CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-FVJC-2G3G-9PM4
Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-10-29 21:30In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers
Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio.
The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier
{
"affected": [],
"aliases": [
"CVE-2025-21870"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T14:15:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers\n\nOther, non DAI copier widgets could have the same stream name (sname) as\nthe ALH copier and in that case the copier-\u003edata is NULL, no alh_data is\nattached, which could lead to NULL pointer dereference.\nWe could check for this NULL pointer in sof_ipc4_prepare_copier_module()\nand avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()\nwill miscalculate the ALH device count, causing broken audio.\n\nThe correct fix is to harden the matching logic by making sure that the\n1. widget is a DAI widget - so dai = w-\u003eprivate is valid\n2. the dai (and thus the copier) is ALH copier",
"id": "GHSA-fvjc-2g3g-9pm4",
"modified": "2025-10-29T21:30:32Z",
"published": "2025-03-27T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21870"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6fd60136d256b3b948333ebdb3835f41a95ab7ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87c8768a96092ce75cd47fe076db5080db7ac515"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93c6c2e5801aab09ef1ef99f248f3cd323c3f152"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FVJW-79JQ-H4JJ
Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-22 18:30In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on inline_dots inode
As Wenqing reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215765
It will cause a kernel panic with steps: - mkdir mnt - mount tmp40.img mnt - ls mnt
folio_mark_dirty+0x33/0x50 f2fs_add_regular_entry+0x541/0xad0 [f2fs] f2fs_add_dentry+0x6c/0xb0 [f2fs] f2fs_do_add_link+0x182/0x230 [f2fs] __recover_dot_dentries+0x2d6/0x470 [f2fs] f2fs_lookup+0x5af/0x6a0 [f2fs] __lookup_slow+0xac/0x200 lookup_slow+0x45/0x70 walk_component+0x16c/0x250 path_lookupat+0x8b/0x1f0 filename_lookup+0xef/0x250 user_path_at_empty+0x46/0x70 vfs_statx+0x98/0x190 __do_sys_newlstat+0x41/0x90 __x64_sys_newlstat+0x1a/0x30 do_syscall_64+0x37/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae
The root cause is for special file: e.g. character, block, fifo or socket file, f2fs doesn't assign address space operations pointer array for mapping->a_ops field, so, in a fuzzed image, if inline_dots flag was tagged in special file, during lookup(), when f2fs runs into __recover_dot_dentries(), it will cause NULL pointer access once f2fs_add_regular_entry() calls a_ops->set_dirty_page().
{
"affected": [],
"aliases": [
"CVE-2022-49428"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on inline_dots inode\n\nAs Wenqing reported in bugzilla:\n\nhttps://bugzilla.kernel.org/show_bug.cgi?id=215765\n\nIt will cause a kernel panic with steps:\n- mkdir mnt\n- mount tmp40.img mnt\n- ls mnt\n\nfolio_mark_dirty+0x33/0x50\nf2fs_add_regular_entry+0x541/0xad0 [f2fs]\nf2fs_add_dentry+0x6c/0xb0 [f2fs]\nf2fs_do_add_link+0x182/0x230 [f2fs]\n__recover_dot_dentries+0x2d6/0x470 [f2fs]\nf2fs_lookup+0x5af/0x6a0 [f2fs]\n__lookup_slow+0xac/0x200\nlookup_slow+0x45/0x70\nwalk_component+0x16c/0x250\npath_lookupat+0x8b/0x1f0\nfilename_lookup+0xef/0x250\nuser_path_at_empty+0x46/0x70\nvfs_statx+0x98/0x190\n__do_sys_newlstat+0x41/0x90\n__x64_sys_newlstat+0x1a/0x30\ndo_syscall_64+0x37/0xb0\nentry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root cause is for special file: e.g. character, block, fifo or\nsocket file, f2fs doesn\u0027t assign address space operations pointer array\nfor mapping-\u003ea_ops field, so, in a fuzzed image, if inline_dots flag was\ntagged in special file, during lookup(), when f2fs runs into\n__recover_dot_dentries(), it will cause NULL pointer access once\nf2fs_add_regular_entry() calls a_ops-\u003eset_dirty_page().",
"id": "GHSA-fvjw-79jq-h4jj",
"modified": "2025-10-22T18:30:30Z",
"published": "2025-10-22T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49428"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12662d19467b391b5b509ac5e9ab4f583c6dde16"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/250e5a6be52a6b9d82fe91976c83cc158868b4e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34f48ce5d5936eea33e3b6415403e57eb84aff97"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FVMX-33HG-GJQ5
Vulnerability from github – Published: 2024-02-27 21:31 – Updated: 2024-04-10 21:30In the Linux kernel, the following vulnerability has been resolved:
sfc: farch: fix TX queue lookup in TX event handling
We're starting from a TXQ label, not a TXQ type, so efx_channel_get_tx_queue() is inappropriate (and could return NULL, leading to panics).
{
"affected": [],
"aliases": [
"CVE-2021-46948"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-27T19:04:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: farch: fix TX queue lookup in TX event handling\n\nWe\u0027re starting from a TXQ label, not a TXQ type, so\n efx_channel_get_tx_queue() is inappropriate (and could return NULL,\n leading to panics).",
"id": "GHSA-fvmx-33hg-gjq5",
"modified": "2024-04-10T21:30:28Z",
"published": "2024-02-27T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46948"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35c7a83ad1bb1d48ae249346e61b1132bcbf9052"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/83b09a1807415608b387c7bc748d329fefc5617e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf2b941d0a6f2d3b9f5fa3c4c21bdd54f71ce253"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e531db1ea6f98c9612cb2de093a107c7eadfb96c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FVXJ-2V36-VJX4
Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59There exists one NULL pointer dereference vulnerability in AP4_JsonInspector::AddField in Ap4Atom.cpp in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4 file. This vulnerability can be triggered by the executable mp4dump.
{
"affected": [],
"aliases": [
"CVE-2018-14543"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-23T08:29:00Z",
"severity": "MODERATE"
},
"details": "There exists one NULL pointer dereference vulnerability in AP4_JsonInspector::AddField in Ap4Atom.cpp in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4 file. This vulnerability can be triggered by the executable mp4dump.",
"id": "GHSA-fvxj-2v36-vjx4",
"modified": "2022-05-14T02:59:06Z",
"published": "2022-05-14T02:59:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14543"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/issues/292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FW2F-R9XJ-6GR9
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-15 15:32In the Linux kernel, the following vulnerability has been resolved:
usb: typec: Fix error pointer dereference
The variable tps->partner is checked for an error pointer and then if it is, it sends an error message but does not return and then immediately dereferenced a few lines below:
tps->partner = typec_register_partner(tps->port, &desc); if (IS_ERR(tps->partner)) dev_warn(tps->dev, "%s: failed to register partnet\n", func);
if (desc.identity) { typec_partner_set_identity(tps->partner); cd321x->cur_partner_identity = st.partner_identity; }
Add early return and fix spelling mistake in error message.
Detected by Smatch: drivers/usb/typec/tipd/core.c:827 cd321x_update_work() error: 'tps->partner' dereferencing possible ERR_PTR()
{
"affected": [],
"aliases": [
"CVE-2026-53028"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: Fix error pointer dereference\n\nThe variable tps-\u003epartner is checked for an error pointer and then if it\nis, it sends an error message but does not return and then immediately\ndereferenced a few lines below:\n\ntps-\u003epartner = typec_register_partner(tps-\u003eport, \u0026desc);\nif (IS_ERR(tps-\u003epartner))\n\tdev_warn(tps-\u003edev, \"%s: failed to register partnet\\n\", __func__);\n\nif (desc.identity) {\n\ttypec_partner_set_identity(tps-\u003epartner);\n\tcd321x-\u003ecur_partner_identity = st.partner_identity;\n}\n\nAdd early return and fix spelling mistake in error message.\n\nDetected by Smatch:\ndrivers/usb/typec/tipd/core.c:827 cd321x_update_work() error:\n\u0027tps-\u003epartner\u0027 dereferencing possible ERR_PTR()",
"id": "GHSA-fw2f-r9xj-6gr9",
"modified": "2026-07-15T15:32:45Z",
"published": "2026-06-24T18:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53028"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19951118fb22b5ad512379ee64510fe0e2c40eb3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e31082f92c913d74fefb4e60cd0284e605ba3a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2529d08fcb429ea01bb87c326342f41483f8b2f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FW3W-492M-RR7G
Vulnerability from github – Published: 2022-05-14 02:18 – Updated: 2022-05-14 02:18In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
{
"affected": [],
"aliases": [
"CVE-2018-16328"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-01T22:29:00Z",
"severity": "CRITICAL"
},
"details": "In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.",
"id": "GHSA-fw3w-492m-rr7g",
"modified": "2022-05-14T02:18:53Z",
"published": "2022-05-14T02:18:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16328"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/1224"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FW6V-6FQV-JXV4
Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
PCI: keystone: Fix if-statement expression in ks_pcie_quirk()
This code accidentally uses && where || was intended. It potentially results in a NULL dereference.
Thus, fix the if-statement expression to use the correct condition.
[kwilczynski: commit log]
{
"affected": [],
"aliases": [
"CVE-2024-47756"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T13:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix if-statement expression in ks_pcie_quirk()\n\nThis code accidentally uses \u0026\u0026 where || was intended. It potentially\nresults in a NULL dereference.\n\nThus, fix the if-statement expression to use the correct condition.\n\n[kwilczynski: commit log]",
"id": "GHSA-fw6v-6fqv-jxv4",
"modified": "2025-11-04T00:31:39Z",
"published": "2024-10-21T15:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47756"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2171c5cb2fbc3e03af7e8116cd58736c09328655"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23838bef2adb714ec37b2d6141dccf4a3a70bdef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6188a1c762eb9bbd444f47696eda77a5eae6207a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72210e52e19a27f615e0b5273d2bf012d0dc318d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c9afc3e75069fcfb067727973242cfbf00dd7eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c289903b7a216df5ea6e1850ddf1b958eea9921d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc5aeba07395c8dfa29bb878c8ce4d5180427221"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e85ab507882db165c10a858d7f685a0a38f0312e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FWFJ-54VH-4R92
Vulnerability from github – Published: 2024-11-07 12:30 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
scsi: target: core: Fix null-ptr-deref in target_alloc_device()
There is a null-ptr-deref issue reported by KASAN:
BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] ... kasan_report+0xb9/0xf0 target_alloc_device+0xbc4/0xbe0 [target_core_mod] core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] target_core_init_configfs+0x205/0x420 [target_core_mod] do_one_initcall+0xdd/0x4e0 ... entry_SYSCALL_64_after_hwframe+0x76/0x7e
In target_alloc_device(), if allocing memory for dev queues fails, then dev will be freed by dev->transport->free_device(), but dev->transport is not initialized at that time, which will lead to a null pointer reference problem.
Fixing this bug by freeing dev with hba->backend->ops->free_device().
{
"affected": [],
"aliases": [
"CVE-2024-50153"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-07T10:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Fix null-ptr-deref in target_alloc_device()\n\nThere is a null-ptr-deref issue reported by KASAN:\n\nBUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]\n...\n kasan_report+0xb9/0xf0\n target_alloc_device+0xbc4/0xbe0 [target_core_mod]\n core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]\n target_core_init_configfs+0x205/0x420 [target_core_mod]\n do_one_initcall+0xdd/0x4e0\n...\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nIn target_alloc_device(), if allocing memory for dev queues fails, then\ndev will be freed by dev-\u003etransport-\u003efree_device(), but dev-\u003etransport\nis not initialized at that time, which will lead to a null pointer\nreference problem.\n\nFixing this bug by freeing dev with hba-\u003ebackend-\u003eops-\u003efree_device().",
"id": "GHSA-fwfj-54vh-4r92",
"modified": "2026-05-12T15:30:40Z",
"published": "2024-11-07T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50153"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14a6a2adb440e4ae97bee73b2360946bd033dadd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39e02fa90323243187c91bb3e8f2f5f6a9aacfc7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/895ab729425ef9bf3b6d2f8d0853abe64896f314"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c1e6717f60d31f8af3937c23c4f1498529584e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b80e9bc85bd9af378e7eac83e15dd129557bbdb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fca6caeb4a61d240f031914413fcc69534f6dc03"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FWHJ-785H-43HH
Vulnerability from github – Published: 2026-03-05 20:54 – Updated: 2026-03-05 20:54Summary
An unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via StartActionByGet (invalid action ID), then calling KillAction or RestartAction on that tracking ID. This causes a nil-pointer dereference in API handlers and results in repeated per-request panics (Empty reply from server), enabling denial of service through panic/log/CPU amplification.
Details
The issue is caused by this flow:
-
StartActionByGetaccepts arbitraryactionIdand still calls executor:service/internal/api/api.go:239
-
Executor stores a log entry before binding validation:
service/internal/executor/executor.go:519
-
If binding is nil, execution stops, but the log entry remains:
service/internal/executor/executor.go:781
-
KillActiondereferencesexecReqLogEntry.Binding.Actionwithout checkingBinding:service/internal/api/api.go:79
-
RestartActionhas the same unsafe dereference:service/internal/api/api.go:1285
Because the dereference happens before authorization checks in these handlers, this is reachable unauthenticated.
PoC
Environment:
- OliveTin default single frontend on http://localhost:1337
- Reproduced on main (commit 235493e) and tag 3000.11.0
1) Create orphan tracking ID with invalid action: ```bash T=$(curl -s -X POST http://localhost:1337/api/StartActionByGet \ -H 'Content-Type: application/json' \ --data '{"actionId":"does-not-exist"}' \ | sed -n 's/."executionTrackingId":"([^"])".*/\1/p') echo "$T"
- Trigger panic in RestartAction:
curl -v -X POST http://localhost:1337/api/RestartAction \ -H 'Content-Type: application/json' \ --data "{\"executionTrackingId\":\"$T\"}"
- Trigger panic in KillAction:
curl -v -X POST http://localhost:1337/api/KillAction \ -H 'Content-Type: application/json' \ --data "{\"executionTrackingId\":\"$T\"}"
Observed client output:
- curl: (52) Empty reply from server
Observed server log:
- panic serving ... runtime error: invalid memory address or nil pointer dereference
- stack points to:
- service/internal/api/api.go:79 (KillAction)
- service/internal/api/api.go:1285 (RestartAction)
```
Impact
This is an unauthenticated denial-of-service vulnerability (panic-based request disruption and log/CPU amplification). An attacker can repeatedly trigger panics remotely without credentials, degrading service reliability and observability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/OliveTin/OliveTin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260304225158-bb14c5da3e64"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T20:54:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nAn unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via `StartActionByGet` (invalid action ID), then calling `KillAction` or `RestartAction` on that tracking ID. This causes a nil-pointer dereference in API handlers and results in repeated per-request panics (`Empty reply from server`), enabling denial of service through panic/log/CPU amplification.\n\n### Details\nThe issue is caused by this flow:\n\n 1. `StartActionByGet` accepts arbitrary `actionId` and still calls executor:\n - `service/internal/api/api.go:239`\n\n 2. Executor stores a log entry before binding validation:\n - `service/internal/executor/executor.go:519`\n\n 3. If binding is nil, execution stops, but the log entry remains:\n - `service/internal/executor/executor.go:781`\n\n 4. `KillAction` dereferences `execReqLogEntry.Binding.Action` without checking `Binding`:\n - `service/internal/api/api.go:79`\n\n 5. `RestartAction` has the same unsafe dereference:\n - `service/internal/api/api.go:1285`\n\nBecause the dereference happens before authorization checks in these handlers, this is reachable unauthenticated.\n\n\n### PoC\n Environment:\n - OliveTin default single frontend on `http://localhost:1337`\n - Reproduced on `main` (commit `235493e`) and tag `3000.11.0`\n\n 1) Create orphan tracking ID with invalid action:\n ```bash\n T=$(curl -s -X POST http://localhost:1337/api/StartActionByGet \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"actionId\":\"does-not-exist\"}\u0027 \\\n | sed -n \u0027s/.*\"executionTrackingId\":\"\\([^\"]*\\)\".*/\\1/p\u0027)\n echo \"$T\"\n\n 2. Trigger panic in RestartAction:\n\n curl -v -X POST http://localhost:1337/api/RestartAction \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \"{\\\"executionTrackingId\\\":\\\"$T\\\"}\"\n\n 3. Trigger panic in KillAction:\n\n curl -v -X POST http://localhost:1337/api/KillAction \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \"{\\\"executionTrackingId\\\":\\\"$T\\\"}\"\n\nObserved client output:\n\n - curl: (52) Empty reply from server\n\nObserved server log:\n\n - panic serving ... runtime error: invalid memory address or nil pointer dereference\n - stack points to:\n - service/internal/api/api.go:79 (KillAction)\n - service/internal/api/api.go:1285 (RestartAction)\n\n```\n### Impact\n\nThis is an unauthenticated denial-of-service vulnerability (panic-based request disruption and log/CPU amplification). An attacker can repeatedly trigger panics remotely without credentials, degrading service reliability and observability.",
"id": "GHSA-fwhj-785h-43hh",
"modified": "2026-03-05T20:54:25Z",
"published": "2026-03-05T20:54:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-fwhj-785h-43hh"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/commit/bb14c5da3e64b03f207c7f38139eb60e97c278fc"
},
{
"type": "PACKAGE",
"url": "https://github.com/OliveTin/OliveTin"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "OliveTin has crash on NPE by calling APIs with invalid bindings or log references"
}
GHSA-FWJ8-62R8-8P8M
Vulnerability from github – Published: 2026-05-04 19:38 – Updated: 2026-05-08 21:47Summary
Missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file.
Details
It was found that TransferManager.UploadAllFiles iterates over tar entries but only checks for io.EOF from tr.Next(). When tr.Next() returns a non-EOF error, such as unexpected EOF from a truncated archive, the header hdr is nil and the code continues to access hdr.Name, causing a nil-pointer dereference that panics the daemon.
This may allow the Incus daemon to be crashed during S3 bucket restore if a truncated or corrupted backup archive is provided. A panic can occur when a malformed archive produces a non-EOF tar read error after the first entry. Any caller of UploadAllFiles that processes attacker-controlled archive content may be affected.
Affected File: https://github.com/lxc/incus/blob/v6.22.0/…server/storage/s3/transfer_manager.go#L127
The tar-iteration loop only checks for EOF:
Affected Code:
for {
hdr, err := tr.Next()
if err == io.EOF {
break // End of archive.
}
// Skip index.yaml file
if hdr.Name == "backup/index.yaml" {
When tr.Next() returns a non-EOF error, hdr is nil. The code does not check for this case and immediately dereferences hdr.Name.
This was confirmed as follows:
Command:
go test ./test/fuzz -run='FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar' -count=1 -v
Output:
=== RUN FuzzS3BucketUploadTarParsing
=== RUN FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar
s3_bucket_upload_fuzz_test.go:82: UploadAllFiles panicked: runtime error: invalid memory address
or nil pointer dereference
--- FAIL: FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar (0.00s)
FAIL
It is recommended to add a non-EOF error check after tr.Next().
Proposed Fix:
hdr, err := tr.Next()
if err == io.EOF {
break
}
if err != nil {
return fmt.Errorf("Error reading backup archive: %w", err)
}
A patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.
Credits
This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lxc/incus/v6/cmd/incusd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41647"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T19:38:48Z",
"nvd_published_at": "2026-05-07T14:16:03Z",
"severity": "MODERATE"
},
"details": "### Summary\nMissing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file.\n\n### Details\nIt was found that TransferManager.UploadAllFiles iterates over tar entries but only checks for io.EOF from tr.Next(). When tr.Next() returns a non-EOF error, such as unexpected EOF from a truncated archive, the header hdr is nil and the code continues to access hdr.Name, causing a nil-pointer dereference that panics the daemon.\n\nThis may allow the Incus daemon to be crashed during S3 bucket restore if a truncated or corrupted backup archive is provided. A panic can occur when a malformed archive produces a non-EOF tar read error after the first entry. Any caller of UploadAllFiles that processes attacker-controlled archive content may be affected.\n\nAffected File:\n[https://github.com/lxc/incus/blob/v6.22.0/\u2026server/storage/s3/transfer_manager.go#L127](https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/s3/transfer_manager.go#L127) \n\nThe tar-iteration loop only checks for EOF:\n\nAffected Code:\n```\nfor {\n hdr, err := tr.Next()\n if err == io.EOF {\n break // End of archive.\n }\n\n // Skip index.yaml file\n if hdr.Name == \"backup/index.yaml\" {\n```\n\nWhen tr.Next() returns a non-EOF error, hdr is nil. The code does not check for this case and immediately dereferences hdr.Name.\n\nThis was confirmed as follows:\n\nCommand:\n```\ngo test ./test/fuzz -run=\u0027FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar\u0027 -count=1 -v\n```\n\nOutput:\n```\n=== RUN FuzzS3BucketUploadTarParsing\n=== RUN FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar\n s3_bucket_upload_fuzz_test.go:82: UploadAllFiles panicked: runtime error: invalid memory address\n or nil pointer dereference\n--- FAIL: FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar (0.00s)\nFAIL\n```\n\nIt is recommended to add a non-EOF error check after tr.Next().\n\nProposed Fix:\n```\nhdr, err := tr.Next()\nif err == io.EOF {\n break\n}\n\nif err != nil {\n return fmt.Errorf(\"Error reading backup archive: %w\", err)\n}\n```\n\nA patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.\n\n### Credits\nThis issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)",
"id": "GHSA-fwj8-62r8-8p8m",
"modified": "2026-05-08T21:47:04Z",
"published": "2026-05-04T19:38:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41647"
},
{
"type": "PACKAGE",
"url": "https://github.com/lxc/incus"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/releases/tag/v7.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incus has Nil-Pointer Dereference via S3 Bucket Import"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.