Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-G682-7PJ4-66F8

Vulnerability from github – Published: 2022-05-14 03:29 – Updated: 2022-05-14 03:29
VLAI
Details

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, untrusted pointer dereference in apr_cb_func can lead to an arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-03T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, untrusted pointer dereference in apr_cb_func can lead to an arbitrary code execution.",
  "id": "GHSA-g682-7pj4-66f8",
  "modified": "2022-05-14T03:29:28Z",
  "published": "2022-05-14T03:29:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3563"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6CV-6CRR-3RP7

Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-05 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()

Our syzkaller report a null pointer dereference, root cause is following:

__blk_mq_alloc_map_and_rqs set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs blk_mq_alloc_map_and_rqs blk_mq_alloc_rqs // failed due to oom alloc_pages_node // set->tags[hctx_idx] is still NULL blk_mq_free_rqs drv_tags = set->tags[hctx_idx]; // null pointer dereference is triggered blk_mq_clear_rq_mapping(drv_tags, ...)

This is because commit 63064be150e4 ("blk-mq: Add blk_mq_alloc_map_and_rqs()") merged the two steps:

1) set->tags[hctx_idx] = blk_mq_alloc_rq_map() 2) blk_mq_alloc_rqs(..., set->tags[hctx_idx])

into one step:

set->tags[hctx_idx] = blk_mq_alloc_map_and_rqs()

Since tags is not initialized yet in this case, fix the problem by checking if tags is NULL pointer in blk_mq_clear_rq_mapping().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix null pointer dereference in blk_mq_clear_rq_mapping()\n\nOur syzkaller report a null pointer dereference, root cause is\nfollowing:\n\n__blk_mq_alloc_map_and_rqs\n set-\u003etags[hctx_idx] = blk_mq_alloc_map_and_rqs\n  blk_mq_alloc_map_and_rqs\n   blk_mq_alloc_rqs\n    // failed due to oom\n    alloc_pages_node\n    // set-\u003etags[hctx_idx] is still NULL\n    blk_mq_free_rqs\n     drv_tags = set-\u003etags[hctx_idx];\n     // null pointer dereference is triggered\n     blk_mq_clear_rq_mapping(drv_tags, ...)\n\nThis is because commit 63064be150e4 (\"blk-mq:\nAdd blk_mq_alloc_map_and_rqs()\") merged the two steps:\n\n1) set-\u003etags[hctx_idx] = blk_mq_alloc_rq_map()\n2) blk_mq_alloc_rqs(..., set-\u003etags[hctx_idx])\n\ninto one step:\n\nset-\u003etags[hctx_idx] = blk_mq_alloc_map_and_rqs()\n\nSince tags is not initialized yet in this case, fix the problem by\nchecking if tags is NULL pointer in blk_mq_clear_rq_mapping().",
  "id": "GHSA-g6cv-6crr-3rp7",
  "modified": "2026-02-05T15:31:08Z",
  "published": "2025-10-07T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50530"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a440e6d04431e774dc084abe88c106e2a474c1a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76dd298094f484c6250ebd076fa53287477b2328"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6F6-9RXJ-6C4X

Vulnerability from github – Published: 2022-05-14 01:50 – Updated: 2022-05-14 01:50
VLAI
Details

In Libav 12.3, a NULL pointer dereference (RIP points to zero) issue in ff_mpa_synth_filter_float in libavcodec/mpegaudiodsp_template.c can cause a segmentation fault (application crash) via a crafted mov file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-09T11:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Libav 12.3, a NULL pointer dereference (RIP points to zero) issue in ff_mpa_synth_filter_float in libavcodec/mpegaudiodsp_template.c can cause a segmentation fault (application crash) via a crafted mov file.",
  "id": "GHSA-g6f6-9rxj-6c4x",
  "modified": "2022-05-14T01:50:09Z",
  "published": "2022-05-14T01:50:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19129"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.libav.org/show_bug.cgi?id=1138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6FV-R8QR-2WV7

Vulnerability from github – Published: 2024-03-15 06:30 – Updated: 2024-03-15 06:30
VLAI
Details

Zemana AntiLogger v2.74.204.664 is vulnerable to a Denial of Service (DoS) vulnerability by triggering the 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T05:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Zemana AntiLogger v2.74.204.664 is vulnerable to a Denial of Service (DoS) vulnerability by triggering the 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers.",
  "id": "GHSA-g6fv-r8qr-2wv7",
  "modified": "2024-03-15T06:30:33Z",
  "published": "2024-03-15T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2204"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/hassan"
    },
    {
      "type": "WEB",
      "url": "https://zemana.com/us/antilogger.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6GR-6RR9-69JW

Vulnerability from github – Published: 2025-06-03 06:31 – Updated: 2025-06-03 06:31
VLAI
Details

In cplog service, there is a possible system crash due to null pointer dereference. This could lead to local denial of service with no additional execution privileges needed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T06:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In cplog service, there is a possible system crash due to null pointer dereference. This could lead to local denial of service with no additional execution privileges needed.",
  "id": "GHSA-g6gr-6rr9-69jw",
  "modified": "2025-06-03T06:31:15Z",
  "published": "2025-06-03T06:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31711"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1929773763314909186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6J9-66RQ-G4JR

Vulnerability from github – Published: 2024-10-29 03:31 – Updated: 2025-02-21 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: stm32: check devm_kasprintf() returned value

devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value.

Found by code review.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T01:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: stm32: check devm_kasprintf() returned value\n\ndevm_kasprintf() can return a NULL pointer on failure but this returned\nvalue is not checked. Fix this lack and check the returned value.\n\nFound by code review.",
  "id": "GHSA-g6j9-66rq-g4jr",
  "modified": "2025-02-21T15:31:58Z",
  "published": "2024-10-29T03:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50070"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f266957ae1207b0717c2d69096bc70654ae9fcb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b36bb1fca2b87f6292ca2a8593f297c5e9fab41"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8d52de0a6c6b091b2771bcb98ce408cf9d69fe3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0f0e3f0552a566def55c844b0d44250c58e4df6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6P9-CJGH-R556

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in do_directive() in modules/preprocs/nasm/nasm-pp.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in do_directive() in modules/preprocs/nasm/nasm-pp.c.",
  "id": "GHSA-g6p9-cjgh-r556",
  "modified": "2022-07-29T00:00:34Z",
  "published": "2022-07-27T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33455"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yasm/yasm/issues/169"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G743-X9VQ-5FPV

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-04-23 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix crash when destroying a suspended hardware context

If userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, the driver may crash because the mailbox channel pointer is NULL for the suspended context.

Fix this by checking the mailbox channel pointer in aie2_destroy_context() before accessing it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix crash when destroying a suspended hardware context\n\nIf userspace issues an ioctl to destroy a hardware context that has\nalready been automatically suspended, the driver may crash because the\nmailbox channel pointer is NULL for the suspended context.\n\nFix this by checking the mailbox channel pointer in aie2_destroy_context()\nbefore accessing it.",
  "id": "GHSA-g743-x9vq-5fpv",
  "modified": "2026-04-23T21:31:17Z",
  "published": "2026-03-25T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23341"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8363c02863332992a1822688da41f881d88d1631"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6317704edab95d66a62fc1861d9546284ab678e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G74W-W63G-R5X9

Vulnerability from github – Published: 2025-07-07 03:30 – Updated: 2025-07-07 03:30
VLAI
Details

Null pointer dereference vulnerability in the application exit cause module Impact: Successful exploitation of this vulnerability may affect function stability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-07T03:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Null pointer dereference vulnerability in the application exit cause module\nImpact: Successful exploitation of this vulnerability may affect function stability.",
  "id": "GHSA-g74w-w63g-r5x9",
  "modified": "2025-07-07T03:30:23Z",
  "published": "2025-07-07T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53170"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G75P-4V96-PXFF

Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19
VLAI
Details

An issue was discovered in Xen 4.5.x through 4.9.x. The function __gnttab_cache_flush handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However, the function does not check to see if the owning domain actually has a grant table or not. Some special domains, such as DOMID_XEN, DOMID_IO and DOMID_COW are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by these special domains, it will attempt to dereference a NULL pointer in the domain struct.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-12T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner\u0027s grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However, the function does not check to see if the owning domain actually has a grant table or not. Some special domains, such as `DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by these special domains, it will attempt to dereference a NULL pointer in the domain struct.",
  "id": "GHSA-g75p-4v96-pxff",
  "modified": "2022-05-17T00:19:55Z",
  "published": "2022-05-17T00:19:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14318"
    },
    {
      "type": "WEB",
      "url": "https://support.citrix.com/article/CTX227185"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4050"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100817"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039349"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-232.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.