CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-JV66-MPPC-FXJF
Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30In the Linux kernel, the following vulnerability has been resolved:
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Fixes the below NULL pointer dereference:
[...] [ 14.471200] Call Trace: [ 14.471562] [ 14.471882] lock_acquire+0x245/0x2e0 [ 14.472416] ? remove_wait_queue+0x12/0x50 [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 [ 14.474318] ? remove_wait_queue+0x12/0x50 [ 14.474907] remove_wait_queue+0x12/0x50 [ 14.475480] sk_stream_wait_memory+0x20d/0x340 [ 14.476127] ? do_wait_intr_irq+0x80/0x80 [ 14.476704] do_tcp_sendpages+0x287/0x600 [ 14.477283] tcp_bpf_push+0xab/0x260 [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 [ 14.480311] sock_sendmsg+0x2d/0x40 [ 14.480822] _syssendmsg+0x1b4/0x1c0 [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 [ 14.482048] _sys_sendmsg+0x78/0xb0 [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 [ 14.483215] ? __do_fault+0x2a/0x1a0 [ 14.483738] ? do_fault+0x15e/0x5d0 [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 [ 14.484874] ? lock_is_held_type+0xdf/0x130 [ 14.485474] ? find_held_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] __sys_sendmsg+0x41/0x70 [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 [ 14.487822] do_syscall_64+0x34/0x80 [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...]
The test scenario has the following flow:
thread1 thread2 ----------- --------------- tcp_bpf_sendmsg tcp_bpf_send_verdict tcp_bpf_sendmsg_redir sock_close tcp_bpf_push_locked __sock_release tcp_bpf_push //inet_release do_tcp_sendpages sock->ops->release sk_stream_wait_memory // tcp_close sk_wait_event sk->sk_prot->close release_sock(__sk); *** lock_sock(sk); __tcp_close sock_orphan(sk) sk->sk_wq = NULL release_sock **** lock_sock(__sk); remove_wait_queue(sk_sleep(sk), &wait); sk_sleep(sk) //NULL pointer dereference &rcu_dereference_raw(sk->sk_wq)->wait
While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcp_bpf_send_verdict didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.
We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue.
{
"affected": [],
"aliases": [
"CVE-2022-50409"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n [...]\n [ 14.471200] Call Trace:\n [ 14.471562] \u003cTASK\u003e\n [ 14.471882] lock_acquire+0x245/0x2e0\n [ 14.472416] ? remove_wait_queue+0x12/0x50\n [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50\n [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50\n [ 14.474318] ? remove_wait_queue+0x12/0x50\n [ 14.474907] remove_wait_queue+0x12/0x50\n [ 14.475480] sk_stream_wait_memory+0x20d/0x340\n [ 14.476127] ? do_wait_intr_irq+0x80/0x80\n [ 14.476704] do_tcp_sendpages+0x287/0x600\n [ 14.477283] tcp_bpf_push+0xab/0x260\n [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500\n [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0\n [ 14.479096] tcp_bpf_send_verdict+0x105/0x470\n [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0\n [ 14.480311] sock_sendmsg+0x2d/0x40\n [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0\n [ 14.481390] ? copy_msghdr_from_user+0x62/0x80\n [ 14.482048] ___sys_sendmsg+0x78/0xb0\n [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150\n [ 14.483215] ? __do_fault+0x2a/0x1a0\n [ 14.483738] ? do_fault+0x15e/0x5d0\n [ 14.484246] ? __handle_mm_fault+0x56b/0x1040\n [ 14.484874] ? lock_is_held_type+0xdf/0x130\n [ 14.485474] ? find_held_lock+0x2d/0x90\n [ 14.486046] ? __sys_sendmsg+0x41/0x70\n [ 14.486587] __sys_sendmsg+0x41/0x70\n [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350\n [ 14.487822] do_syscall_64+0x34/0x80\n [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n [...]\n\nThe test scenario has the following flow:\n\nthread1 thread2\n----------- ---------------\n tcp_bpf_sendmsg\n tcp_bpf_send_verdict\n tcp_bpf_sendmsg_redir sock_close\n tcp_bpf_push_locked __sock_release\n tcp_bpf_push //inet_release\n do_tcp_sendpages sock-\u003eops-\u003erelease\n sk_stream_wait_memory \t // tcp_close\n sk_wait_event sk-\u003esk_prot-\u003eclose\n release_sock(__sk);\n ***\n lock_sock(sk);\n __tcp_close\n sock_orphan(sk)\n sk-\u003esk_wq = NULL\n release_sock\n ****\n lock_sock(__sk);\n remove_wait_queue(sk_sleep(sk), \u0026wait);\n sk_sleep(sk)\n //NULL pointer dereference\n \u0026rcu_dereference_raw(sk-\u003esk_wq)-\u003ewait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn\u0027t increase the f_count of psock-\u003esk_redir-\u003esk_socket-\u003efile in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue.",
"id": "GHSA-jv66-mppc-fxjf",
"modified": "2025-12-11T15:30:30Z",
"published": "2025-09-18T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50409"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/124b7c773271f06af5a2cea694b283cdb5275cf5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f48ab20b80f39c0d85119243109d02946fde6d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35f5e70bdfa7432762ac4ffa75e5a7574ac5563e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f8ef65af927db247418d4e1db49164d7a158fc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/435f5aa4421782af197b98d8525263977be4af5c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5fe03917bb017d9af68a95f989f1c122eebc69a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65029aaedd15d9fe5ea1a899134e236d83f627bb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a76462dbdd8bddcbeec9463bc9e54e509b860762"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV67-JXG9-Q8V4
Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2024-11-04 18:31In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix iopt_access_list_id overwrite bug
Syzkaller reported the following WARN_ON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360
Call Trace: iommufd_access_change_ioas+0x2fe/0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0xb50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64
The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.
Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully.
{
"affected": [],
"aliases": [
"CVE-2024-26786"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T09:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n Call Trace:\n iommufd_access_change_ioas+0x2fe/0x4e0\n iommufd_access_destroy_object+0x50/0xb0\n iommufd_object_remove+0x2a3/0x490\n iommufd_object_destroy_user\n iommufd_access_destroy+0x71/0xb0\n iommufd_test_staccess_release+0x89/0xd0\n __fput+0x272/0xb50\n __fput_sync+0x4b/0x60\n __do_sys_close\n __se_sys_close\n __x64_sys_close+0x8b/0x110\n do_syscall_x64\n\nThe mismatch between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access-\u003eiopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully.",
"id": "GHSA-jv67-jxg9-q8v4",
"modified": "2024-11-04T18:31:17Z",
"published": "2024-04-04T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26786"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV74-J9M3-C37V
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16A vulnerability in mfc driver prior to SMR Oct-2021 Release 1 allows memory corruption via NULL-pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2021-25491"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in mfc driver prior to SMR Oct-2021 Release 1 allows memory corruption via NULL-pointer dereference.",
"id": "GHSA-jv74-j9m3-c37v",
"modified": "2022-05-24T19:16:42Z",
"published": "2022-05-24T19:16:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25491"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JV9R-93Q3-FCF8
Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
batman-adv: dat: handle forward allocation error
batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb for each DHT candidate, but does not check the return value before passing it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences the skb unconditionally, so a failed allocation triggers a NULL pointer dereference.
Skip forwarding to the current DHT candidate on allocation failure.
{
"affected": [],
"aliases": [
"CVE-2026-52922"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T08:16:22Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: dat: handle forward allocation error\n\nbatadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb\nfor each DHT candidate, but does not check the return value before passing\nit to batadv_send_skb_prepare_unicast_4addr(). That function dereferences\nthe skb unconditionally, so a failed allocation triggers a NULL pointer\ndereference.\n\nSkip forwarding to the current DHT candidate on allocation failure.",
"id": "GHSA-jv9r-93q3-fcf8",
"modified": "2026-06-28T09:31:36Z",
"published": "2026-06-24T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52922"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d8826a2d3657cea66fb0370f9e521575a673871"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2edb8aeb3cdda9d00ec4997252dc5bcd6f54d8ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d420d9ee70a220a2cd95aa0dd2e15acad66a505"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/866ac1d57040ed0b44ca732e3c66b3aa6b93011c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9bcebaedfb8479cb4affb23c7a0d000ca9a20e73"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9cceea8eeba710def2a5707ee00f00c74a9a1cac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce0c381199402a2c58f4599f4f6ed100d872d0da"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf48e75fc4fe0d5cc7721c82d454221d01367b93"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JVM5-JGXH-5564
Vulnerability from github – Published: 2025-10-09 18:30 – Updated: 2025-10-09 18:30A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.
{
"affected": [],
"aliases": [
"CVE-2025-11550"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-09T18:15:48Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Tenda W12 3.0.0.6(3948). The impacted element is the function wifiScheduledSet of the file /goform/modules of the component HTTP Request Handler. The manipulation of the argument wifiScheduledSet results in null pointer dereference. The attack may be performed from remote. The exploit has been made public and could be used.",
"id": "GHSA-jvm5-jgxh-5564",
"modified": "2025-10-09T18:30:38Z",
"published": "2025-10-09T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11550"
},
{
"type": "WEB",
"url": "https://github.com/z472421519/BinaryAudit/blob/main/PoC/NPD/Tenda_W12/cgiWifiScheduledSet/cgiWifiScheduledSet.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.327709"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.327709"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.670118"
},
{
"type": "WEB",
"url": "https://www.tenda.com.cn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JVM7-G4W5-FQ7F
Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c.
{
"affected": [],
"aliases": [
"CVE-2021-33446"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-26T13:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in mjs_next() in mjs.c.",
"id": "GHSA-jvm7-g4w5-fq7f",
"modified": "2022-07-29T00:00:25Z",
"published": "2022-07-27T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33446"
},
{
"type": "WEB",
"url": "https://github.com/cesanta/mjs/issues/168"
},
{
"type": "WEB",
"url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JVMG-77FX-PXW2
Vulnerability from github – Published: 2024-07-29 15:30 – Updated: 2024-08-08 18:31In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda: fix null deref on system suspend entry
When system enters suspend with an active stream, SOF core calls hw_params_upon_resume(). On Intel platforms with HDA DMA used to manage the link DMA, this leads to call chain of
hda_dsp_set_hw_params_upon_resume() -> hda_dsp_dais_suspend() -> hda_dai_suspend() -> hda_ipc4_post_trigger()
A bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first, which clears hext_stream->link_substream, and then hda_ipc4_post_trigger() is called with a NULL snd_pcm_substream pointer.
{
"affected": [],
"aliases": [
"CVE-2024-41037"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T15:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: fix null deref on system suspend entry\n\nWhen system enters suspend with an active stream, SOF core\ncalls hw_params_upon_resume(). On Intel platforms with HDA DMA used\nto manage the link DMA, this leads to call chain of\n\n hda_dsp_set_hw_params_upon_resume()\n -\u003e hda_dsp_dais_suspend()\n -\u003e hda_dai_suspend()\n -\u003e hda_ipc4_post_trigger()\n\nA bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first,\nwhich clears hext_stream-\u003elink_substream, and then hda_ipc4_post_trigger()\nis called with a NULL snd_pcm_substream pointer.",
"id": "GHSA-jvmg-77fx-pxw2",
"modified": "2024-08-08T18:31:19Z",
"published": "2024-07-29T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41037"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8246bbf818ed7b8d5afc92b951e6d562b45c2450"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9065693dcc13f287b9e4991f43aee70cf5538fdd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/993af0f2d9f24e3c18a445ae22b34190d1fcad61"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JVWR-FMGQ-5Q3G
Vulnerability from github – Published: 2024-02-22 12:30 – Updated: 2024-02-22 12:30A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, Fortiproxy version 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 allows attacker to denial of service via specially crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2023-29179"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-22T10:15:07Z",
"severity": "MODERATE"
},
"details": "A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, Fortiproxy version 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 allows attacker to denial of service via specially crafted HTTP requests.",
"id": "GHSA-jvwr-fmgq-5q3g",
"modified": "2024-02-22T12:30:55Z",
"published": "2024-02-22T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29179"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-125"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW27-2859-7H38
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix a Null pointer dereference vulnerability
[Why] A null pointer dereference vulnerability exists in the AMD display driver's (DC module) cleanup function dc_destruct(). When display control context (dc->ctx) construction fails (due to memory allocation failure), this pointer remains NULL. During subsequent error handling when dc_destruct() is called, there's no NULL check before dereferencing the perf_trace member (dc->ctx->perf_trace), causing a kernel null pointer dereference crash.
[How] Check if dc->ctx is non-NULL before dereferencing.
(Updated commit text and removed unnecessary error message) (cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404)
{
"affected": [],
"aliases": [
"CVE-2025-39705"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a Null pointer dereference vulnerability\n\n[Why]\nA null pointer dereference vulnerability exists in the AMD display driver\u0027s\n(DC module) cleanup function dc_destruct().\nWhen display control context (dc-\u003ectx) construction fails\n(due to memory allocation failure), this pointer remains NULL.\nDuring subsequent error handling when dc_destruct() is called,\nthere\u0027s no NULL check before dereferencing the perf_trace member\n(dc-\u003ectx-\u003eperf_trace), causing a kernel null pointer dereference crash.\n\n[How]\nCheck if dc-\u003ectx is non-NULL before dereferencing.\n\n(Updated commit text and removed unnecessary error message)\n(cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404)",
"id": "GHSA-jw27-2859-7h38",
"modified": "2025-11-25T21:32:04Z",
"published": "2025-09-05T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39705"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0961673cc5f0055957aa46f25eb4ef6c07e00165"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1bcf63a44381691d6192872801f830ce3250e367"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ade995b9b25b3c6e8dc42c27070340f1358d8c8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW3X-9G83-4HVR
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2024-04-07 03:30gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing atteckers to crash an application via a specific function call sequence.
{
"affected": [],
"aliases": [
"CVE-2018-14553"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T13:15:00Z",
"severity": "MODERATE"
},
"details": "gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing atteckers to crash an application via a specific function call sequence.",
"id": "GHSA-jw3x-9g83-4hvr",
"modified": "2024-04-07T03:30:46Z",
"published": "2022-05-24T17:08:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14553"
},
{
"type": "WEB",
"url": "https://github.com/libgd/libgd/pull/580"
},
{
"type": "WEB",
"url": "https://github.com/fcabralpacheco/libgd/commit/441cbfed60ebf6cb63b8ce120ed0a82b15e7aaf8"
},
{
"type": "WEB",
"url": "https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599032"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4316-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4316-2"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.