CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-M279-RGMP-GM5J
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30In the Linux kernel, the following vulnerability has been resolved:
iio: accel: mma8452: use the correct logic to get mma8452_data
The original logic to get mma8452_data is wrong, the *dev point to the device belong to iio_dev. we can't use this dev to find the correct i2c_client. The original logic happen to work because it finally use dev->driver_data to get iio_dev. Here use the API to_i2c_client() is wrong and make reader confuse. To correct the logic, it should be like this
struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));
But after commit 8b7651f25962 ("iio: iio_device_alloc(): Remove unnecessary self drvdata"), the upper logic also can't work. When try to show the avialable scale in userspace, will meet kernel dump, kernel handle NULL pointer dereference.
So use dev_to_iio_dev() to correct the logic.
Dual fixes tags as the second reflects when the bug was exposed, whilst the first reflects when the original bug was introduced.
{
"affected": [],
"aliases": [
"CVE-2022-49285"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: mma8452: use the correct logic to get mma8452_data\n\nThe original logic to get mma8452_data is wrong, the *dev point to\nthe device belong to iio_dev. we can\u0027t use this dev to find the\ncorrect i2c_client. The original logic happen to work because it\nfinally use dev-\u003edriver_data to get iio_dev. Here use the API\nto_i2c_client() is wrong and make reader confuse. To correct the\nlogic, it should be like this\n\n struct mma8452_data *data = iio_priv(dev_get_drvdata(dev));\n\nBut after commit 8b7651f25962 (\"iio: iio_device_alloc(): Remove\nunnecessary self drvdata\"), the upper logic also can\u0027t work.\nWhen try to show the avialable scale in userspace, will meet kernel\ndump, kernel handle NULL pointer dereference.\n\nSo use dev_to_iio_dev() to correct the logic.\n\nDual fixes tags as the second reflects when the bug was exposed, whilst\nthe first reflects when the original bug was introduced.",
"id": "GHSA-m279-rgmp-gm5j",
"modified": "2025-09-22T21:30:16Z",
"published": "2025-09-22T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49285"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c0bb583a4444cce224e8661090cbffc98e2fe07"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c87b7b12f48db86ac9909894f4dc0107d7df6375"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2d9ebdbff79d87d27652578e6d1638ad3b5f3bf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M29H-H248-XJC9
Vulnerability from github – Published: 2025-03-18 21:31 – Updated: 2025-03-18 21:31In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
I got a null-ptr-deref report:
BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:fb_destroy_modelist+0x38/0x100 ... Call Trace: ufx_usb_probe.cold+0x2b5/0xac1 [smscufx] usb_probe_interface+0x1aa/0x3c0 [usbcore] really_probe+0x167/0x460 ... ret_from_fork+0x1f/0x30
If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will be called to destroy modelist in the error handling path. But modelist has not been initialized yet, so it will result in null-ptr-deref.
Initialize modelist before calling fb_alloc_cmap() to fix this bug.
{
"affected": [],
"aliases": [
"CVE-2021-47652"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T06:37:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()\n\nI got a null-ptr-deref report:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nRIP: 0010:fb_destroy_modelist+0x38/0x100\n...\nCall Trace:\n ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]\n usb_probe_interface+0x1aa/0x3c0 [usbcore]\n really_probe+0x167/0x460\n...\n ret_from_fork+0x1f/0x30\n\nIf fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will\nbe called to destroy modelist in the error handling path. But modelist\nhas not been initialized yet, so it will result in null-ptr-deref.\n\nInitialize modelist before calling fb_alloc_cmap() to fix this bug.",
"id": "GHSA-m29h-h248-xjc9",
"modified": "2025-03-18T21:31:59Z",
"published": "2025-03-18T21:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47652"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fd28daec73525382e5c992db8743bf76e42cd5c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1791f487f877a9e83d81c8677bd3e7b259e7cb27"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64ec3e678d76419f207b9cdd338dda438ca10b1c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9280ef235b05e8f19f8bc6d547b992f0a0ef398d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c420b540db4b5d69de0a36d8b9d9a6a79a04f05a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d1b6a1f0c23b7164250479bf92e2893291dca539"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d396c651e2b508b6179bb678cc029f3becbf5170"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da8b269cc0a2526ebeaccbe2484c999eb0f822cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd3a6cc7385b89ec2303f39dfc3bafa4e24cec4b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2J4-GWP6-P4H2
Vulnerability from github – Published: 2022-07-02 00:00 – Updated: 2022-07-09 00:00NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.
{
"affected": [],
"aliases": [
"CVE-2022-2279"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-01T09:15:00Z",
"severity": "MODERATE"
},
"details": "NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.",
"id": "GHSA-m2j4-gwp6-p4h2",
"modified": "2022-07-09T00:00:25Z",
"published": "2022-07-02T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2279"
},
{
"type": "WEB",
"url": "https://github.com/bfabiszewski/libmobi/commit/c0699c8693c47f14a2e57dec7292e862ac7adf9c"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/68c249e2-779d-4871-b7e3-851f03aca2de"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2P2-7MFV-GH5X
Vulnerability from github – Published: 2021-12-23 00:01 – Updated: 2023-05-27 06:30An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.
{
"affected": [],
"aliases": [
"CVE-2021-45267"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-22T18:15:00Z",
"severity": "MODERATE"
},
"details": "An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.",
"id": "GHSA-m2p2-7mfv-gh5x",
"modified": "2023-05-27T06:30:36Z",
"published": "2021-12-23T00:01:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45267"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1965"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2QV-9V9X-X3FP
Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector
Fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector routine if the chip does not support dbdc and the hw reports band_idx set to 1.
{
"affected": [],
"aliases": [
"CVE-2022-49484"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector\n\nFix possible NULL pointer dereference in mt7915_mac_fill_rx_vector\nroutine if the chip does not support dbdc and the hw reports band_idx\nset to 1.",
"id": "GHSA-m2qv-9v9x-x3fp",
"modified": "2025-03-17T18:31:50Z",
"published": "2025-03-17T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49484"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/268e8ef187eb8780d021b0e4f5ffa92dee5c4983"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62fdc974894eec80d678523458cf99bbdb887e22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2RR-G8PF-8WRJ
Vulnerability from github – Published: 2026-05-26 15:32 – Updated: 2026-05-26 15:32IEC 60870-5-104 used in bidirectional mode is vulnerable for a NULL pointer dereferencing, if a specially crafted sequence of messages is sent for a certain time, causing Denial of Service impact. Product is only affected if IEC 60870-5-104 functionality in bidirectional mode (BCI) is configured.
{
"affected": [],
"aliases": [
"CVE-2026-8479"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T14:16:41Z",
"severity": "MODERATE"
},
"details": "IEC 60870-5-104 used in bidirectional mode is vulnerable\nfor a NULL pointer dereferencing, if a specially crafted\nsequence of messages is sent for a certain time, causing\nDenial of Service impact.\nProduct is only affected if IEC 60870-5-104 functionality in\nbidirectional mode (BCI) is configured.",
"id": "GHSA-m2rr-g8pf-8wrj",
"modified": "2026-05-26T15:32:10Z",
"published": "2026-05-26T15:32:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8479"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000252\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M2V6-2JMH-4C68
Vulnerability from github – Published: 2026-07-16 19:19 – Updated: 2026-07-16 19:19Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4): - Tenant has SecurityPolicy + TCPRoute RBAC (baseline) - Tenant namespace permitted to attach TCPRoute to a Gateway listener - spec.authorization omitted (the trigger) - No admission webhook blocks the shape
Description:
A namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/gateway"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0-rc.0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/gateway"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53719"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T19:19:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Vulnerability report without repro case. Repro case may be added later after harness is complete.\n\n**Preconditions (4):**\n- Tenant has SecurityPolicy + TCPRoute RBAC (baseline)\n- Tenant namespace permitted to attach TCPRoute to a Gateway listener\n- spec.authorization omitted (the trigger)\n- No admission webhook blocks the shape\n\n**Description:**\n\nA namespace-scoped tenant can deterministically panic the gatewayapi runner on every reconcile with a single CRD; the recover() in message/watchutil.go:53 keeps the process alive but unwinds the entire handle() callback in runner/runner.go:192, so xDS/Infra IR publishing stalls controller-wide until an admin deletes the object. Data plane keeps serving last-good config.",
"id": "GHSA-m2v6-2jmh-4c68",
"modified": "2026-07-16T19:19:17Z",
"published": "2026-07-16T19:19:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-m2v6-2jmh-4c68"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/gateway"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization"
}
GHSA-M2VV-J9F3-54J5
Vulnerability from github – Published: 2022-05-14 02:58 – Updated: 2022-05-14 02:58An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A NULL pointer dereference can occur in pbc_wmessage_string in wmessage.c.
{
"affected": [],
"aliases": [
"CVE-2018-14737"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-30T01:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A NULL pointer dereference can occur in pbc_wmessage_string in wmessage.c.",
"id": "GHSA-m2vv-j9f3-54j5",
"modified": "2022-05-14T02:58:20Z",
"published": "2022-05-14T02:58:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14737"
},
{
"type": "WEB",
"url": "https://github.com/cloudwu/pbc/issues/122#issuecomment-407303005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2W9-HMQH-M77H
Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
mctp i2c: handle NULL header address
daddr can be NULL if there is no neighbour table entry present, in that case the tx packet should be dropped.
saddr will usually be set by MCTP core, but check for NULL in case a packet is transmitted by a different protocol.
{
"affected": [],
"aliases": [
"CVE-2024-53043"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T18:15:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp i2c: handle NULL header address\n\ndaddr can be NULL if there is no neighbour table entry present,\nin that case the tx packet should be dropped.\n\nsaddr will usually be set by MCTP core, but check for NULL in case a\npacket is transmitted by a different protocol.",
"id": "GHSA-m2w9-hmqh-m77h",
"modified": "2025-11-04T00:32:04Z",
"published": "2024-11-19T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53043"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01e215975fd80af81b5b79f009d49ddd35976c13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4707893315802a0917231b94cb20cbe50ccbfe03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c222adadc1612e4f097688875962a28e3f5ab44"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e886e44397ba89f6e8da8471386112b4f5b67b7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2WH-W7W6-M2CJ
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-12-16 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null pointer check for get_first_active_display()
The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference in mod_hdcp_hdcp2_enable_encryption().
Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.
{
"affected": [],
"aliases": [
"CVE-2025-38362"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T13:15:25Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check for get_first_active_display()\n\nThe function mod_hdcp_hdcp1_enable_encryption() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference in\nmod_hdcp_hdcp2_enable_encryption().\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.",
"id": "GHSA-m2wh-w7w6-m2cj",
"modified": "2025-12-16T15:30:25Z",
"published": "2025-07-25T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38362"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ebcdf38887949def1a553ff3e45c98ed95a3cd0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34d3e10ab905f06445f8dbd8a3d9697095e71bae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ce9f2dc9ff7cc410e8c5d936ec551e26b9599a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5148c7ea69e9c5bf2f05081190f45ba96d3d1e7a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3005145eab98d36777660b8893466e4f630ae1c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c3e9826a22027a21d998d3e64882fa377b613006"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.