CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-JPVG-R3Q7-3W8J
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:31In the Linux kernel, the following vulnerability has been resolved:
cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to S_AUTOMOUNT and corresponding dentry flags is retained regardless of CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in VFS follow_automount() when traversing a DFS referral link: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: __traverse_mounts+0xb5/0x220 ? cifs_revalidate_mapping+0x65/0xc0 [cifs] step_into+0x195/0x610 ? lookup_fast+0xe2/0xf0 path_lookupat+0x64/0x140 filename_lookup+0xc2/0x140 ? __create_object+0x299/0x380 ? kmem_cache_alloc+0x119/0x220 ? user_path_at_empty+0x31/0x50 user_path_at_empty+0x31/0x50 __x64_sys_chdir+0x2a/0xd0 ? exit_to_user_mode_prepare+0xca/0x100 do_syscall_64+0x42/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc
This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This approach was chosen as it provides more control over the error path.
{
"affected": [],
"aliases": [
"CVE-2023-53246"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:51Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL\n\nWhen compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount\nis NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to\nS_AUTOMOUNT and corresponding dentry flags is retained regardless of\nCONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in\nVFS follow_automount() when traversing a DFS referral link:\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ...\n Call Trace:\n \u003cTASK\u003e\n __traverse_mounts+0xb5/0x220\n ? cifs_revalidate_mapping+0x65/0xc0 [cifs]\n step_into+0x195/0x610\n ? lookup_fast+0xe2/0xf0\n path_lookupat+0x64/0x140\n filename_lookup+0xc2/0x140\n ? __create_object+0x299/0x380\n ? kmem_cache_alloc+0x119/0x220\n ? user_path_at_empty+0x31/0x50\n user_path_at_empty+0x31/0x50\n __x64_sys_chdir+0x2a/0xd0\n ? exit_to_user_mode_prepare+0xca/0x100\n do_syscall_64+0x42/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThis fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler\nwhen CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to\navoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This\napproach was chosen as it provides more control over the error path.",
"id": "GHSA-jpvg-r3q7-3w8j",
"modified": "2025-12-03T21:31:00Z",
"published": "2025-09-15T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53246"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/179a88a8558bbf42991d361595281f3e45d7edfc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e144b68208e98fd4602c842a7149ba5f41d87fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26a32a212bc540f4773cd6af8cf73e967d72569c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/657d7c215ca974d366ab1808213f716e1e3aa950"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8afb1fabcec1929db46977e84baeee0cc0e79242"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8cd7dbc9c46d51e00a0a8372e07cc1cbb8d24a77"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b64305185b76f1d5145ce594ff48f3f0e70695bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7d854c33ab48e55fc233699bbefe39ec9bb5c05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPVJ-J5PH-XP9W
Vulnerability from github – Published: 2023-03-16 15:30 – Updated: 2025-02-26 21:30An issue found in TCPreplay TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse endpoints function.
{
"affected": [],
"aliases": [
"CVE-2023-27785"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-16T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue found in TCPreplay TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse endpoints function.",
"id": "GHSA-jpvj-j5ph-xp9w",
"modified": "2025-02-26T21:30:25Z",
"published": "2023-03-16T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27785"
},
{
"type": "WEB",
"url": "https://github.com/appneta/tcpreplay/issues/785"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3ER3YTFR3XIDMYEB7LMFWFTPVQALBHC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UE3J4LKYFNKPKNSLDQK4JG36THQMQH3V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UK2BRH3W3ECF5FDXP6QM3ZEDTHIOE4M5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3ER3YTFR3XIDMYEB7LMFWFTPVQALBHC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UE3J4LKYFNKPKNSLDQK4JG36THQMQH3V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UK2BRH3W3ECF5FDXP6QM3ZEDTHIOE4M5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPWC-C28P-36CC
Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-23 18:31A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP Reset packet missing an expected ResetType field.
{
"affected": [],
"aliases": [
"CVE-2023-37025"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T23:15:09Z",
"severity": "MODERATE"
},
"details": "A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma \u003c= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Reset` packet missing an expected `ResetType` field.",
"id": "GHSA-jpwc-c28p-36cc",
"modified": "2025-01-23T18:31:18Z",
"published": "2025-01-22T00:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37025"
},
{
"type": "WEB",
"url": "https://cellularsecurity.org/ransacked"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPWH-P39R-3586
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.
{
"affected": [],
"aliases": [
"CVE-2021-40264"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:21Z",
"severity": "MODERATE"
},
"details": "NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.",
"id": "GHSA-jpwh-p39r-3586",
"modified": "2024-04-04T07:06:43Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40264"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/freeimage/bugs/335"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ2V-J4FW-M4MG
Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash
There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash.
The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case:
- In the if (entity_is_task(se)) else block at the beginning of dequeue_entities(), slice is set to cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.
- The first for_each_sched_entity() loop dequeues the entity.
- If the entity was its parent's only child, then the next iteration tries to dequeue the parent.
- If the parent's dequeue needs to be delayed, then it breaks from the first for_each_sched_entity() loop without updating slice.
- The second for_each_sched_entity() loop sets the parent's ->slice to the saved slice, which is still U64_MAX.
This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was:
- In update_entity_lag(), se->slice is used to calculate limit, which ends up as a huge negative number.
- limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit is negative, vlag > limit, so se->vlag is set to the same huge negative number.
- In place_entity(), se->vlag is scaled, which overflows and results in another huge (positive or negative) number.
- The adjusted lag is subtracted from se->vruntime, which increases or decreases se->vruntime by a huge number.
- pick_eevdf() calls entity_eligible()/vruntime_eligible(), which incorrectly returns false because the vruntime is so far from the other vruntimes on the queue, causing the (vruntime - cfs_rq->min_vruntime) * load calulation to overflow.
- Nothing appears to be eligible, so pick_eevdf() returns NULL.
- pick_next_entity() tries to dereference the return value of pick_eevdf() and crashes.
Dumping the cfs_rq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64_MAX on live systems (which was usually "benign" since the rest of the runqueue needed to be in a particular state to crash).
Fix it in dequeue_entities() by always setting slice from the first non-empty cfs_rq.
{
"affected": [],
"aliases": [
"CVE-2025-37821"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-08T07:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/eevdf: Fix se-\u003eslice being set to U64_MAX and resulting crash\n\nThere is a code path in dequeue_entities() that can set the slice of a\nsched_entity to U64_MAX, which sometimes results in a crash.\n\nThe offending case is when dequeue_entities() is called to dequeue a\ndelayed group entity, and then the entity\u0027s parent\u0027s dequeue is delayed.\nIn that case:\n\n1. In the if (entity_is_task(se)) else block at the beginning of\n dequeue_entities(), slice is set to\n cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then\n it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.\n2. The first for_each_sched_entity() loop dequeues the entity.\n3. If the entity was its parent\u0027s only child, then the next iteration\n tries to dequeue the parent.\n4. If the parent\u0027s dequeue needs to be delayed, then it breaks from the\n first for_each_sched_entity() loop _without updating slice_.\n5. The second for_each_sched_entity() loop sets the parent\u0027s -\u003eslice to\n the saved slice, which is still U64_MAX.\n\nThis throws off subsequent calculations with potentially catastrophic\nresults. A manifestation we saw in production was:\n\n6. In update_entity_lag(), se-\u003eslice is used to calculate limit, which\n ends up as a huge negative number.\n7. limit is used in se-\u003evlag = clamp(vlag, -limit, limit). Because limit\n is negative, vlag \u003e limit, so se-\u003evlag is set to the same huge\n negative number.\n8. In place_entity(), se-\u003evlag is scaled, which overflows and results in\n another huge (positive or negative) number.\n9. The adjusted lag is subtracted from se-\u003evruntime, which increases or\n decreases se-\u003evruntime by a huge number.\n10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which\n incorrectly returns false because the vruntime is so far from the\n other vruntimes on the queue, causing the\n (vruntime - cfs_rq-\u003emin_vruntime) * load calulation to overflow.\n11. Nothing appears to be eligible, so pick_eevdf() returns NULL.\n12. pick_next_entity() tries to dereference the return value of\n pick_eevdf() and crashes.\n\nDumping the cfs_rq states from the core dumps with drgn showed tell-tale\nhuge vruntime ranges and bogus vlag values, and I also traced se-\u003eslice\nbeing set to U64_MAX on live systems (which was usually \"benign\" since\nthe rest of the runqueue needed to be in a particular state to crash).\n\nFix it in dequeue_entities() by always setting slice from the first\nnon-empty cfs_rq.",
"id": "GHSA-jq2v-j4fw-m4mg",
"modified": "2025-11-12T21:31:01Z",
"published": "2025-05-08T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37821"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50a665496881262519f115f1bfe5822f30580eb0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86b37810fa1e40b93171da023070b99ccbb4ea04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbce3de72be56e4b5f68924b7da9630cc89aa1a8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ65-29V4-4X35
Vulnerability from github – Published: 2021-08-25 20:45 – Updated: 2021-08-19 21:21Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl-src"
},
"ranges": [
{
"events": [
{
"introduced": "111.6.0"
},
{
"fixed": "111.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1967"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:21:21Z",
"nvd_published_at": "2020-04-21T14:15:00Z",
"severity": "HIGH"
},
"details": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
"id": "GHSA-jq65-29v4-4x35",
"modified": "2021-08-19T21:21:21Z",
"published": "2021-08-25T20:45:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2020-11"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2020-04"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2020-03"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_05"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20200421.txt"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4661"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200717-0004"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200424-0003"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202004-10"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440"
},
{
"type": "WEB",
"url": "https://github.com/irsl/CVE-2020-1967"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/May/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/04/22/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Null pointer deference in openssl-src "
}
GHSA-JQ66-W858-F282
Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2025-04-20 03:35The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.
{
"affected": [],
"aliases": [
"CVE-2016-10209"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-03T05:59:00Z",
"severity": "MODERATE"
},
"details": "The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.",
"id": "GHSA-jq66-w858-f282",
"modified": "2025-04-20T03:35:20Z",
"published": "2022-05-14T01:44:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10209"
},
{
"type": "WEB",
"url": "https://github.com/libarchive/libarchive/issues/842"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00037.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3736-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4360"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97327"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ77-Q43W-6Q5M
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31In the Linux kernel, the following vulnerability has been resolved:
ipw2x00: Fix potential NULL dereference in libipw_xmit()
crypt and crypt->ops could be null, so we need to checking null before dereference
{
"affected": [],
"aliases": [
"CVE-2022-49544"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipw2x00: Fix potential NULL dereference in libipw_xmit()\n\ncrypt and crypt-\u003eops could be null, so we need to checking null\nbefore dereference",
"id": "GHSA-jq77-q43w-6q5m",
"modified": "2025-03-10T21:31:09Z",
"published": "2025-03-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49544"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/167affc11781d7d35c4c3a7630a549ac74dd0b21"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ff6b0727c8988f25eeb670b6c038c1120bb58dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48d4a820fd33f012e5f63735a59d15b5a3882882"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/528d2023ccf4748fd542582955236c1634a7d293"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f7ea274e88c0eeffe6bd6dbf6cf5c479d356af6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8fb1b9beb085bb767ae43e441db5ac6fcd66a04d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98d1dc32f890642476dbb78ed3437a456bf421b0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4628e0d3754ab2fc98ee6e3d21851ba45798077"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e8366bbabe1d207cf7c5b11ae50e223ae6fc278b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ7F-47XV-X2XG
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
phy: freescale: imx8qm-hsio: fix NULL pointer dereference
During the probe the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the devicetree node. But in imx_hsio_configure_clk_pad() this pointer is unconditionally used which could result in a NULL pointer dereference. So check the pointer before to use it.
{
"affected": [],
"aliases": [
"CVE-2026-45874"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: freescale: imx8qm-hsio: fix NULL pointer dereference\n\nDuring the probe the refclk_pad pointer is set to NULL if the\n\u0027fsl,refclk-pad-mode\u0027 property is not defined in the devicetree node. But\nin imx_hsio_configure_clk_pad() this pointer is unconditionally used which\ncould result in a NULL pointer dereference. So check the pointer before to\nuse it.",
"id": "GHSA-jq7f-47xv-x2xg",
"modified": "2026-06-25T21:31:19Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45874"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4dd5d4c0361af0a3fd24f45c815996abf4429770"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d29e81e9cdec84d4b9acb1736550d35e86c88af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a771b386cb6c6e582e7b50f8eeff3347ff887f71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd8b9ba3d9701832cfb5dcefd8b43250df28dbc2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ82-JQVW-64W3
Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-07 00:01telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
{
"affected": [],
"aliases": [
"CVE-2022-39028"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-30T05:15:00Z",
"severity": "HIGH"
},
"details": "telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.",
"id": "GHSA-jq82-jqvw-64w3",
"modified": "2022-09-07T00:01:54Z",
"published": "2022-08-31T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028"
},
{
"type": "WEB",
"url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.