Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-G4X3-C7QW-7JMF

Vulnerability from github – Published: 2025-09-26 15:30 – Updated: 2025-09-26 15:30
VLAI
Details

A vulnerability was identified in BehaviorTree up to 4.7.0. This vulnerability affects the function XMLParser::PImpl::loadDocImpl of the file /src/xml_parsing.cpp of the component XML Parser. The manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit is publicly available and might be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T13:15:40Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in BehaviorTree up to 4.7.0. This vulnerability affects the function XMLParser::PImpl::loadDocImpl of the file /src/xml_parsing.cpp of the component XML Parser. The manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit is publicly available and might be used.",
  "id": "GHSA-g4x3-c7qw-7jmf",
  "modified": "2025-09-26T15:30:28Z",
  "published": "2025-09-26T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BehaviorTree/BehaviorTree.CPP/issues/1003"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BehaviorTree/BehaviorTree.CPP/pull/1004"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/22245915/poc.zip"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325956"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325956"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.654075"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G4X4-MR34-3PW3

Vulnerability from github – Published: 2026-02-25 15:31 – Updated: 2026-02-25 15:31
VLAI
Details

NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T15:20:55Z",
    "severity": "MODERATE"
  },
  "details": "NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service",
  "id": "GHSA-g4x4-mr34-3pw3",
  "modified": "2026-02-25T15:31:43Z",
  "published": "2026-02-25T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3202"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/21000"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-06.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G57F-G3M7-5229

Vulnerability from github – Published: 2025-07-07 03:30 – Updated: 2025-07-07 03:30
VLAI
Details

Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-07T03:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Null pointer dereference vulnerability in the PDF preview module\nImpact: Successful exploitation of this vulnerability may affect function stability.",
  "id": "GHSA-g57f-g3m7-5229",
  "modified": "2025-07-07T03:30:23Z",
  "published": "2025-07-07T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53184"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G58V-GQQ5-MHVJ

Vulnerability from github – Published: 2022-05-17 02:58 – Updated: 2025-04-20 03:32
VLAI
Details

The get_vlc2 function in get_bits.h in Libav 11.9 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted mp3 file. NOTE: this issue exists due to an incomplete fix for CVE-2016-8675.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-15T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The get_vlc2 function in get_bits.h in Libav 11.9 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted mp3 file.  NOTE: this issue exists due to an incomplete fix for CVE-2016-8675.",
  "id": "GHSA-g58v-gqq5-mhvj",
  "modified": "2025-04-20T03:32:57Z",
  "published": "2022-05-17T02:58:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8676"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2016/09/07/libav-null-pointer-dereference-in-get_vlc2_get_bits_h"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/10/16/13"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/12/04/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93468"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5MH-VXPW-8CVF

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-mdp: Fix error handling in probe function

Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak.

Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:40Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mtk-mdp: Fix error handling in probe function\n\nAdd mtk_mdp_unregister_m2m_device() on the error handling path to prevent\nresource leak.\n\nAdd check for the return value of vpu_get_plat_device() to prevent null\npointer dereference. And vpu_get_plat_device() increases the reference\ncount of the returned platform device. Add platform_device_put() to\nprevent reference leak.",
  "id": "GHSA-g5mh-vxpw-8cvf",
  "modified": "2026-05-08T15:31:17Z",
  "published": "2026-05-06T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43207"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0bc43eaf021347f8d5aba87712c36b799695eec6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12cafc15d24611bfb43c82877b1bbb7454a85d5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e8f53a7382943411557e370f1a4f3946624a30e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a8a3232abac5b972058a5f2cb3e33199d2a8648"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d9c67976eda502edc6b3a148a1c5b6a18b69a98"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3fc99fe5b25613dd61c57bc70b8479adff4f60d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c8737d33d4e8ffae87e5d5edac17f8a705235cc2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5P4-MH5H-5M3Q

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-24 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fix null pointer access

Writing a string without delimiters (' ', '\n', '\0') to the under gpu_od/fan_ctrl sysfs or pp_power_profile_mode for the CUSTOM profile will result in a null pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix null pointer access\n\nWriting a string without delimiters (\u0027 \u0027, \u0027\\n\u0027, \u0027\\0\u0027) to the under\ngpu_od/fan_ctrl sysfs or pp_power_profile_mode for the CUSTOM profile\nwill result in a null pointer dereference.",
  "id": "GHSA-g5p4-mh5h-5m3q",
  "modified": "2025-11-24T21:30:56Z",
  "published": "2025-09-05T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38705"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d8cc029e5595760c7d18c64632e8e40a86a9b2e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a83ffafd02a7af59848755c109d544e3894af737"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cef79c18538e9ce2ca6e5b3fa95c38ec41dcd07a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d524d40e3a6152a3ea1125af729f8cd8ca65efde"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5RR-9WFM-MGQ5

Vulnerability from github – Published: 2025-07-28 12:30 – Updated: 2025-12-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()

syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]

l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").

Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL.

Let's not access to the killed socket in l2cap_sock_resume_cb().

[0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T12:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan-\u003edata is NULL.\n\nLet\u0027s not access to the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847",
  "id": "GHSA-g5rr-9wfm-mgq5",
  "modified": "2025-12-22T21:30:31Z",
  "published": "2025-07-28T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38473"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5VP-298M-R34Q

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nexthop: fix IPv6 route referencing IPv4 nexthop

syzbot reported a panic [1] [2].

When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed.

This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference.

Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6.

Reproducer: # AF_INET6 blackhole ip -6 nexthop add id 1 blackhole # group with has_v4=false ip nexthop add id 100 group 1 # replace with AF_INET (no -6), has_v4 stays false ip nexthop replace id 1 blackhole # pass stale has_v4 check ip -6 route add 2001:db8::/64 nhid 100 # panic ping -6 2001:db8::1

[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0 [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: fix IPv6 route referencing IPv4 nexthop\n\nsyzbot reported a panic [1] [2].\n\nWhen an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag\nof all groups containing this nexthop is not updated. This is because\nnh_group_v4_update is only called when replacing AF_INET to AF_INET6,\nbut the reverse direction (AF_INET6 to AF_INET) is missed.\n\nThis allows a stale has_v4=false to bypass fib6_check_nexthop, causing\nIPv6 routes to be attached to groups that effectively contain only AF_INET\nmembers. Subsequent route lookups then call nexthop_fib6_nh() which\nreturns NULL for the AF_INET member, leading to a NULL pointer\ndereference.\n\nFix by calling nh_group_v4_update whenever the family changes, not just\nAF_INET to AF_INET6.\n\nReproducer:\n\t# AF_INET6 blackhole\n\tip -6 nexthop add id 1 blackhole\n\t# group with has_v4=false\n\tip nexthop add id 100 group 1\n\t# replace with AF_INET (no -6), has_v4 stays false\n\tip nexthop replace id 1 blackhole\n\t# pass stale has_v4 check\n\tip -6 route add 2001:db8::/64 nhid 100\n\t# panic\n\tping -6 2001:db8::1\n\n[1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0\n[2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3",
  "id": "GHSA-g5vp-298m-r34q",
  "modified": "2026-07-14T18:31:49Z",
  "published": "2026-06-24T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53012"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29c95185ba32b621fbc3800fb86e7dc3edf5c2be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/613c8f4a501421dd258b07ea614205d4e16ec845"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6275796f22bb382f3e9aa58ed0b4ef7bdad78cb8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c2d6770a5f4545a307eb66979bef7656a34d621"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aaac3bed034239e1d75732211d9b05f30b0b4f35"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad85961004fd4bd2f31209ac4b07612c6cefb9e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3b7e850e1541f0520c4a12ec884255c30427ff6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ceffe81a0be92afc0cd1340bc8ca46559cce9bb4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5WQ-3R27-V2X7

Vulnerability from github – Published: 2025-01-18 00:30 – Updated: 2025-01-21 18:31
VLAI
Details

In onCreate of EmergencyCallbackModeExitDialog.java, there is a possible way to crash the emergency callback mode due to a missing null check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-17T23:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In onCreate of EmergencyCallbackModeExitDialog.java, there is a possible way to crash the emergency callback mode due to a missing null check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-g5wq-3r27-v2x7",
  "modified": "2025-01-21T18:31:07Z",
  "published": "2025-01-18T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9447"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G63X-CH35-X5P5

Vulnerability from github – Published: 2024-03-26 18:32 – Updated: 2024-11-07 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()

In edp_setup_replay(), 'struct dc dc' & 'struct dmub_replay replay' was dereferenced before the pointer 'link' & 'replay' NULL check.

Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-26T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), \u0027struct dc *dc\u0027 \u0026 \u0027struct dmub_replay *replay\u0027\nwas dereferenced before the pointer \u0027link\u0027 \u0026 \u0027replay\u0027 NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check \u0027link\u0027 (see line 933)",
  "id": "GHSA-g63x-ch35-x5p5",
  "modified": "2024-11-07T00:30:35Z",
  "published": "2024-03-26T18:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.