CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-H347-4RGX-68RR
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2024-11-07 18:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix a debugfs null pointer error
[WHY & HOW] Check whether get_subvp_en() callback exists before calling it.
{
"affected": [],
"aliases": [
"CVE-2023-52673"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T14:15:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY \u0026 HOW]\nCheck whether get_subvp_en() callback exists before calling it.",
"id": "GHSA-h347-4rgx-68rr",
"modified": "2024-11-07T18:31:20Z",
"published": "2024-05-17T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52673"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H35G-GH47-W446
Vulnerability from github – Published: 2023-10-30 03:30 – Updated: 2023-11-04 03:30In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2023-46867"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T03:15:07Z",
"severity": "MODERATE"
},
"details": "In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.",
"id": "GHSA-h35g-gh47-w446",
"modified": "2023-11-04T03:30:19Z",
"published": "2023-10-30T03:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46867"
},
{
"type": "WEB",
"url": "https://github.com/InternationalColorConsortium/DemoIccMAX/issues/54"
},
{
"type": "WEB",
"url": "https://github.com/InternationalColorConsortium/DemoIccMAX/pull/53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H35X-4F36-345V
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-02-03 15:32In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Prevent recovery invocation during probe and resume
Refactor IPC send and receive functions to allow correct handling of operations that should not trigger a recovery process.
Expose ivpu_send_receive_internal(), which is now utilized by the D0i3 entry, DCT initialization, and HWS initialization functions. These functions have been modified to return error codes gracefully, rather than initiating recovery.
The updated functions are invoked within ivpu_probe() and ivpu_resume(), ensuring that any errors encountered during these stages result in a proper teardown or shutdown sequence. The previous approach of triggering recovery within these functions could lead to a race condition, potentially causing undefined behavior and kernel crashes due to null pointer dereferences.
{
"affected": [],
"aliases": [
"CVE-2024-56540"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T14:15:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Prevent recovery invocation during probe and resume\n\nRefactor IPC send and receive functions to allow correct\nhandling of operations that should not trigger a recovery process.\n\nExpose ivpu_send_receive_internal(), which is now utilized by the D0i3\nentry, DCT initialization, and HWS initialization functions.\nThese functions have been modified to return error codes gracefully,\nrather than initiating recovery.\n\nThe updated functions are invoked within ivpu_probe() and ivpu_resume(),\nensuring that any errors encountered during these stages result in a proper\nteardown or shutdown sequence. The previous approach of triggering recovery\nwithin these functions could lead to a race condition, potentially causing\nundefined behavior and kernel crashes due to null pointer dereferences.",
"id": "GHSA-h35x-4f36-345v",
"modified": "2025-02-03T15:32:00Z",
"published": "2024-12-27T15:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56540"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/362ef76020ea6219a4df4ac5b738672b59527239"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5eaa497411197c41b0813d61ba3fbd6267049082"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cac822772c4dc27a285f09caf30072ab76d2bf38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3CH-QVJW-GR8J
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2020-35505"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-28T11:15:00Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the \u0027Information Transfer\u0027 command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-h3ch-qvjw-gr8j",
"modified": "2022-05-24T19:03:38Z",
"published": "2022-05-24T19:03:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35505"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1909769"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-27"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210713-0006"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/04/16/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/04/16/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3HR-9QQW-CVG3
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-05-20 00:31In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry
When a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path in netfs_unbuffered_write() unconditionally calls stream->prepare_write() without checking if it is NULL.
Filesystems such as 9P do not set the prepare_write operation, so stream->prepare_write remains NULL. When get_user_pages() fails with -EFAULT and the subrequest is flagged for retry, this results in a NULL pointer dereference at fs/netfs/direct_write.c:189.
Fix this by mirroring the pattern already used in write_retry.c: if stream->prepare_write is NULL, skip renegotiation and directly reissue the subrequest via netfs_reissue_write(), which handles iterator reset, IN_PROGRESS flag, stats update and reissue internally.
{
"affected": [],
"aliases": [
"CVE-2026-31437"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:36Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry\n\nWhen a write subrequest is marked NETFS_SREQ_NEED_RETRY, the retry path\nin netfs_unbuffered_write() unconditionally calls stream-\u003eprepare_write()\nwithout checking if it is NULL.\n\nFilesystems such as 9P do not set the prepare_write operation, so\nstream-\u003eprepare_write remains NULL. When get_user_pages() fails with\n-EFAULT and the subrequest is flagged for retry, this results in a NULL\npointer dereference at fs/netfs/direct_write.c:189.\n\nFix this by mirroring the pattern already used in write_retry.c: if\nstream-\u003eprepare_write is NULL, skip renegotiation and directly reissue\nthe subrequest via netfs_reissue_write(), which handles iterator reset,\nIN_PROGRESS flag, stats update and reissue internally.",
"id": "GHSA-h3hr-9qqw-cvg3",
"modified": "2026-05-20T00:31:40Z",
"published": "2026-04-22T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31437"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a5482f5ce891decbf36f2e6fab1e9fc4a76a684"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4d1b4ba9754bac3efebd06f583a44a7af52c0ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9075e420a1eb3b52c60f3b95893a55e77419ce8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3J5-6CRW-XHFJ
Vulnerability from github – Published: 2022-05-14 03:28 – Updated: 2022-05-14 03:28In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9635M, SD 210/SD 212/SD 205, SD 410/12, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, and SD 810, A NULL pointer dereference can occur during an SSL handshake.
{
"affected": [],
"aliases": [
"CVE-2016-10496"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-18T14:29:00Z",
"severity": "CRITICAL"
},
"details": "In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9635M, SD 210/SD 212/SD 205, SD 410/12, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, and SD 810, A NULL pointer dereference can occur during an SSL handshake.",
"id": "GHSA-h3j5-6crw-xhfj",
"modified": "2022-05-14T03:28:31Z",
"published": "2022-05-14T03:28:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10496"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-04-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3M2-QJG9-R764
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-13 21:31In the Linux kernel, the following vulnerability has been resolved:
dmaengine: dw-axi-dmac: do not print NULL LLI during error
During debugging we have seen an issue where axi_chan_dump_lli() is passed a NULL LLI pointer which ends up causing an OOPS due to trying to get fields from it. Simply print NULL LLI and exit to avoid this.
{
"affected": [],
"aliases": [
"CVE-2022-50024"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-axi-dmac: do not print NULL LLI during error\n\nDuring debugging we have seen an issue where axi_chan_dump_lli()\nis passed a NULL LLI pointer which ends up causing an OOPS due\nto trying to get fields from it. Simply print NULL LLI and exit\nto avoid this.",
"id": "GHSA-h3m2-qjg9-r764",
"modified": "2025-11-13T21:31:17Z",
"published": "2025-06-18T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50024"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86cb0defe0e275453bc39e856bb523eb425a6537"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad764df73ae5eada265fffc0408404703cbb2b8d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af76e6fdcf92f1a742b788d0dba5edd194267bf9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3M3-QF7R-5CM7
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-06-26 21:32In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
{
"affected": [],
"aliases": [
"CVE-2026-45836"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T17:16:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
"id": "GHSA-h3m3-qf7r-5cm7",
"modified": "2026-06-26T21:32:04Z",
"published": "2026-05-26T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45836"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e8d1a2a677a81caa60cf0aabd4217bd585fbba1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1863e7480feddb90125d0dd5a1b572972d75908"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd072f833147b0bc10c43a454624cb99d02f3fc7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3QM-53P9-W8C6
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-06 21:30In the Linux kernel, the following vulnerability has been resolved:
net: enetc: Do not configure preemptible TCs if SIs do not support
Both ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure MQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs() to configure preemptible TCs. However, only PF is able to configure preemptible TCs. Because only PF has related registers, while VF does not have these registers. So for VF, its hw->port pointer is NULL. Therefore, VF will access an invalid pointer when accessing a non-existent register, which will cause a crash issue. The simplified log is as follows.
root@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \ mqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1 [ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00 [ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400 [ 187.511140] Call trace: [ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400 [ 187.518918] enetc_setup_tc_mqprio+0x180/0x214 [ 187.523374] enetc_vf_setup_tc+0x1c/0x30 [ 187.527306] mqprio_enable_offload+0x144/0x178 [ 187.531766] mqprio_init+0x3ec/0x668 [ 187.535351] qdisc_create+0x15c/0x488 [ 187.539023] tc_modify_qdisc+0x398/0x73c [ 187.542958] rtnetlink_rcv_msg+0x128/0x378 [ 187.547064] netlink_rcv_skb+0x60/0x130 [ 187.550910] rtnetlink_rcv+0x18/0x24 [ 187.554492] netlink_unicast+0x300/0x36c [ 187.558425] netlink_sendmsg+0x1a8/0x420 [ 187.606759] ---[ end trace 0000000000000000 ]---
In addition, some PFs also do not support configuring preemptible TCs, such as eno1 and eno3 on LS1028A. It won't crash like it does for VFs, but we should prevent these PFs from accessing these unimplemented registers.
{
"affected": [],
"aliases": [
"CVE-2024-56649"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: Do not configure preemptible TCs if SIs do not support\n\nBoth ENETC PF and VF drivers share enetc_setup_tc_mqprio() to configure\nMQPRIO. And enetc_setup_tc_mqprio() calls enetc_change_preemptible_tcs()\nto configure preemptible TCs. However, only PF is able to configure\npreemptible TCs. Because only PF has related registers, while VF does not\nhave these registers. So for VF, its hw-\u003eport pointer is NULL. Therefore,\nVF will access an invalid pointer when accessing a non-existent register,\nwhich will cause a crash issue. The simplified log is as follows.\n\nroot@ls1028ardb:~# tc qdisc add dev eno0vf0 parent root handle 100: \\\nmqprio num_tc 4 map 0 0 1 1 2 2 3 3 queues 1@0 1@1 1@2 1@3 hw 1\n[ 187.290775] Unable to handle kernel paging request at virtual address 0000000000001f00\n[ 187.424831] pc : enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[ 187.430518] lr : enetc_mm_commit_preemptible_tcs+0x30c/0x400\n[ 187.511140] Call trace:\n[ 187.513588] enetc_mm_commit_preemptible_tcs+0x1c4/0x400\n[ 187.518918] enetc_setup_tc_mqprio+0x180/0x214\n[ 187.523374] enetc_vf_setup_tc+0x1c/0x30\n[ 187.527306] mqprio_enable_offload+0x144/0x178\n[ 187.531766] mqprio_init+0x3ec/0x668\n[ 187.535351] qdisc_create+0x15c/0x488\n[ 187.539023] tc_modify_qdisc+0x398/0x73c\n[ 187.542958] rtnetlink_rcv_msg+0x128/0x378\n[ 187.547064] netlink_rcv_skb+0x60/0x130\n[ 187.550910] rtnetlink_rcv+0x18/0x24\n[ 187.554492] netlink_unicast+0x300/0x36c\n[ 187.558425] netlink_sendmsg+0x1a8/0x420\n[ 187.606759] ---[ end trace 0000000000000000 ]---\n\nIn addition, some PFs also do not support configuring preemptible TCs,\nsuch as eno1 and eno3 on LS1028A. It won\u0027t crash like it does for VFs,\nbut we should prevent these PFs from accessing these unimplemented\nregisters.",
"id": "GHSA-h3qm-53p9-w8c6",
"modified": "2025-01-06T21:30:50Z",
"published": "2024-12-27T15:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56649"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66127f0d1ecf00604aeab71132bde398fd9ec7c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2420b8c81ec674552d00c55d46245e5c184b260"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b718b68a9964181e24d15138a09ce95785a19002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H43C-GG33-QJ9G
Vulnerability from github – Published: 2024-11-26 15:31 – Updated: 2024-11-27 18:34NSC_DeriveKey inadvertently assumed that the phKey parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows phKey to be NULL for certain mechanisms. This vulnerability affects Firefox < 133 and Thunderbird < 133.
{
"affected": [],
"aliases": [
"CVE-2024-11705"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T14:15:19Z",
"severity": "CRITICAL"
},
"details": "`NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows `phKey` to be NULL for certain mechanisms. This vulnerability affects Firefox \u003c 133 and Thunderbird \u003c 133.",
"id": "GHSA-h43c-gg33-qj9g",
"modified": "2024-11-27T18:34:03Z",
"published": "2024-11-26T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11705"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1921768"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-63"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-67"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.