Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-G3FM-RGQ3-H9W3

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2024-06-06 21:30
VLAI
Details

MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-17T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.",
  "id": "GHSA-g3fm-rgq3-h9w3",
  "modified": "2024-06-06T21:30:35Z",
  "published": "2022-05-24T17:01:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/miniupnp/ngiflib/issues/16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3HM-FHHV-62R9

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

skbuff: skb_segment, Call zero copy functions before using skbuff frags

Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb") added the call to zero copy functions in skb_segment(). The change introduced a bug in skb_segment() because skb_orphan_frags() may possibly change the number of fragments or allocate new fragments altogether leaving nrfrags and frag to point to the old values. This can cause a panic with stacktrace like the one below.

[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc [ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 [ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0 [ 194.021892] Call Trace: [ 194.027422] [ 194.072861] tcp_gso_segment+0x107/0x540 [ 194.082031] inet_gso_segment+0x15c/0x3d0 [ 194.090783] skb_mac_gso_segment+0x9f/0x110 [ 194.095016] __skb_gso_segment+0xc1/0x190 [ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem] [ 194.107071] dev_qdisc_enqueue+0x16/0x70 [ 194.110884] __dev_queue_xmit+0x63b/0xb30 [ 194.121670] bond_start_xmit+0x159/0x380 [bonding] [ 194.128506] dev_hard_start_xmit+0xc3/0x1e0 [ 194.131787] __dev_queue_xmit+0x8a0/0xb30 [ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan] [ 194.141477] dev_hard_start_xmit+0xc3/0x1e0 [ 194.144622] sch_direct_xmit+0xe3/0x280 [ 194.147748] __dev_queue_xmit+0x54a/0xb30 [ 194.154131] tap_get_user+0x2a8/0x9c0 [tap] [ 194.157358] tap_sendmsg+0x52/0x8e0 [tap] [ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net] [ 194.173631] handle_tx+0xcd/0xe0 [vhost_net] [ 194.176959] vhost_worker+0x76/0xb0 [vhost] [ 194.183667] kthread+0x118/0x140 [ 194.190358] ret_from_fork+0x1f/0x30 [ 194.193670]

In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags local variable in skb_segment() stale. This resulted in the code hitting i >= nrfrags prematurely and trying to move to next frag_skb using list_skb pointer, which was NULL, and caused kernel panic. Move the call to zero copy functions before using frags and nr_frags.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: skb_segment, Call zero copy functions before using skbuff frags\n\nCommit bf5c25d60861 (\"skbuff: in skb_segment, call zerocopy functions\nonce per nskb\") added the call to zero copy functions in skb_segment().\nThe change introduced a bug in skb_segment() because skb_orphan_frags()\nmay possibly change the number of fragments or allocate new fragments\naltogether leaving nrfrags and frag to point to the old values. This can\ncause a panic with stacktrace like the one below.\n\n[  193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc\n[  193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G           O      5.15.123+ #26\n[  193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0\n[  194.021892] Call Trace:\n[  194.027422]  \u003cTASK\u003e\n[  194.072861]  tcp_gso_segment+0x107/0x540\n[  194.082031]  inet_gso_segment+0x15c/0x3d0\n[  194.090783]  skb_mac_gso_segment+0x9f/0x110\n[  194.095016]  __skb_gso_segment+0xc1/0x190\n[  194.103131]  netem_enqueue+0x290/0xb10 [sch_netem]\n[  194.107071]  dev_qdisc_enqueue+0x16/0x70\n[  194.110884]  __dev_queue_xmit+0x63b/0xb30\n[  194.121670]  bond_start_xmit+0x159/0x380 [bonding]\n[  194.128506]  dev_hard_start_xmit+0xc3/0x1e0\n[  194.131787]  __dev_queue_xmit+0x8a0/0xb30\n[  194.138225]  macvlan_start_xmit+0x4f/0x100 [macvlan]\n[  194.141477]  dev_hard_start_xmit+0xc3/0x1e0\n[  194.144622]  sch_direct_xmit+0xe3/0x280\n[  194.147748]  __dev_queue_xmit+0x54a/0xb30\n[  194.154131]  tap_get_user+0x2a8/0x9c0 [tap]\n[  194.157358]  tap_sendmsg+0x52/0x8e0 [tap]\n[  194.167049]  handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]\n[  194.173631]  handle_tx+0xcd/0xe0 [vhost_net]\n[  194.176959]  vhost_worker+0x76/0xb0 [vhost]\n[  194.183667]  kthread+0x118/0x140\n[  194.190358]  ret_from_fork+0x1f/0x30\n[  194.193670]  \u003c/TASK\u003e\n\nIn this case calling skb_orphan_frags() updated nr_frags leaving nrfrags\nlocal variable in skb_segment() stale. This resulted in the code hitting\ni \u003e= nrfrags prematurely and trying to move to next frag_skb using\nlist_skb pointer, which was NULL, and caused kernel panic. Move the call\nto zero copy functions before using frags and nr_frags.",
  "id": "GHSA-g3hm-fhhv-62r9",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53354"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04c3eee4e13f60bf6f9a366ad39f88a01a57166e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ea35288c83b3d501a88bc17f2df8f176b5cc96f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c26ed3c6abe86ddab0510529000b970b05c9b40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8836c266201c29a5acb4f582227686f47b65ad61"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d44403ec0676317b7f7edf2a035bb219fee3304e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5790386595d06ea9decfd9ba5f1ea48cf09aa02"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f99006e840a4dbc8f5a34cecc6b5b26c73ef49bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fcab3f661dbfd88e27ddbbe65368f3fa2d823175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3R8-4WH4-CPP2

Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2022-10-26 12:00
VLAI
Details

NULL Pointer Dereference in Conda vim prior to 8.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-21T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Dereference in Conda vim prior to 8.2.",
  "id": "GHSA-g3r8-4wh4-cpp2",
  "modified": "2022-10-26T12:00:36Z",
  "published": "2022-02-22T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0696"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/0f6e28f686dbb59ab3b562408ab9b2234797b9b1"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/7416c2cb-1809-4834-8989-e84ff033f15f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213488"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Oct/28"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Oct/41"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3RF-M85C-RX6H

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37
VLAI
Details

An issue was discovered in Mooltipass Moolticute through v0.42.1 and v0.42.x-testing through v0.42.5-testing. There is a NULL pointer dereference in MPDevice_win.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-30T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Mooltipass Moolticute through v0.42.1 and v0.42.x-testing through v0.42.5-testing. There is a NULL pointer dereference in MPDevice_win.cpp.",
  "id": "GHSA-g3rf-m85c-rx6h",
  "modified": "2024-04-04T02:37:12Z",
  "published": "2022-05-24T17:00:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mooltipass/moolticute/pull/483"
    },
    {
      "type": "WEB",
      "url": "https://securiteam.io/2019/10/27/a-null-pointer-dereference"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3RJ-XPPW-7C7V

Vulnerability from github – Published: 2025-08-29 18:30 – Updated: 2025-08-29 18:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T18:15:39Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If  can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.5.3145 build 20250526 and later\nQuTS hero h5.2.5.3138 build 20250519 and later",
  "id": "GHSA-g3rj-xppw-7c7v",
  "modified": "2025-08-29T18:30:53Z",
  "published": "2025-08-29T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30274"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G3V4-29H4-3GXQ

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-04 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()

r5l_flush_stripe_to_raid() will check if the list 'flushing_ios' is empty, and then submit 'flush_bio', however, r5l_log_flush_endio() is clearing the list first and then clear the bio, which will cause null-ptr-deref:

T1: submit flush io raid5d handle_active_stripes r5l_flush_stripe_to_raid // list is empty // add 'io_end_ios' to the list bio_init submit_bio // io1

T2: io1 is done r5l_log_flush_endio list_splice_tail_init // clear the list T3: submit new flush io ... r5l_flush_stripe_to_raid // list is empty // add 'io_end_ios' to the list bio_init bio_uninit // clear bio->bi_blkg submit_bio // null-ptr-deref

Fix this problem by clearing bio before clearing the list in r5l_log_flush_endio().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid()\n\nr5l_flush_stripe_to_raid() will check if the list \u0027flushing_ios\u0027 is\nempty, and then submit \u0027flush_bio\u0027, however, r5l_log_flush_endio()\nis clearing the list first and then clear the bio, which will cause\nnull-ptr-deref:\n\nT1: submit flush io\nraid5d\n handle_active_stripes\n  r5l_flush_stripe_to_raid\n   // list is empty\n   // add \u0027io_end_ios\u0027 to the list\n   bio_init\n   submit_bio\n   // io1\n\nT2: io1 is done\nr5l_log_flush_endio\n list_splice_tail_init\n // clear the list\n\t\t\tT3: submit new flush io\n\t\t\t...\n\t\t\tr5l_flush_stripe_to_raid\n\t\t\t // list is empty\n\t\t\t // add \u0027io_end_ios\u0027 to the list\n\t\t\t bio_init\n bio_uninit\n // clear bio-\u003ebi_blkg\n\t\t\t submit_bio\n\t\t\t // null-ptr-deref\n\nFix this problem by clearing bio before clearing the list in\nr5l_log_flush_endio().",
  "id": "GHSA-g3v4-29h4-3gxq",
  "modified": "2025-12-04T15:30:32Z",
  "published": "2025-09-15T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53210"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d0bd28c500173bfca78aa840f8f36d261ef1765"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/711fb92606208a8626b785da4f9f23d648a5b6c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a8b6d93991bf4b72b3f959baea35397c6c8e521"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e46b2e7be8059d156af8c011dd8d665229b65886"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3W4-C7GJ-JC69

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09
VLAI
Details

CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-18T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.",
  "id": "GHSA-g3w4-c7gj-jc69",
  "modified": "2022-05-24T17:09:17Z",
  "published": "2022-05-24T17:09:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8011"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/external/content/security-advisories/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832"
    },
    {
      "type": "WEB",
      "url": "https://techdocs.broadcom.com/us/product-content/status/announcement-documents/2019/ca20200205-01-security-notice-for-ca-unified-infrastructure-management.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G3WQ-CG32-6XWX

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: fix NULL-ptr deref in offchan check

If, e.g. in AP mode, the link was already created by userspace but not activated yet, it has a chandef but the chandef isn't valid and has no channel. Check for this and ignore this link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix NULL-ptr deref in offchan check\n\nIf, e.g. in AP mode, the link was already created by userspace\nbut not activated yet, it has a chandef but the chandef isn\u0027t\nvalid and has no channel. Check for this and ignore this link.",
  "id": "GHSA-g3wq-cg32-6xwx",
  "modified": "2025-11-10T18:30:29Z",
  "published": "2025-05-02T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53113"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/201a836c2385fdd2b9d0a8e7737bba5b26f1863a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87e80ea4fbc9ce2f2005905fdbcd38baaa47463a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f624bb6fad23df3270580b4fcef415c6e7bf7705"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3WV-HMMW-34HR

Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2025-11-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

platform/x86/intel/pmt: fix a crashlog NULL pointer access

Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage.

Without the ep, the crashlog usage causes the following NULL pointer exception:

BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110

Augment struct intel_pmt_entry with a pointer to the pcidev to avoid the NULL pointer exception.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/intel/pmt: fix a crashlog NULL pointer access\n\nUsage of the intel_pmt_read() for binary sysfs, requires a pcidev. The\ncurrent use of the endpoint value is only valid for telemetry endpoint\nusage.\n\nWithout the ep, the crashlog usage causes the following NULL pointer\nexception:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nOops: Oops: 0000 [#1] SMP NOPTI\nRIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]\nCode:\nCall Trace:\n \u003cTASK\u003e\n ? sysfs_kf_bin_read+0xc0/0xe0\n kernfs_fop_read_iter+0xac/0x1a0\n vfs_read+0x26d/0x350\n ksys_read+0x6b/0xe0\n __x64_sys_read+0x1d/0x30\n x64_sys_call+0x1bc8/0x1d70\n do_syscall_64+0x6d/0x110\n\nAugment struct intel_pmt_entry with a pointer to the pcidev to avoid\nthe NULL pointer exception.",
  "id": "GHSA-g3wv-hmmw-34hr",
  "modified": "2025-11-28T15:30:29Z",
  "published": "2025-08-19T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38559"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/089d05266b2caf020ac2ae2cd2be78f580268f5d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18d53b543b5447478e259c96ca4688393f327c98"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54d5cd4719c5e87f33d271c9ac2e393147d934f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/860d93bd6a21f08883711196344c353bc3936a2b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G442-4WGF-H9JR

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-06-16T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.",
  "id": "GHSA-g442-4wgf-h9jr",
  "modified": "2022-05-13T01:14:38Z",
  "published": "2022-05-13T01:14:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2391"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1304794"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03374.html"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=fa1298c2d623522eda7b4f1f721fcb935abb7360"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu.org/?p=qemu.git;a=commit;h=fa1298c2d623522eda7b4f1f721fcb935abb7360"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/16/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/83263"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2974-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.