Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-JPVG-R3Q7-3W8J

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL

When compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount is NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to S_AUTOMOUNT and corresponding dentry flags is retained regardless of CONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in VFS follow_automount() when traversing a DFS referral link: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: __traverse_mounts+0xb5/0x220 ? cifs_revalidate_mapping+0x65/0xc0 [cifs] step_into+0x195/0x610 ? lookup_fast+0xe2/0xf0 path_lookupat+0x64/0x140 filename_lookup+0xc2/0x140 ? __create_object+0x299/0x380 ? kmem_cache_alloc+0x119/0x220 ? user_path_at_empty+0x31/0x50 user_path_at_empty+0x31/0x50 __x64_sys_chdir+0x2a/0xd0 ? exit_to_user_mode_prepare+0xca/0x100 do_syscall_64+0x42/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc

This fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler when CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to avoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This approach was chosen as it provides more control over the error path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL\n\nWhen compiled with CONFIG_CIFS_DFS_UPCALL disabled, cifs_dfs_d_automount\nis NULL. cifs.ko logic for mapping CIFS_FATTR_DFS_REFERRAL attributes to\nS_AUTOMOUNT and corresponding dentry flags is retained regardless of\nCONFIG_CIFS_DFS_UPCALL, leading to a NULL pointer dereference in\nVFS follow_automount() when traversing a DFS referral link:\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  ...\n  Call Trace:\n   \u003cTASK\u003e\n   __traverse_mounts+0xb5/0x220\n   ? cifs_revalidate_mapping+0x65/0xc0 [cifs]\n   step_into+0x195/0x610\n   ? lookup_fast+0xe2/0xf0\n   path_lookupat+0x64/0x140\n   filename_lookup+0xc2/0x140\n   ? __create_object+0x299/0x380\n   ? kmem_cache_alloc+0x119/0x220\n   ? user_path_at_empty+0x31/0x50\n   user_path_at_empty+0x31/0x50\n   __x64_sys_chdir+0x2a/0xd0\n   ? exit_to_user_mode_prepare+0xca/0x100\n   do_syscall_64+0x42/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThis fix adds an inline cifs_dfs_d_automount() {return -EREMOTE} handler\nwhen CONFIG_CIFS_DFS_UPCALL is disabled. An alternative would be to\navoid flagging S_AUTOMOUNT, etc. without CONFIG_CIFS_DFS_UPCALL. This\napproach was chosen as it provides more control over the error path.",
  "id": "GHSA-jpvg-r3q7-3w8j",
  "modified": "2025-12-03T21:31:00Z",
  "published": "2025-09-15T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53246"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/179a88a8558bbf42991d361595281f3e45d7edfc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e144b68208e98fd4602c842a7149ba5f41d87fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26a32a212bc540f4773cd6af8cf73e967d72569c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/657d7c215ca974d366ab1808213f716e1e3aa950"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8afb1fabcec1929db46977e84baeee0cc0e79242"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cd7dbc9c46d51e00a0a8372e07cc1cbb8d24a77"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b64305185b76f1d5145ce594ff48f3f0e70695bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7d854c33ab48e55fc233699bbefe39ec9bb5c05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPVJ-J5PH-XP9W

Vulnerability from github – Published: 2023-03-16 15:30 – Updated: 2025-02-26 21:30
VLAI
Details

An issue found in TCPreplay TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse endpoints function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-16T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue found in TCPreplay TCPprep v.4.4.3 allows a remote attacker to cause a denial of service via the parse endpoints function.",
  "id": "GHSA-jpvj-j5ph-xp9w",
  "modified": "2025-02-26T21:30:25Z",
  "published": "2023-03-16T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/appneta/tcpreplay/issues/785"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3ER3YTFR3XIDMYEB7LMFWFTPVQALBHC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UE3J4LKYFNKPKNSLDQK4JG36THQMQH3V"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UK2BRH3W3ECF5FDXP6QM3ZEDTHIOE4M5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3ER3YTFR3XIDMYEB7LMFWFTPVQALBHC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UE3J4LKYFNKPKNSLDQK4JG36THQMQH3V"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UK2BRH3W3ECF5FDXP6QM3ZEDTHIOE4M5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPWC-C28P-36CC

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-23 18:31
VLAI
Details

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP Reset packet missing an expected ResetType field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T23:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma \u003c= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Reset` packet missing an expected `ResetType` field.",
  "id": "GHSA-jpwc-c28p-36cc",
  "modified": "2025-01-23T18:31:18Z",
  "published": "2025-01-22T00:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37025"
    },
    {
      "type": "WEB",
      "url": "https://cellularsecurity.org/ransacked"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPWH-P39R-3586

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06
VLAI
Details

NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:21Z",
    "severity": "MODERATE"
  },
  "details": "NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.",
  "id": "GHSA-jpwh-p39r-3586",
  "modified": "2024-04-04T07:06:43Z",
  "published": "2023-08-22T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40264"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/freeimage/bugs/335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ2V-J4FW-M4MG

Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash

There is a code path in dequeue_entities() that can set the slice of a sched_entity to U64_MAX, which sometimes results in a crash.

The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case:

  1. In the if (entity_is_task(se)) else block at the beginning of dequeue_entities(), slice is set to cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.
  2. The first for_each_sched_entity() loop dequeues the entity.
  3. If the entity was its parent's only child, then the next iteration tries to dequeue the parent.
  4. If the parent's dequeue needs to be delayed, then it breaks from the first for_each_sched_entity() loop without updating slice.
  5. The second for_each_sched_entity() loop sets the parent's ->slice to the saved slice, which is still U64_MAX.

This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was:

  1. In update_entity_lag(), se->slice is used to calculate limit, which ends up as a huge negative number.
  2. limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit is negative, vlag > limit, so se->vlag is set to the same huge negative number.
  3. In place_entity(), se->vlag is scaled, which overflows and results in another huge (positive or negative) number.
  4. The adjusted lag is subtracted from se->vruntime, which increases or decreases se->vruntime by a huge number.
  5. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which incorrectly returns false because the vruntime is so far from the other vruntimes on the queue, causing the (vruntime - cfs_rq->min_vruntime) * load calulation to overflow.
  6. Nothing appears to be eligible, so pick_eevdf() returns NULL.
  7. pick_next_entity() tries to dereference the return value of pick_eevdf() and crashes.

Dumping the cfs_rq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64_MAX on live systems (which was usually "benign" since the rest of the runqueue needed to be in a particular state to crash).

Fix it in dequeue_entities() by always setting slice from the first non-empty cfs_rq.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T07:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/eevdf: Fix se-\u003eslice being set to U64_MAX and resulting crash\n\nThere is a code path in dequeue_entities() that can set the slice of a\nsched_entity to U64_MAX, which sometimes results in a crash.\n\nThe offending case is when dequeue_entities() is called to dequeue a\ndelayed group entity, and then the entity\u0027s parent\u0027s dequeue is delayed.\nIn that case:\n\n1. In the if (entity_is_task(se)) else block at the beginning of\n   dequeue_entities(), slice is set to\n   cfs_rq_min_slice(group_cfs_rq(se)). If the entity was delayed, then\n   it has no queued tasks, so cfs_rq_min_slice() returns U64_MAX.\n2. The first for_each_sched_entity() loop dequeues the entity.\n3. If the entity was its parent\u0027s only child, then the next iteration\n   tries to dequeue the parent.\n4. If the parent\u0027s dequeue needs to be delayed, then it breaks from the\n   first for_each_sched_entity() loop _without updating slice_.\n5. The second for_each_sched_entity() loop sets the parent\u0027s -\u003eslice to\n   the saved slice, which is still U64_MAX.\n\nThis throws off subsequent calculations with potentially catastrophic\nresults. A manifestation we saw in production was:\n\n6. In update_entity_lag(), se-\u003eslice is used to calculate limit, which\n   ends up as a huge negative number.\n7. limit is used in se-\u003evlag = clamp(vlag, -limit, limit). Because limit\n   is negative, vlag \u003e limit, so se-\u003evlag is set to the same huge\n   negative number.\n8. In place_entity(), se-\u003evlag is scaled, which overflows and results in\n   another huge (positive or negative) number.\n9. The adjusted lag is subtracted from se-\u003evruntime, which increases or\n   decreases se-\u003evruntime by a huge number.\n10. pick_eevdf() calls entity_eligible()/vruntime_eligible(), which\n    incorrectly returns false because the vruntime is so far from the\n    other vruntimes on the queue, causing the\n    (vruntime - cfs_rq-\u003emin_vruntime) * load calulation to overflow.\n11. Nothing appears to be eligible, so pick_eevdf() returns NULL.\n12. pick_next_entity() tries to dereference the return value of\n    pick_eevdf() and crashes.\n\nDumping the cfs_rq states from the core dumps with drgn showed tell-tale\nhuge vruntime ranges and bogus vlag values, and I also traced se-\u003eslice\nbeing set to U64_MAX on live systems (which was usually \"benign\" since\nthe rest of the runqueue needed to be in a particular state to crash).\n\nFix it in dequeue_entities() by always setting slice from the first\nnon-empty cfs_rq.",
  "id": "GHSA-jq2v-j4fw-m4mg",
  "modified": "2025-11-12T21:31:01Z",
  "published": "2025-05-08T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37821"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50a665496881262519f115f1bfe5822f30580eb0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/86b37810fa1e40b93171da023070b99ccbb4ea04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bbce3de72be56e4b5f68924b7da9630cc89aa1a8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ65-29V4-4X35

Vulnerability from github – Published: 2021-08-25 20:45 – Updated: 2021-08-19 21:21
VLAI
Summary
Null pointer deference in openssl-src
Details

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "openssl-src"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "111.6.0"
            },
            {
              "fixed": "111.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:21:21Z",
    "nvd_published_at": "2020-04-21T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).",
  "id": "GHSA-jq65-29v4-4x35",
  "modified": "2021-08-19T21:21:21Z",
  "published": "2021-08-25T20:45:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1967"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2021-10"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2020-11"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2020-04"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2020-03"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_20_05"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openssl.org/news/secadv/20200421.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4661"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200717-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200424-0003"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202004-10"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irsl/CVE-2020-1967"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/May/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Null pointer deference in openssl-src "
}

GHSA-JQ66-W858-F282

Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2025-04-20 03:35
VLAI
Details

The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-03T05:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file.",
  "id": "GHSA-jq66-w858-f282",
  "modified": "2025-04-20T03:35:20Z",
  "published": "2022-05-14T01:44:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libarchive/libarchive/issues/842"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00037.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3736-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4360"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97327"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ77-Q43W-6Q5M

Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipw2x00: Fix potential NULL dereference in libipw_xmit()

crypt and crypt->ops could be null, so we need to checking null before dereference

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipw2x00: Fix potential NULL dereference in libipw_xmit()\n\ncrypt and crypt-\u003eops could be null, so we need to checking null\nbefore dereference",
  "id": "GHSA-jq77-q43w-6q5m",
  "modified": "2025-03-10T21:31:09Z",
  "published": "2025-03-10T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49544"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/167affc11781d7d35c4c3a7630a549ac74dd0b21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ff6b0727c8988f25eeb670b6c038c1120bb58dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48d4a820fd33f012e5f63735a59d15b5a3882882"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/528d2023ccf4748fd542582955236c1634a7d293"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f7ea274e88c0eeffe6bd6dbf6cf5c479d356af6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fb1b9beb085bb767ae43e441db5ac6fcd66a04d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98d1dc32f890642476dbb78ed3437a456bf421b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4628e0d3754ab2fc98ee6e3d21851ba45798077"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8366bbabe1d207cf7c5b11ae50e223ae6fc278b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ7F-47XV-X2XG

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

phy: freescale: imx8qm-hsio: fix NULL pointer dereference

During the probe the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the devicetree node. But in imx_hsio_configure_clk_pad() this pointer is unconditionally used which could result in a NULL pointer dereference. So check the pointer before to use it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: freescale: imx8qm-hsio: fix NULL pointer dereference\n\nDuring the probe the refclk_pad pointer is set to NULL if the\n\u0027fsl,refclk-pad-mode\u0027 property is not defined in the devicetree node. But\nin imx_hsio_configure_clk_pad() this pointer is unconditionally used which\ncould result in a NULL pointer dereference. So check the pointer before to\nuse it.",
  "id": "GHSA-jq7f-47xv-x2xg",
  "modified": "2026-06-25T21:31:19Z",
  "published": "2026-05-27T15:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45874"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4dd5d4c0361af0a3fd24f45c815996abf4429770"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d29e81e9cdec84d4b9acb1736550d35e86c88af"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a771b386cb6c6e582e7b50f8eeff3347ff887f71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd8b9ba3d9701832cfb5dcefd8b43250df28dbc2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ82-JQVW-64W3

Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-07 00:01
VLAI
Details

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-30T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a \"telnet/tcp server failing (looping), service terminated\" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.",
  "id": "GHSA-jq82-jqvw-64w3",
  "modified": "2022-09-07T00:01:54Z",
  "published": "2022-08-31T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39028"
    },
    {
      "type": "WEB",
      "url": "https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/commit/?id=113da8021710d871c7dd72d2a4d5615d42d64289"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.