Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-JV66-MPPC-FXJF

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory

Fixes the below NULL pointer dereference:

[...] [ 14.471200] Call Trace: [ 14.471562] [ 14.471882] lock_acquire+0x245/0x2e0 [ 14.472416] ? remove_wait_queue+0x12/0x50 [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 [ 14.474318] ? remove_wait_queue+0x12/0x50 [ 14.474907] remove_wait_queue+0x12/0x50 [ 14.475480] sk_stream_wait_memory+0x20d/0x340 [ 14.476127] ? do_wait_intr_irq+0x80/0x80 [ 14.476704] do_tcp_sendpages+0x287/0x600 [ 14.477283] tcp_bpf_push+0xab/0x260 [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 [ 14.480311] sock_sendmsg+0x2d/0x40 [ 14.480822] _syssendmsg+0x1b4/0x1c0 [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 [ 14.482048] _sys_sendmsg+0x78/0xb0 [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 [ 14.483215] ? __do_fault+0x2a/0x1a0 [ 14.483738] ? do_fault+0x15e/0x5d0 [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 [ 14.484874] ? lock_is_held_type+0xdf/0x130 [ 14.485474] ? find_held_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] __sys_sendmsg+0x41/0x70 [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 [ 14.487822] do_syscall_64+0x34/0x80 [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...]

The test scenario has the following flow:

thread1 thread2 ----------- --------------- tcp_bpf_sendmsg tcp_bpf_send_verdict tcp_bpf_sendmsg_redir sock_close tcp_bpf_push_locked __sock_release tcp_bpf_push //inet_release do_tcp_sendpages sock->ops->release sk_stream_wait_memory // tcp_close sk_wait_event sk->sk_prot->close release_sock(__sk); *** lock_sock(sk); __tcp_close sock_orphan(sk) sk->sk_wq = NULL release_sock **** lock_sock(__sk); remove_wait_queue(sk_sleep(sk), &wait); sk_sleep(sk) //NULL pointer dereference &rcu_dereference_raw(sk->sk_wq)->wait

While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcp_bpf_send_verdict didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.

We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n  [...]\n  [   14.471200] Call Trace:\n  [   14.471562]  \u003cTASK\u003e\n  [   14.471882]  lock_acquire+0x245/0x2e0\n  [   14.472416]  ? remove_wait_queue+0x12/0x50\n  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50\n  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50\n  [   14.474318]  ? remove_wait_queue+0x12/0x50\n  [   14.474907]  remove_wait_queue+0x12/0x50\n  [   14.475480]  sk_stream_wait_memory+0x20d/0x340\n  [   14.476127]  ? do_wait_intr_irq+0x80/0x80\n  [   14.476704]  do_tcp_sendpages+0x287/0x600\n  [   14.477283]  tcp_bpf_push+0xab/0x260\n  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500\n  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0\n  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470\n  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0\n  [   14.480311]  sock_sendmsg+0x2d/0x40\n  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0\n  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80\n  [   14.482048]  ___sys_sendmsg+0x78/0xb0\n  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150\n  [   14.483215]  ? __do_fault+0x2a/0x1a0\n  [   14.483738]  ? do_fault+0x15e/0x5d0\n  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040\n  [   14.484874]  ? lock_is_held_type+0xdf/0x130\n  [   14.485474]  ? find_held_lock+0x2d/0x90\n  [   14.486046]  ? __sys_sendmsg+0x41/0x70\n  [   14.486587]  __sys_sendmsg+0x41/0x70\n  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350\n  [   14.487822]  do_syscall_64+0x34/0x80\n  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  [...]\n\nThe test scenario has the following flow:\n\nthread1                               thread2\n-----------                           ---------------\n tcp_bpf_sendmsg\n  tcp_bpf_send_verdict\n   tcp_bpf_sendmsg_redir              sock_close\n    tcp_bpf_push_locked                 __sock_release\n     tcp_bpf_push                         //inet_release\n      do_tcp_sendpages                    sock-\u003eops-\u003erelease\n       sk_stream_wait_memory          \t   // tcp_close\n          sk_wait_event                      sk-\u003esk_prot-\u003eclose\n           release_sock(__sk);\n            ***\n                                                lock_sock(sk);\n                                                  __tcp_close\n                                                    sock_orphan(sk)\n                                                      sk-\u003esk_wq  = NULL\n                                                release_sock\n            ****\n           lock_sock(__sk);\n          remove_wait_queue(sk_sleep(sk), \u0026wait);\n             sk_sleep(sk)\n             //NULL pointer dereference\n             \u0026rcu_dereference_raw(sk-\u003esk_wq)-\u003ewait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn\u0027t increase the f_count of psock-\u003esk_redir-\u003esk_socket-\u003efile in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue.",
  "id": "GHSA-jv66-mppc-fxjf",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50409"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/124b7c773271f06af5a2cea694b283cdb5275cf5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f48ab20b80f39c0d85119243109d02946fde6d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35f5e70bdfa7432762ac4ffa75e5a7574ac5563e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f8ef65af927db247418d4e1db49164d7a158fc5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/435f5aa4421782af197b98d8525263977be4af5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fe03917bb017d9af68a95f989f1c122eebc69a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65029aaedd15d9fe5ea1a899134e236d83f627bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a76462dbdd8bddcbeec9463bc9e54e509b860762"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV67-JXG9-Q8V4

Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2024-11-04 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix iopt_access_list_id overwrite bug

Syzkaller reported the following WARN_ON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360

Call Trace: iommufd_access_change_ioas+0x2fe/0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0xb50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64

The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.

Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T09:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n  WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n  Call Trace:\n   iommufd_access_change_ioas+0x2fe/0x4e0\n   iommufd_access_destroy_object+0x50/0xb0\n   iommufd_object_remove+0x2a3/0x490\n   iommufd_object_destroy_user\n   iommufd_access_destroy+0x71/0xb0\n   iommufd_test_staccess_release+0x89/0xd0\n   __fput+0x272/0xb50\n   __fput_sync+0x4b/0x60\n   __do_sys_close\n   __se_sys_close\n   __x64_sys_close+0x8b/0x110\n   do_syscall_x64\n\nThe mismatch between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access-\u003eiopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully.",
  "id": "GHSA-jv67-jxg9-q8v4",
  "modified": "2024-11-04T18:31:17Z",
  "published": "2024-04-04T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26786"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV74-J9M3-C37V

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

A vulnerability in mfc driver prior to SMR Oct-2021 Release 1 allows memory corruption via NULL-pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in mfc driver prior to SMR Oct-2021 Release 1 allows memory corruption via NULL-pointer dereference.",
  "id": "GHSA-jv74-j9m3-c37v",
  "modified": "2022-05-24T19:16:42Z",
  "published": "2022-05-24T19:16:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25491"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JV9R-93Q3-FCF8

Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

batman-adv: dat: handle forward allocation error

batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb for each DHT candidate, but does not check the return value before passing it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences the skb unconditionally, so a failed allocation triggers a NULL pointer dereference.

Skip forwarding to the current DHT candidate on allocation failure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T08:16:22Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: dat: handle forward allocation error\n\nbatadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb\nfor each DHT candidate, but does not check the return value before passing\nit to batadv_send_skb_prepare_unicast_4addr(). That function dereferences\nthe skb unconditionally, so a failed allocation triggers a NULL pointer\ndereference.\n\nSkip forwarding to the current DHT candidate on allocation failure.",
  "id": "GHSA-jv9r-93q3-fcf8",
  "modified": "2026-06-28T09:31:36Z",
  "published": "2026-06-24T09:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52922"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d8826a2d3657cea66fb0370f9e521575a673871"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2edb8aeb3cdda9d00ec4997252dc5bcd6f54d8ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d420d9ee70a220a2cd95aa0dd2e15acad66a505"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/866ac1d57040ed0b44ca732e3c66b3aa6b93011c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9bcebaedfb8479cb4affb23c7a0d000ca9a20e73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9cceea8eeba710def2a5707ee00f00c74a9a1cac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce0c381199402a2c58f4599f4f6ed100d872d0da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf48e75fc4fe0d5cc7721c82d454221d01367b93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVM5-JGXH-5564

Vulnerability from github – Published: 2025-10-09 18:30 – Updated: 2025-10-09 18:30
VLAI
Details

A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-09T18:15:48Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.",
  "id": "GHSA-jvm5-jgxh-5564",
  "modified": "2025-10-09T18:30:38Z",
  "published": "2025-10-09T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11550"
    },
    {
      "type": "WEB",
      "url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.327709"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.327709"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.670118"
    },
    {
      "type": "WEB",
      "url": "https://www.tenda.com.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JVM7-G4W5-FQ7F

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c.",
  "id": "GHSA-jvm7-g4w5-fq7f",
  "modified": "2022-07-29T00:00:25Z",
  "published": "2022-07-27T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mjs/issues/168"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVMG-77FX-PXW2

Vulnerability from github – Published: 2024-07-29 15:30 – Updated: 2024-08-08 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: Intel: hda: fix null deref on system suspend entry

When system enters suspend with an active stream, SOF core calls hw_params_upon_resume(). On Intel platforms with HDA DMA used to manage the link DMA, this leads to call chain of

hda_dsp_set_hw_params_upon_resume() -> hda_dsp_dais_suspend() -> hda_dai_suspend() -> hda_ipc4_post_trigger()

A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first, which clears hext_stream->link_substream, and then hda_ipc4_post_trigger() is called with a NULL snd_pcm_substream pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T15:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: fix null deref on system suspend entry\n\nWhen system enters suspend with an active stream, SOF core\ncalls hw_params_upon_resume(). On Intel platforms with HDA DMA used\nto manage the link DMA, this leads to call chain of\n\n   hda_dsp_set_hw_params_upon_resume()\n -\u003e hda_dsp_dais_suspend()\n -\u003e hda_dai_suspend()\n -\u003e hda_ipc4_post_trigger()\n\nA bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first,\nwhich clears hext_stream-\u003elink_substream, and then hda_ipc4_post_trigger()\nis called with a NULL snd_pcm_substream pointer.",
  "id": "GHSA-jvmg-77fx-pxw2",
  "modified": "2024-08-08T18:31:19Z",
  "published": "2024-07-29T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41037"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8246bbf818ed7b8d5afc92b951e6d562b45c2450"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9065693dcc13f287b9e4991f43aee70cf5538fdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/993af0f2d9f24e3c18a445ae22b34190d1fcad61"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVWR-FMGQ-5Q3G

Vulnerability from github – Published: 2024-02-22 12:30 – Updated: 2024-02-22 12:30
VLAI
Details

A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, Fortiproxy version 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 allows attacker to denial of service via specially crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-22T10:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, Fortiproxy version 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 allows attacker to denial of service via  specially crafted HTTP requests.",
  "id": "GHSA-jvwr-fmgq-5q3g",
  "modified": "2024-02-22T12:30:55Z",
  "published": "2024-02-22T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29179"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-125"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JW27-2859-7H38

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix a Null pointer dereference vulnerability

[Why] A null pointer dereference vulnerability exists in the AMD display driver's (DC module) cleanup function dc_destruct(). When display control context (dc->ctx) construction fails (due to memory allocation failure), this pointer remains NULL. During subsequent error handling when dc_destruct() is called, there's no NULL check before dereferencing the perf_trace member (dc->ctx->perf_trace), causing a kernel null pointer dereference crash.

[How] Check if dc->ctx is non-NULL before dereferencing.

(Updated commit text and removed unnecessary error message) (cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a Null pointer dereference vulnerability\n\n[Why]\nA null pointer dereference vulnerability exists in the AMD display driver\u0027s\n(DC module) cleanup function dc_destruct().\nWhen display control context (dc-\u003ectx) construction fails\n(due to memory allocation failure), this pointer remains NULL.\nDuring subsequent error handling when dc_destruct() is called,\nthere\u0027s no NULL check before dereferencing the perf_trace member\n(dc-\u003ectx-\u003eperf_trace), causing a kernel null pointer dereference crash.\n\n[How]\nCheck if dc-\u003ectx is non-NULL before dereferencing.\n\n(Updated commit text and removed unnecessary error message)\n(cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404)",
  "id": "GHSA-jw27-2859-7h38",
  "modified": "2025-11-25T21:32:04Z",
  "published": "2025-09-05T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39705"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0961673cc5f0055957aa46f25eb4ef6c07e00165"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bcf63a44381691d6192872801f830ce3250e367"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ade995b9b25b3c6e8dc42c27070340f1358d8c8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JW3X-9G83-4HVR

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2024-04-07 03:30
VLAI
Details

gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing atteckers to crash an application via a specific function call sequence.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-11T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing atteckers to crash an application via a specific function call sequence.",
  "id": "GHSA-jw3x-9g83-4hvr",
  "modified": "2024-04-07T03:30:46Z",
  "published": "2022-05-24T17:08:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14553"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgd/libgd/pull/580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fcabralpacheco/libgd/commit/441cbfed60ebf6cb63b8ce120ed0a82b15e7aaf8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599032"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4316-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4316-2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.