Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-C754-VQMV-W93F

Vulnerability from github – Published: 2025-07-09 12:31 – Updated: 2025-12-18 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bcache: fix NULL pointer in cache_set_flush()

  1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc().
  2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set().
  3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.

1794 struct cache_set bch_cache_set_alloc(struct cache_sb sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void ), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 }

(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do not give the value to c->cache[], it means that c->cache[] is NULL.

LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624)

1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 }

(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-09T11:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix NULL pointer in cache_set_flush()\n\n1. LINE#1794 - LINE#1887 is some codes about function of\n   bch_cache_set_alloc().\n2. LINE#2078 - LINE#2142 is some codes about function of\n   register_cache_set().\n3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.\n\n 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)\n 1795 {\n ...\n 1860         if (!(c-\u003edevices = kcalloc(c-\u003enr_uuids, sizeof(void *), GFP_KERNEL)) ||\n 1861             mempool_init_slab_pool(\u0026c-\u003esearch, 32, bch_search_cache) ||\n 1862             mempool_init_kmalloc_pool(\u0026c-\u003ebio_meta, 2,\n 1863                                 sizeof(struct bbio) + sizeof(struct bio_vec) *\n 1864                                 bucket_pages(c)) ||\n 1865             mempool_init_kmalloc_pool(\u0026c-\u003efill_iter, 1, iter_size) ||\n 1866             bioset_init(\u0026c-\u003ebio_split, 4, offsetof(struct bbio, bio),\n 1867                         BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||\n 1868             !(c-\u003euuids = alloc_bucket_pages(GFP_KERNEL, c)) ||\n 1869             !(c-\u003emoving_gc_wq = alloc_workqueue(\"bcache_gc\",\n 1870                                                 WQ_MEM_RECLAIM, 0)) ||\n 1871             bch_journal_alloc(c) ||\n 1872             bch_btree_cache_alloc(c) ||\n 1873             bch_open_buckets_alloc(c) ||\n 1874             bch_bset_sort_state_init(\u0026c-\u003esort, ilog2(c-\u003ebtree_pages)))\n 1875                 goto err;\n                      ^^^^^^^^\n 1876\n ...\n 1883         return c;\n 1884 err:\n 1885         bch_cache_set_unregister(c);\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^\n 1886         return NULL;\n 1887 }\n ...\n 2078 static const char *register_cache_set(struct cache *ca)\n 2079 {\n ...\n 2098         c = bch_cache_set_alloc(\u0026ca-\u003esb);\n 2099         if (!c)\n 2100                 return err;\n                      ^^^^^^^^^^\n ...\n 2128         ca-\u003eset = c;\n 2129         ca-\u003eset-\u003ecache[ca-\u003esb.nr_this_dev] = ca;\n              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n ...\n 2138         return NULL;\n 2139 err:\n 2140         bch_cache_set_unregister(c);\n 2141         return err;\n 2142 }\n\n(1) If LINE#1860 - LINE#1874 is true, then do \u0027goto err\u0027(LINE#1875) and\n    call bch_cache_set_unregister()(LINE#1885).\n(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.\n(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the\n    value to c-\u003ecache[], it means that c-\u003ecache[] is NULL.\n\nLINE#1624 - LINE#1665 is some codes about function of cache_set_flush().\nAs (1), in LINE#1885 call\nbch_cache_set_unregister()\n---\u003e bch_cache_set_stop()\n     ---\u003e closure_queue()\n          -.-\u003e cache_set_flush() (as below LINE#1624)\n\n 1624 static void cache_set_flush(struct closure *cl)\n 1625 {\n ...\n 1654         for_each_cache(ca, c, i)\n 1655                 if (ca-\u003ealloc_thread)\n                          ^^\n 1656                         kthread_stop(ca-\u003ealloc_thread);\n ...\n 1665 }\n\n(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the\n    kernel crash occurred as below:\n[  846.712887] bcache: register_cache() error drbd6: cannot allocate memory\n[  846.713242] bcache: register_bcache() error : failed to register device\n[  846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered\n[  846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8\n[  846.714790] PGD 0 P4D 0\n[  846.715129] Oops: 0000 [#1] SMP PTI\n[  846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G           OE    --------- -  - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1\n[  846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018\n[  846.716451] Workqueue: events cache_set_flush [bcache]\n[  846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]\n[  846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 \u003c48\u003e 8b b8 f8 09 00 0\n---truncated---",
  "id": "GHSA-c754-vqmv-w93f",
  "modified": "2025-12-18T18:30:28Z",
  "published": "2025-07-09T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38263"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e46ed947ec658f89f1a910d880cd05e42d3763e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f25f2d3fa29325320c19a30abf787e0bd5fc91b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f9e128186c99a117e304f1dce6d0b9e50c63cd8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/553f560e0a74a7008ad9dba05c3fd05da296befb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/667c3f52373ff5354cb3543e27237eb7df7b2333"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4f5e7e417034b05f5d2f5fa9a872db897da69bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d54681938b777488e5dfb781b566d16adad991de"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C76M-XVX5-75QC

Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2022-07-08 00:00
VLAI
Details

In Bento4 1.6.0-638, there is a null pointer reference in the function AP4_DescriptorListInspector::Action function in Ap4Descriptor.h:124 , as demonstrated by GPAC. This can cause a denial of service (DOS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-28T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Bento4 1.6.0-638, there is a null pointer reference in the function AP4_DescriptorListInspector::Action function in Ap4Descriptor.h:124 , as demonstrated by GPAC. This can cause a denial of service (DOS).",
  "id": "GHSA-c76m-xvx5-75qc",
  "modified": "2022-07-08T00:00:44Z",
  "published": "2022-06-29T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/643"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C77M-CX29-7M84

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-06-27 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()

check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check the alloc_workqueue return value in radeon_crtc_init()\n\ncheck the alloc_workqueue return value in radeon_crtc_init()\nto avoid null-ptr-deref.",
  "id": "GHSA-c77m-cx29-7m84",
  "modified": "2024-06-27T15:30:38Z",
  "published": "2024-02-26T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52470"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b813a6a0087451cb702b6eb841f10856f49d088"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14bbfaa5df273b26cde6707f6e655585700e6fe1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21b1645660717d6126dd4866c850fcc5c4703a41"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57ca7984806d79b38af528de88fd803babf27feb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d12c5d75f7c78b83a738025947651ec5c95b4d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a2464fac80d42f6f8819fed97a553e9c2f43310"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4ff55408187f2595066967047363ca84e76db85"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb2d8bc9b5e55848b8a7c3c028e2ee8d49f28f97"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C783-64QQ-77VX

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-17 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference

There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start():

  1. nvmet_bio_done() is called when a bio completes
  2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
  3. The queue_response callback can re-queue and re-submit the same request
  4. The re-submission reuses the same inline_bio from nvmet_req
  5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
  6. The re-submitted bio enters submit_bio_noacct_nocheck()
  7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:

BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 Call Trace: submit_bio_noacct_nocheck+0x44/0x250 nvmet_bdev_execute_rw+0x254/0x370 [nvmet] process_one_work+0x193/0x3c0 worker_thread+0x281/0x3a0

Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T16:15:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference\n\nThere is a race condition in nvmet_bio_done() that can cause a NULL\npointer dereference in blk_cgroup_bio_start():\n\n1. nvmet_bio_done() is called when a bio completes\n2. nvmet_req_complete() is called, which invokes req-\u003eops-\u003equeue_response(req)\n3. The queue_response callback can re-queue and re-submit the same request\n4. The re-submission reuses the same inline_bio from nvmet_req\n5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete)\n   invokes bio_uninit() for inline_bio, which sets bio-\u003ebi_blkg to NULL\n6. The re-submitted bio enters submit_bio_noacct_nocheck()\n7. blk_cgroup_bio_start() dereferences bio-\u003ebi_blkg, causing a crash:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000028\n  #PF: supervisor read access in kernel mode\n  RIP: 0010:blk_cgroup_bio_start+0x10/0xd0\n  Call Trace:\n   submit_bio_noacct_nocheck+0x44/0x250\n   nvmet_bdev_execute_rw+0x254/0x370 [nvmet]\n   process_one_work+0x193/0x3c0\n   worker_thread+0x281/0x3a0\n\nFix this by reordering nvmet_bio_done() to call nvmet_req_bio_put()\nBEFORE nvmet_req_complete(). This ensures the bio is cleaned up before\nthe request can be re-submitted, preventing the race condition.",
  "id": "GHSA-c783-64qq-77vx",
  "modified": "2026-03-17T21:31:41Z",
  "published": "2026-02-14T18:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23148"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C785-QF3F-59WW

Vulnerability from github – Published: 2025-04-22 15:30 – Updated: 2025-04-22 21:30
VLAI
Details

In Rollback Rx Professional 12.8.0.0, the driver file shieldm.sys allows local users to cause a denial of service because of a null pointer dereference from IOCtl 0x96202000.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-22T15:16:12Z",
    "severity": "HIGH"
  },
  "details": "In Rollback Rx Professional 12.8.0.0, the driver file shieldm.sys allows local users to cause a denial of service because of a null pointer dereference from IOCtl 0x96202000.",
  "id": "GHSA-c785-qf3f-59ww",
  "modified": "2025-04-22T21:30:43Z",
  "published": "2025-04-22T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29547"
    },
    {
      "type": "WEB",
      "url": "https://horizondatasys.com/rollback-rx-time-machine/rollback-rx-professional"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/190491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C794-5G44-8V2H

Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2025-04-20 03:46
VLAI
Details

ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in PDFDelegateMessage in coders/pdf.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-05T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in PDFDelegateMessage in coders/pdf.c.",
  "id": "GHSA-c794-5g44-8v2h",
  "modified": "2025-04-20T03:46:20Z",
  "published": "2022-05-13T01:17:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/724"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7CC-4R75-QHXM

Vulnerability from github – Published: 2025-10-27 03:30 – Updated: 2025-11-05 00:31
VLAI
Details

A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T03:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-c7cc-4r75-qhxm",
  "modified": "2025-11-05T00:31:30Z",
  "published": "2025-10-27T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12207"
    },
    {
      "type": "WEB",
      "url": "https://shimo.im/docs/vVqRMVMlrycMO63y"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.329877"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.329877"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.673241"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/10/27/8"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/11/02/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/27/12"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/27/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C7F7-QVVR-9MC8

Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2022-05-14 01:33
VLAI
Details

An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereference occurs in AP4_Track::GetSampleIndexForTimeStampMs() located in Core/Ap4Track.cpp. It can triggered by sending a crafted file to the mp4audioclip binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-17T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereference occurs in AP4_Track::GetSampleIndexForTimeStampMs() located in Core/Ap4Track.cpp. It can triggered by sending a crafted file to the mp4audioclip binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.",
  "id": "GHSA-c7f7-qvvr-9mc8",
  "modified": "2022-05-14T01:33:34Z",
  "published": "2022-05-14T01:33:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8380"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/366"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-function-ap4_trackgetsampleindexfortimestampms-bento4-1-5-1-628"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7J2-W3HR-P277

Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2022-04-28 00:00
VLAI
Details

An issue was discovered in in bwm-ng v0.6.2. An arbitrary null write exists in get_cmdln_options() function in src/options.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-18T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in in bwm-ng v0.6.2. An arbitrary null write exists in get_cmdln_options() function in src/options.c.",
  "id": "GHSA-c7j2-w3hr-p277",
  "modified": "2022-04-28T00:00:54Z",
  "published": "2022-04-19T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vgropp/bwm-ng/issues/26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vgropp/bwm-ng/commit/9774f23bf78a6e6d3ae4cfe3d73bad34f2fdcd17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7J4-9PJM-J3R2

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/tunnel: wait until all sk_user_data reader finish before releasing the sock

There is a race condition in vxlan that when deleting a vxlan device during receiving packets, there is a possibility that the sock is released after getting vxlan_sock vs from sk_user_data. Then in later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got NULL pointer dereference. e.g.

#0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757 #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48 #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542 #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62 [exception RIP: vxlan_ecn_decapsulate+0x3b] RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246 RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000 RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700 RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700 R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan] #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507 #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45 #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807 #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951 #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139 #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3 #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3

Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh

Fix this by waiting for all sk_user_data reader to finish before releasing the sock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tunnel: wait until all sk_user_data reader finish before releasing the sock\n\nThere is a race condition in vxlan that when deleting a vxlan device\nduring receiving packets, there is a possibility that the sock is\nreleased after getting vxlan_sock vs from sk_user_data. Then in\nlater vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got\nNULL pointer dereference. e.g.\n\n   #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757\n   #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d\n   #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48\n   #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b\n   #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb\n   #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542\n   #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62\n      [exception RIP: vxlan_ecn_decapsulate+0x3b]\n      RIP: ffffffffc1014e7b  RSP: ffffa25ec6978cb0  RFLAGS: 00010246\n      RAX: 0000000000000008  RBX: ffff8aa000888000  RCX: 0000000000000000\n      RDX: 000000000000000e  RSI: ffff8a9fc7ab803e  RDI: ffff8a9fd1168700\n      RBP: ffff8a9fc7ab803e   R8: 0000000000700000   R9: 00000000000010ae\n      R10: ffff8a9fcb748980  R11: 0000000000000000  R12: ffff8a9fd1168700\n      R13: ffff8aa000888000  R14: 00000000002a0000  R15: 00000000000010ae\n      ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n   #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]\n   #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507\n   #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45\n  #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807\n  #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951\n  #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde\n  #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b\n  #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139\n  #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a\n  #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3\n  #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca\n  #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3\n\nReproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh\n\nFix this by waiting for all sk_user_data reader to finish before\nreleasing the sock.",
  "id": "GHSA-c7j4-9pjm-j3r2",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50405"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/303000c793f705d07b551eb7c1c27001c5b33c8d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cf7203ca620682165706f70a1b12b5194607dce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/588d0b8462f5ffed3e677e65639825b2678117ab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84e566d157cc22ad2da8bdd970495855fbf13d92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91f09a776ae335ca836ed864b8f2a9461882a280"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a6544343bba7da929d6d4a2dc44ec0f15970081"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b38aa7465411795e9e744b8d94633910497fec2a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be34e79e0ae6adbf6e7e75ddaee9ad84795ab933"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8316584b0a6c61c9c407631040c22712b26e38c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.