\n```python \nimport tensorflow as tf\nimport numpy as np\n\nx = tf.zeros([10, 10, 10, 1], dtype=tf.float32)\nscale = tf.constant([], shape=[0], dtype=tf.float32)\noffset = tf.constant([], shape=[0], dtype=tf.float32)\nmean = tf.constant([], shape=[0], dtype=tf.float32)\nvariance = tf.constant([], shape=[0], dtype=tf.float32)\nepsilon = 0.0\nexponential_avg_factor = 0.0\ndata_format = \"NHWC\"\nis_training = False\n\ntf.raw_ops.FusedBatchNorm(\n x=x, scale=scale, offset=offset, mean=mean, variance=variance, \n epsilon=epsilon, exponential_avg_factor=exponential_avg_factor,\n data_format=data_format, is_training=is_training)\n``` \n\nThe [implementation](https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f19adcce848dfc1bf89fdd4c7/tensorflow/core/kernels/fused_batch_norm_op.cc) fails to validate that `scale`, `offset`, `mean` and `variance` (the last two only when required) all have the same number of elements as the number of channels of `x`. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary.\n\nIf the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior.\n\n### Patches\nWe have patched the issue in GitHub commit [6972f9dfe325636b3db4e0bc517ee22a159365c0](https://github.com/tensorflow/tensorflow/commit/6972f9dfe325636b3db4e0bc517ee22a159365c0).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
"id": "GHSA-9xh4-23q4-v6wr",
"modified": "2024-11-13T15:59:06Z",
"published": "2021-05-21T14:26:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9xh4-23q4-v6wr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29583"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/6972f9dfe325636b3db4e0bc517ee22a159365c0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-511.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-709.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-220.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Heap buffer overflow and undefined behavior in `FusedBatchNorm`"
}
GHSA-9XJ3-PXMC-GV6M
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-06-26 21:32In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
{
"affected": [],
"aliases": [
"CVE-2026-45834"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T17:16:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
"id": "GHSA-9xj3-pxmc-gv6m",
"modified": "2026-06-26T21:32:04Z",
"published": "2026-05-26T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c17c8832562b2aac288e89cefd0f46074f54bcb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1810e42ff6716f320c7269d5850eca48b07b7427"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b1c0da227bf63479bac9982fc8d12df9aaea0fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ff1a41a912de8517b4482e946dd951b7d80edbf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5105f3e6b2df619c635b5f6a49fac131a36c7952"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85426e97dc72f2088ba6d27e74cd58c3fbd43e31"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2dcf1a61d056aef15b63c6eae9441344d624389"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c88c185ae0a1067823661b220aeea613df2c127b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9XJ7-MRGQ-4CCQ
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-11-07 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'
In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.
{
"affected": [],
"aliases": [
"CVE-2024-26661"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for \u0027timing generator\u0027 in \u0027dcn21_set_pipe()\u0027\n\nIn \"u32 otg_inst = pipe_ctx-\u003estream_res.tg-\u003einst;\"\npipe_ctx-\u003estream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.",
"id": "GHSA-9xj7-mrgq-4ccq",
"modified": "2024-11-07T21:31:37Z",
"published": "2024-04-02T09:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9XQW-2922-VH7M
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
tee: fix NULL pointer dereference in tee_shm_put
tee_shm_put have NULL pointer dereference:
__optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash
Add check in tee_shm_put to fix it.
panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15
{
"affected": [],
"aliases": [
"CVE-2025-39865"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T16:15:45Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: fix NULL pointer dereference in tee_shm_put\n\ntee_shm_put have NULL pointer dereference:\n\n__optee_disable_shm_cache --\u003e\n\tshm = reg_pair_to_ptr(...);//shm maybe return NULL\n tee_shm_free(shm); --\u003e\n\t\ttee_shm_put(shm);//crash\n\nAdd check in tee_shm_put to fix it.\n\npanic log:\nUnable to handle kernel paging request at virtual address 0000000000100cca\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000\n[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] SMP\nCPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----\n6.6.0-39-generic #38\nSource Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07\nHardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0\n10/26/2022\npstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : tee_shm_put+0x24/0x188\nlr : tee_shm_free+0x14/0x28\nsp : ffff001f98f9faf0\nx29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000\nx26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048\nx23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88\nx20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff\nx17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003\nx14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101\nx11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c\nx8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca\nCall trace:\ntee_shm_put+0x24/0x188\ntee_shm_free+0x14/0x28\n__optee_disable_shm_cache+0xa8/0x108\noptee_shutdown+0x28/0x38\nplatform_shutdown+0x28/0x40\ndevice_shutdown+0x144/0x2b0\nkernel_power_off+0x3c/0x80\nhibernate+0x35c/0x388\nstate_store+0x64/0x80\nkobj_attr_store+0x14/0x28\nsysfs_kf_write+0x48/0x60\nkernfs_fop_write_iter+0x128/0x1c0\nvfs_write+0x270/0x370\nksys_write+0x6c/0x100\n__arm64_sys_write+0x20/0x30\ninvoke_syscall+0x4c/0x120\nel0_svc_common.constprop.0+0x44/0xf0\ndo_el0_svc+0x24/0x38\nel0_svc+0x24/0x88\nel0t_64_sync_handler+0x134/0x150\nel0t_64_sync+0x14c/0x15",
"id": "GHSA-9xqw-2922-vh7m",
"modified": "2026-05-12T15:31:11Z",
"published": "2025-09-22T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39865"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25e315bc8ad363bd1194e49062f183ad4011957e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4377eac565c297fdfccd2f8e9bf94ee84ff6172f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e07a4235bb85d9ef664411e4ff4ac34783c18ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/963fca19fe34c496e04f7dd133b807b76a5434ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/add1ecc8f3ad8df22e3599c5c88d7907cc2a3079"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4a718a3a47e89805c3be9d46a84de1949a98d5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f266188603c34e6e234fb0dfc3185f0ba98d71b7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9XXW-H585-3VFJ
Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-29 20:06A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
{
"affected": [],
"aliases": [
"CVE-2021-4217"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-24T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.",
"id": "GHSA-9xxw-h585-3vfj",
"modified": "2022-08-29T20:06:54Z",
"published": "2022-08-25T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-4217"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044583"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C279-989M-238F
Vulnerability from github – Published: 2026-03-29 15:25 – Updated: 2026-03-29 15:25Summary
A nil pointer dereference in tunnelCloseHandler causes the handler goroutine to panic whenever a reverse tunnel (rportfwd) close is attempted. Both the legitimate close path AND the unauthorized close path dereference tunnel.SessionID where tunnel is guaranteed nil. This means rportfwd tunnels can never be cleanly closed, and any authenticated implant can trigger repeated goroutine panics.
Details
File: server/handlers/sessions.go lines 172 and 175
The function enters an else block precisely because core.Tunnels.Get(tunnelData.TunnelID) returned nil. Both conditions inside that else block then dereference tunnel.SessionID instead of rtunnel.SessionID:
} else {
rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)
if rtunnel != nil && session.ID == tunnel.SessionID { // LINE 172 — nil deref
rtunnel.Close()
rtunnels.RemoveRTunnel(rtunnel.ID)
} else if rtunnel != nil && session.ID != tunnel.SessionID { // LINE 175 — nil deref
sessionHandlerLog.Warnf("...")
}
}
Note: The identical bug was already fixed in tunnelDataHandler at lines 124/126 (correctly uses rtunnel.SessionID), but the fix was
not applied to tunnelCloseHandler.
PoC
tunnel := GetTunnel(999) // returns nil — no normal tunnel with this ID
// tunnel is nil here
rtunnel := GetRTunnel(999) // returns valid rtunnel owned by session-AAAA
// Both lines below panic with:
// runtime error: invalid memory address or nil pointer dereference
if rtunnel != nil && sessionID == tunnel.SessionID { ... } // line 172
} else if rtunnel != nil && sessionID != tunnel.SessionID { ... } // line 175
Confirmed on master commit 7ac4db3fa with standalone reproducer.
Output:
PANIC on line 172 (legitimate close): runtime error: invalid memory address or nil pointer dereference
PANIC on line 175 (unauthorized close): runtime error: invalid memory address or nil pointer dereference
Impact
- rportfwd tunnels cannot be closed — functional regression
- Any authenticated implant can trigger repeated handler goroutine panics
- rtunnel map entries leak (never cleaned up on close failure)
recoverAndLogPanic()prevents full server crash but silently drops the close operation
Fix
Replace tunnel.SessionID with rtunnel.SessionID on both lines:
- if rtunnel != nil && session.ID == tunnel.SessionID {
+ if rtunnel != nil && session.ID == rtunnel.SessionID {
rtunnel.Close()
rtunnels.RemoveRTunnel(rtunnel.ID)
- } else if rtunnel != nil && session.ID != tunnel.SessionID {
+ } else if rtunnel != nil && session.ID != rtunnel.SessionID {
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/bishopfox/sliver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:25:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA nil pointer dereference in `tunnelCloseHandler` causes the handler goroutine to panic whenever a reverse tunnel (rportfwd) close is attempted. Both the legitimate close path AND the unauthorized close path dereference `tunnel.SessionID` where `tunnel` is guaranteed nil. This means rportfwd tunnels can never be cleanly closed, and any authenticated implant can trigger repeated goroutine panics.\n\n### Details\nFile: `server/handlers/sessions.go` lines 172 and 175\n\nThe function enters an `else` block precisely because `core.Tunnels.Get(tunnelData.TunnelID)` returned `nil`. Both conditions inside that else block then dereference `tunnel.SessionID` instead of `rtunnel.SessionID`:\n```go\n} else {\n rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)\n\n if rtunnel != nil \u0026\u0026 session.ID == tunnel.SessionID { // LINE 172 \u2014 nil deref\n rtunnel.Close()\n rtunnels.RemoveRTunnel(rtunnel.ID)\n } else if rtunnel != nil \u0026\u0026 session.ID != tunnel.SessionID { // LINE 175 \u2014 nil deref\n sessionHandlerLog.Warnf(\"...\")\n }\n}\n```\n\nNote: The identical bug was already fixed in `tunnelDataHandler` at lines 124/126 (correctly uses `rtunnel.SessionID`), but the fix was \nnot applied to `tunnelCloseHandler`.\n\n### PoC\n```go\ntunnel := GetTunnel(999) // returns nil \u2014 no normal tunnel with this ID\n// tunnel is nil here\n\nrtunnel := GetRTunnel(999) // returns valid rtunnel owned by session-AAAA\n\n// Both lines below panic with:\n// runtime error: invalid memory address or nil pointer dereference\nif rtunnel != nil \u0026\u0026 sessionID == tunnel.SessionID { ... } // line 172\n} else if rtunnel != nil \u0026\u0026 sessionID != tunnel.SessionID { ... } // line 175\n```\n\nConfirmed on master commit `7ac4db3fa` with standalone reproducer.\nOutput:\n```\nPANIC on line 172 (legitimate close): runtime error: invalid memory address or nil pointer dereference\nPANIC on line 175 (unauthorized close): runtime error: invalid memory address or nil pointer dereference\n```\n\n\n\n\n\n### Impact\n- rportfwd tunnels **cannot be closed** \u2014 functional regression\n- Any authenticated implant can trigger repeated handler goroutine panics\n- rtunnel map entries leak (never cleaned up on close failure)\n- `recoverAndLogPanic()` prevents full server crash but silently drops the close operation\n\n### Fix\nReplace `tunnel.SessionID` with `rtunnel.SessionID` on both lines:\n```diff\n- if rtunnel != nil \u0026\u0026 session.ID == tunnel.SessionID {\n+ if rtunnel != nil \u0026\u0026 session.ID == rtunnel.SessionID {\n rtunnel.Close()\n rtunnels.RemoveRTunnel(rtunnel.ID)\n- } else if rtunnel != nil \u0026\u0026 session.ID != tunnel.SessionID {\n+ } else if rtunnel != nil \u0026\u0026 session.ID != rtunnel.SessionID {\n```",
"id": "GHSA-c279-989m-238f",
"modified": "2026-03-29T15:25:42Z",
"published": "2026-03-29T15:25:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-c279-989m-238f"
},
{
"type": "PACKAGE",
"url": "https://github.com/BishopFox/sliver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.