Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-GHQH-9PPG-G8CF

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: update s_journal_inum if it changes after journal replay

When mounting a crafted ext4 image, s_journal_inum may change after journal replay, which is obviously unreasonable because we have successfully loaded and replayed the journal through the old s_journal_inum. And the new s_journal_inum bypasses some of the checks in ext4_get_journal(), which may trigger a null pointer dereference problem. So if s_journal_inum changes after the journal replay, we ignore the change, and rewrite the current journal_inum to the superblock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: update s_journal_inum if it changes after journal replay\n\nWhen mounting a crafted ext4 image, s_journal_inum may change after journal\nreplay, which is obviously unreasonable because we have successfully loaded\nand replayed the journal through the old s_journal_inum. And the new\ns_journal_inum bypasses some of the checks in ext4_get_journal(), which\nmay trigger a null pointer dereference problem. So if s_journal_inum\nchanges after the journal replay, we ignore the change, and rewrite the\ncurrent journal_inum to the superblock.",
  "id": "GHSA-ghqh-9ppg-g8cf",
  "modified": "2025-11-12T21:31:01Z",
  "published": "2025-05-02T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53091"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3039d8b8692408438a618fac2776b629852663c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/499fef2030fb754c68b1c7cb3a799a3bc1d0d925"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70e66bdeae4d0f7c8e87762f425b68aedd5e8955"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee0c5277d4fab920bd31345c49e193ecede9ecef"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHQP-926M-7JRX

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2026-01-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid possible NULL deref in modify_prefix_route()

syzbot found a NULL deref [1] in modify_prefix_route(), caused by one fib6_info without a fib6_table pointer set.

This can happen for net->ipv6.fib6_null_entry

[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089 Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84 RSP: 0018:ffffc900035d7268 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030 R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000 FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831 inet6_addr_modify net/ipv6/addrconf.c:4923 [inline] inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055 rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] _syssendmsg+0xaaf/0xc90 net/socket.c:2583 _sys_sendmsg+0x135/0x1e0 net/socket.c:2637 __sys_sendmsg+0x16e/0x220 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd1dcef8b79 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79 RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006 R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:24Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid possible NULL deref in modify_prefix_route()\n\nsyzbot found a NULL deref [1] in modify_prefix_route(), caused by one\nfib6_info without a fib6_table pointer set.\n\nThis can happen for net-\u003eipv6.fib6_null_entry\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\nCPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089\nCode: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84\nRSP: 0018:ffffc900035d7268 EFLAGS: 00010006\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001\nR10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030\nR13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000\nFS:  0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849\n  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]\n  _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178\n  spin_lock_bh include/linux/spinlock.h:356 [inline]\n  modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831\n  inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]\n  inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055\n  rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920\n  netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541\n  netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n  netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347\n  netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891\n  sock_sendmsg_nosec net/socket.c:711 [inline]\n  __sock_sendmsg net/socket.c:726 [inline]\n  ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583\n  ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637\n  __sys_sendmsg+0x16e/0x220 net/socket.c:2669\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fd1dcef8b79\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79\nRDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004\nRBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c\nR13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001\n \u003c/TASK\u003e",
  "id": "GHSA-ghqp-926m-7jrx",
  "modified": "2026-01-11T18:30:26Z",
  "published": "2024-12-27T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56646"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01f95357e47219a9c4b29e177b717edbfab721b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/90f7d995b861fd77ae4885cc58e26a6a4e5ccdb9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a747e02430dfb3657141f99aa6b09331283fa493"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHRJ-5797-7659

Vulnerability from github – Published: 2026-04-22 12:30 – Updated: 2026-04-22 12:30
VLAI
Details

An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T10:16:51Z",
    "severity": "MODERATE"
  },
  "details": "An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.",
  "id": "GHSA-ghrj-5797-7659",
  "modified": "2026-04-22T12:30:30Z",
  "published": "2026-04-22T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33262"
    },
    {
      "type": "WEB",
      "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHV4-3PW7-86RJ

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-05-12 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix GPF in diFree

Avoid passing inode with JFS_SBI(inode->i_sb)->ipimap == NULL to diFree()[1]. GFP will appear:

struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap;
struct inomap *imap = JFS_IP(ipimap)->i_imap;

JFS_IP() will return invalid pointer when ipimap == NULL

Call Trace: diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 evict+0x2ed/0x750 fs/inode.c:578 iput_final fs/inode.c:1654 [inline] iput.part.0+0x3fe/0x820 fs/inode.c:1680 iput+0x58/0x70 fs/inode.c:1670

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:20Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix GPF in diFree\n\nAvoid passing inode with\nJFS_SBI(inode-\u003ei_sb)-\u003eipimap == NULL to\ndiFree()[1]. GFP will appear:\n\n\tstruct inode *ipimap = JFS_SBI(ip-\u003ei_sb)-\u003eipimap;\n\tstruct inomap *imap = JFS_IP(ipimap)-\u003ei_imap;\n\nJFS_IP() will return invalid pointer when ipimap == NULL\n\nCall Trace:\n diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]\n jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154\n evict+0x2ed/0x750 fs/inode.c:578\n iput_final fs/inode.c:1654 [inline]\n iput.part.0+0x3fe/0x820 fs/inode.c:1680\n iput+0x58/0x70 fs/inode.c:1670",
  "id": "GHSA-ghv4-3pw7-86rj",
  "modified": "2025-05-12T21:30:55Z",
  "published": "2024-05-21T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47340"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bb27e27240289b47d3466f647a55c567adbdc3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42f102ea1943ecb10a0756bf75424de5d1d5beed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49def1b0644892e3b113673c13d650c3060b43bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/745c9a59422c63f661f4374ed5181740db4130a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bde24bde490f3139eee147efc6d60d6040fe975"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8018936950360f1c503bb385e158cfc5e4945d18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d574f985fe33efd6911f4d752de6f485a1ea732"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a21e5cb1a64c904f1f0ef7b2d386fc7d2b1d2ce2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aff8d95b69051d0cf4acc3d91f22299fdbb9dfb3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ2V-JR84-7J79

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-05-24 22:00
VLAI
Details

An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info->vdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-03T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info-\u003evdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).",
  "id": "GHSA-gj2v-jr84-7j79",
  "modified": "2022-05-24T22:00:03Z",
  "published": "2022-05-24T22:00:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12615"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc.git/commit/?id=80caf43549e7e41a695c6d1e11066286538b336f"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190710-0002"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K60924046"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K60924046?utm_source=f5support\u0026amp;utm_medium=RSS"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2014901.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GJ4P-F535-7C3J

Vulnerability from github – Published: 2026-01-23 18:31 – Updated: 2026-04-02 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

idpf: Fix RSS LUT NULL pointer crash on early ethtool operations

The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time.

Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes.

Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off

[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) - not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T16:15:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL pointer crash on early ethtool operations\n\nThe RSS LUT is not initialized until the interface comes up, causing\nthe following NULL pointer crash when ethtool operations like rxhash on/off\nare performed before the interface is brought up for the first time.\n\nMove RSS LUT initialization from ndo_open to vport creation to ensure LUT\nis always available. This enables RSS configuration via ethtool before\nbringing the interface up. Simplify LUT management by maintaining all\nchanges in the driver\u0027s soft copy and programming zeros to the indirection\ntable when rxhash is disabled. Defer HW programming until the interface\ncomes up if it is down during rxhash and LUT configuration changes.\n\nSteps to reproduce:\n** Load idpf driver; interfaces will be created\n\tmodprobe idpf\n** Before bringing the interfaces up, turn rxhash off\n\tethtool -K eth2 rxhash off\n\n[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[89408.371908] #PF: supervisor read access in kernel mode\n[89408.371924] #PF: error_code(0x0000) - not-present page\n[89408.371940] PGD 0 P4D 0\n[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003csnip\u003e\n[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130\n[89408.372310] Call Trace:\n[89408.372317]  \u003cTASK\u003e\n[89408.372326]  ? idpf_set_features+0xfc/0x180 [idpf]\n[89408.372363]  __netdev_update_features+0x295/0xde0\n[89408.372384]  ethnl_set_features+0x15e/0x460\n[89408.372406]  genl_family_rcv_msg_doit+0x11f/0x180\n[89408.372429]  genl_rcv_msg+0x1ad/0x2b0\n[89408.372446]  ? __pfx_ethnl_set_features+0x10/0x10\n[89408.372465]  ? __pfx_genl_rcv_msg+0x10/0x10\n[89408.372482]  netlink_rcv_skb+0x58/0x100\n[89408.372502]  genl_rcv+0x2c/0x50\n[89408.372516]  netlink_unicast+0x289/0x3e0\n[89408.372533]  netlink_sendmsg+0x215/0x440\n[89408.372551]  __sys_sendto+0x234/0x240\n[89408.372571]  __x64_sys_sendto+0x28/0x30\n[89408.372585]  x64_sys_call+0x1909/0x1da0\n[89408.372604]  do_syscall_64+0x7a/0xfa0\n[89408.373140]  ? clear_bhb_loop+0x60/0xb0\n[89408.373647]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[89408.378887]  \u003c/TASK\u003e\n\u003csnip\u003e",
  "id": "GHSA-gj4p-f535-7c3j",
  "modified": "2026-04-02T12:31:04Z",
  "published": "2026-01-23T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22985"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df2790b5228fbd3ed415b70a231cffdad0431618"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ7P-3XQJ-68G4

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-11 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB

Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with 4K pages, both values match (8KB), so allocation and reserved space are consistent.

However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB, while the reserved trap area remains 8KB. This mismatch causes the kernel to crash when running rocminfo or rccl unit tests.

Kernel attempted to read user page (2) - exploit attempt? (uid: 1001) BUG: Kernel NULL pointer dereference on read at 0x00000002 Faulting instruction address: 0xc0000000002c8a64 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E 6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY Tainted: [E]=UNSIGNED_MODULE Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730 REGS: c0000001e0957580 TRAP: 0300 Tainted: G E MSR: 8000000000009033 CR: 24008268 XER: 00000036 CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000 IRQMASK: 1 GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100 c00000013d814540 GPR04: 0000000000000002 c00000013d814550 0000000000000045 0000000000000000 GPR08: c00000013444d000 c00000013d814538 c00000013d814538 0000000084002268 GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff 0000000000020000 GPR16: 0000000000000000 0000000000000002 c00000015f653000 0000000000000000 GPR20: c000000138662400 c00000013d814540 0000000000000000 c00000013d814500 GPR24: 0000000000000000 0000000000000002 c0000001e0957888 c0000001e0957878 GPR28: c00000013d814548 0000000000000000 c00000013d814540 c0000001e0957888 NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0 LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00 Call Trace: 0xc0000001e0957890 (unreliable) __mutex_lock.constprop.0+0x58/0xd00 amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu] kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu] kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu] kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu] kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu] kfd_ioctl+0x514/0x670 [amdgpu] sys_ioctl+0x134/0x180 system_call_exception+0x114/0x300 system_call_vectored_common+0x15c/0x2ec

This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve 64 KB for the trap in the address space, but only allocate 8 KB within it. With this approach, the allocation size never exceeds the reserved area.

(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB\n\nCurrently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while\nKFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with\n4K pages, both values match (8KB), so allocation and reserved space\nare consistent.\n\nHowever, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB,\nwhile the reserved trap area remains 8KB. This mismatch causes the\nkernel to crash when running rocminfo or rccl unit tests.\n\nKernel attempted to read user page (2) - exploit attempt? (uid: 1001)\nBUG: Kernel NULL pointer dereference on read at 0x00000002\nFaulting instruction address: 0xc0000000002c8a64\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\nCPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E\n6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY\nTainted: [E]=UNSIGNED_MODULE\nHardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006\nof:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries\nNIP:  c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730\nREGS: c0000001e0957580 TRAP: 0300 Tainted: G E\nMSR:  8000000000009033 \u003cSF,EE,ME,IR,DR,RI,LE\u003e CR: 24008268\nXER: 00000036\nCFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000\nIRQMASK: 1\nGPR00: c00000000125d908 c0000001e0957820 c0000000016e8100\nc00000013d814540\nGPR04: 0000000000000002 c00000013d814550 0000000000000045\n0000000000000000\nGPR08: c00000013444d000 c00000013d814538 c00000013d814538\n0000000084002268\nGPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff\n0000000000020000\nGPR16: 0000000000000000 0000000000000002 c00000015f653000\n0000000000000000\nGPR20: c000000138662400 c00000013d814540 0000000000000000\nc00000013d814500\nGPR24: 0000000000000000 0000000000000002 c0000001e0957888\nc0000001e0957878\nGPR28: c00000013d814548 0000000000000000 c00000013d814540\nc0000001e0957888\nNIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0\nLR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00\nCall Trace:\n0xc0000001e0957890 (unreliable)\n__mutex_lock.constprop.0+0x58/0xd00\namdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]\nkfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]\nkfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]\nkfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]\nkfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]\nkfd_ioctl+0x514/0x670 [amdgpu]\nsys_ioctl+0x134/0x180\nsystem_call_exception+0x114/0x300\nsystem_call_vectored_common+0x15c/0x2ec\n\nThis patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and\nKFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve\n64 KB for the trap in the address space, but only allocate 8 KB within\nit. With this approach, the allocation size never exceeds the reserved\narea.\n\n(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)",
  "id": "GHSA-gj7p-3xqj-68g4",
  "modified": "2026-05-11T18:31:35Z",
  "published": "2026-05-01T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31765"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4487571ef17a30d274600b3bd6965f497a881299"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b2614a0ff05a2d2836311425091c8feca6f0c21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77c918eaa4c916751769242567407f61c6af142a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3508cf822c4d96d3e492210314f8f6f2da7df58"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ8F-PC7G-P9W6

Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2022-05-14 03:49
VLAI
Details

The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-27T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.",
  "id": "GHSA-gj8f-pc7g-p9w6",
  "modified": "2022-05-14T03:49:53Z",
  "published": "2022-05-14T03:49:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/31c1c0b46a7021802c3d1d18039fca30dba5a14e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3957"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/08/14/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/08/15/8"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100348"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ9H-FV77-FG5J

Vulnerability from github – Published: 2022-05-17 00:53 – Updated: 2022-05-17 00:53
VLAI
Details

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-01T18:59:00Z",
    "severity": "HIGH"
  },
  "details": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.",
  "id": "GHSA-gj9h-fv77-fg5j",
  "modified": "2022-05-17T00:53:08Z",
  "published": "2022-05-17T00:53:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8395"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201709-02"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=21431"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ9V-677H-MWCX

Vulnerability from github – Published: 2024-08-31 00:31 – Updated: 2024-08-31 00:31
VLAI
Details

Remote packet capture support is disabled by default in libpcap. When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex(). One of the function arguments can be a filesystem path, which normally means a directory with input data files. When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-31T00:15:05Z",
    "severity": "MODERATE"
  },
  "details": "Remote packet capture support is disabled by default in libpcap.  When a user builds libpcap with remote packet capture support enabled, one of the functions that become available is pcap_findalldevs_ex().  One of the function arguments can be a filesystem path, which normally means a directory with input data files.  When the specified path cannot be used as a directory, the function receives NULL from opendir(), but does not check the return value and passes the NULL value to readdir(), which causes a NULL pointer derefence.",
  "id": "GHSA-gj9v-677h-mwcx",
  "modified": "2024-08-31T00:31:06Z",
  "published": "2024-08-31T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8006"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/libpcap/commit/0f8a103469ce87d2b8d68c5130a46ddb7fb5eb29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/libpcap/commit/8a633ee5b9ecd9d38a587ac9b204e2380713b0d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.