Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-GRWF-P35F-373J

Vulnerability from github – Published: 2022-01-06 00:00 – Updated: 2023-05-27 06:30
VLAI
Details

A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Box via __strlen_avx2, which causes a Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-05T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Box via __strlen_avx2, which causes a Denial of Service.",
  "id": "GHSA-grwf-p35f-373j",
  "modified": "2023-05-27T06:30:36Z",
  "published": "2022-01-06T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1990"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRWG-J658-3FMH

Vulnerability from github – Published: 2026-06-01 15:30 – Updated: 2026-06-02 00:31
VLAI
Details

A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T15:16:28Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.",
  "id": "GHSA-grwg-j658-3fmh",
  "modified": "2026-06-02T00:31:53Z",
  "published": "2026-06-01T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/3302"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/49/README.md"
    },
    {
      "type": "WEB",
      "url": "https://infosec.exchange/@sigdevel/116659111520602254"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/01/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV2Q-XCVG-JR5Q

Vulnerability from github – Published: 2022-05-14 03:15 – Updated: 2025-04-20 03:34
VLAI
Details

The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer dereference).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-23T18:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer dereference).",
  "id": "GHSA-gv2q-xcvg-jr5q",
  "modified": "2025-04-20T03:34:40Z",
  "published": "2022-05-14T03:15:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1388828"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGI2FZQLOTSZI3VA4ECJERI74SMNQDL4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EGI2FZQLOTSZI3VA4ECJERI74SMNQDL4"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3693-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/10/23/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/10/23/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93835"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV3J-JWR9-RF6P

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28
VLAI
Details

libhtp 0.5.15 allows remote attackers to cause a denial of service (NULL pointer dereference).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-0928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-28T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "libhtp 0.5.15 allows remote attackers to cause a denial of service (NULL pointer dereference).",
  "id": "GHSA-gv3j-jwr9-rf6p",
  "modified": "2022-05-13T01:28:00Z",
  "published": "2022-05-13T01:28:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0928"
    },
    {
      "type": "WEB",
      "url": "https://redmine.openinfosecfoundation.org/issues/1272"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/73117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV65-4GJF-WCQP

Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-18 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms

Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") introduced an access to the 'soc' field of struct mtk_pinctrl in mtk_eint_do_init() and for that an include of pinctrl-mtk-common-v2.h.

However, pinctrl drivers relying on the v1 common driver include pinctrl-mtk-common.h instead, which provides another definition of struct mtk_pinctrl that does not contain an 'soc' field.

Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it will now try to dereference an invalid pointer when called on v1 platforms. This has been observed on Genio 350 EVK (MT8365), which crashes very early in boot (the kernel trace can only be seen with earlycon).

In order to fix this, since 'struct mtk_pinctrl' was only needed to get a 'struct mtk_eint_pin', make 'struct mtk_eint_pin' a parameter of mtk_eint_do_init() so that callers need to supply it, removing mtk_eint_do_init()'s dependency on any particular 'struct mtk_pinctrl'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:24Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms\n\nCommit 3ef9f710efcb (\"pinctrl: mediatek: Add EINT support for multiple\naddresses\") introduced an access to the \u0027soc\u0027 field of struct\nmtk_pinctrl in mtk_eint_do_init() and for that an include of\npinctrl-mtk-common-v2.h.\n\nHowever, pinctrl drivers relying on the v1 common driver include\npinctrl-mtk-common.h instead, which provides another definition of\nstruct mtk_pinctrl that does not contain an \u0027soc\u0027 field.\n\nSince mtk_eint_do_init() can be called both by v1 and v2 drivers, it\nwill now try to dereference an invalid pointer when called on v1\nplatforms. This has been observed on Genio 350 EVK (MT8365), which\ncrashes very early in boot (the kernel trace can only be seen with\nearlycon).\n\nIn order to fix this, since \u0027struct mtk_pinctrl\u0027 was only needed to get\na \u0027struct mtk_eint_pin\u0027, make \u0027struct mtk_eint_pin\u0027 a parameter\nof mtk_eint_do_init() so that callers need to supply it, removing\nmtk_eint_do_init()\u0027s dependency on any particular \u0027struct mtk_pinctrl\u0027.",
  "id": "GHSA-gv65-4gjf-wcqp",
  "modified": "2025-11-18T18:32:48Z",
  "published": "2025-07-10T09:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38266"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c9977b263475373b31bbf86af94a5c9ae2be42c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ebe21ede792cef851847648962c363cac67d17f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV6P-37WW-QHQ7

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mmc: vub300: fix NULL-deref on disconnect

Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix NULL-deref on disconnect\n\nMake sure to deregister the controller before dropping the reference to\nthe driver data on disconnect to avoid NULL-pointer dereferences or\nuse-after-free.",
  "id": "GHSA-gv6p-37ww-qhq7",
  "modified": "2026-07-14T15:31:54Z",
  "published": "2026-04-24T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31651"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/517b58e1d067115f80d198feee10192da4c424d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53f2642d77ab5f1f303388bff5500363c6cf962c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6446516e626ce7c44bdadbcbb3d7677a2c52ce93"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6468cab1173f44f7a4b7a05ce8abfdfd1ce1557a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d09e75759cb2afc0732acfb5a14a93c03805a61"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba3b9429de94958dc0060d9816a915dd75c34919"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c83a282615d8f7ba28cebddd54600b419d562d82"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dff34ef879c5e73298443956a8b391311ba78d57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV6X-94M7-C6HH

Vulnerability from github – Published: 2026-07-15 15:33 – Updated: 2026-07-15 15:33
VLAI
Details

When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate.

Impact: The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-15T15:16:44Z",
    "severity": "HIGH"
  },
  "details": "When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. \n\n\n\nImpact:\nThe NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only.\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-gv6x-94m7-c6hh",
  "modified": "2026-07-15T15:33:06Z",
  "published": "2026-07-15T15:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52865"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000161834"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GV9G-W43H-W5VW

Vulnerability from github – Published: 2024-07-16 12:30 – Updated: 2024-08-21 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create

If there are failures then we must not leave the non-NULL pointers with the error value, otherwise rpcrdma_ep_destroy gets confused and tries free them, resulting in an Oops.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T12:15:02Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create\n\nIf there are failures then we must not leave the non-NULL pointers with\nthe error value, otherwise `rpcrdma_ep_destroy` gets confused and tries\nfree them, resulting in an Oops.",
  "id": "GHSA-gv9g-w43h-w5vw",
  "modified": "2024-08-21T18:31:26Z",
  "published": "2024-07-16T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48773"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e7433fb95ccc01629a5edaa4ced0cd8c98d0ae0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2526d4d8b209dc5ac1fbeb468149774888b2a141"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9921c866dc369577c3ebb9adf2383b01b58c18de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9c10b5b3b67b3750a10c8b089b2e05f5e176e33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV9J-3945-3X3R

Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-07-08 06:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Bounds-check devid in __rlookup_amd_iommu()

iommu_device_register() walks every device on the PCI bus via bus_for_each_dev() and calls amd_iommu_probe_device() for each. The inlined check_device() path computes the device's sbdf, calls rlookup_amd_iommu() to find the owning IOMMU, and only afterwards verifies devid <= pci_seg->last_bdf. __rlookup_amd_iommu() indexes rlookup_table[devid] with no bounds check of its own, so for a PCI device whose BDF is not described by the IVRS, the lookup reads past the end of the allocation before the caller's bounds check can run.

This was harmless before commit e874c666b15b ("iommu/amd: Change rlookup, irq_lookup, and alias to use kvalloc()"): the table was a zeroed page-order allocation, so the over-read returned NULL and the caller's NULL check skipped the device. After that commit the table is a tight kvcalloc() and the over-read returns adjacent slab contents, which check_device() then dereferences as a struct amd_iommu *, causing a boot-time GPF.

Seen on Google Compute Engine ct6e VMs, where the virtualized IVRS describes only the four TPU endpoints 00:04.0-07.0; the gVNIC at 00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation, into the adjacent kmalloc-512 slab object:

pci 0000:00:04.0: Adding to iommu group 0 pci 0000:00:05.0: Adding to iommu group 1 pci 0000:00:06.0: Adding to iommu group 2 pci 0000:00:07.0: Adding to iommu group 3 Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025 RIP: 0010:amd_iommu_probe_device+0x54/0x3a0 Call Trace: __iommu_probe_device+0x107/0x520 probe_iommu_group+0x29/0x50 bus_for_each_dev+0x7e/0xe0 iommu_device_register+0xc9/0x240 iommu_go_to_state+0x9c0/0x1c60 amd_iommu_init+0x14/0x40 pci_iommu_init+0x16/0x60 do_one_initcall+0x47/0x2f0

Guard the array access in __rlookup_amd_iommu(). With the fix applied on 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T20:17:20Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Bounds-check devid in __rlookup_amd_iommu()\n\niommu_device_register() walks every device on the PCI bus via\nbus_for_each_dev() and calls amd_iommu_probe_device() for each. The\ninlined check_device() path computes the device\u0027s sbdf, calls\nrlookup_amd_iommu() to find the owning IOMMU, and only afterwards\nverifies devid \u003c= pci_seg-\u003elast_bdf. __rlookup_amd_iommu() indexes\nrlookup_table[devid] with no bounds check of its own, so for a PCI\ndevice whose BDF is not described by the IVRS, the lookup reads past\nthe end of the allocation before the caller\u0027s bounds check can run.\n\nThis was harmless before commit e874c666b15b (\"iommu/amd: Change\nrlookup, irq_lookup, and alias to use kvalloc()\"): the table was a\nzeroed page-order allocation, so the over-read returned NULL and the\ncaller\u0027s NULL check skipped the device. After that commit the table is\na tight kvcalloc() and the over-read returns adjacent slab contents,\nwhich check_device() then dereferences as a struct amd_iommu *,\ncausing a boot-time GPF.\n\nSeen on Google Compute Engine ct6e VMs, where the virtualized IVRS\ndescribes only the four TPU endpoints 00:04.0-07.0; the gVNIC at\n00:08.0 (devid 0x40) indexes 56 bytes past the 456-byte allocation,\ninto the adjacent kmalloc-512 slab object:\n\n  pci 0000:00:04.0: Adding to iommu group 0\n  pci 0000:00:05.0: Adding to iommu group 1\n  pci 0000:00:06.0: Adding to iommu group 2\n  pci 0000:00:07.0: Adding to iommu group 3\n  Oops: general protection fault, probably for non-canonical address 0x3a64695f78746382: 0000 [#1] SMP NOPTI\n  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.22 #1\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/06/2025\n  RIP: 0010:amd_iommu_probe_device+0x54/0x3a0\n  Call Trace:\n   __iommu_probe_device+0x107/0x520\n   probe_iommu_group+0x29/0x50\n   bus_for_each_dev+0x7e/0xe0\n   iommu_device_register+0xc9/0x240\n   iommu_go_to_state+0x9c0/0x1c60\n   amd_iommu_init+0x14/0x40\n   pci_iommu_init+0x16/0x60\n   do_one_initcall+0x47/0x2f0\n\nGuard the array access in __rlookup_amd_iommu(). With the fix applied\non 6.18.22, the gVNIC at 00:08.0 is skipped cleanly and the VM boots.",
  "id": "GHSA-gv9j-3945-3x3r",
  "modified": "2026-07-08T06:31:35Z",
  "published": "2026-06-26T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53283"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07d0f496fe7ec5abe3bee7e38be709521567bb33"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79db4cbab81f07ce69a93d379ebd40d3709ecfb2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0a0f01787ecece814414b0665df879b69849d09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVC2-C45P-M2R9

Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-17 00:01
VLAI
Details

Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg/radare2 in GitHub repository radareorg/radare2 prior to 5.7.0. It is likely to be exploitable. For more general description of heap buffer overflow, see CWE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg/radare2 in GitHub repository radareorg/radare2 prior to 5.7.0. It is likely to be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/476.html).",
  "id": "GHSA-gvc2-c45p-m2r9",
  "modified": "2022-05-17T00:01:19Z",
  "published": "2022-05-11T00:01:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radareorg/radare2/commit/a5aafb99c3965259c84ddcf45a91144bf7eb4cf1"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c07e4918-cf86-4d2e-8969-5fb63575b449"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.