Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-M75F-WCJQ-49MW

Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30
VLAI
Details

The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-02T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.",
  "id": "GHSA-m75f-wcjq-49mw",
  "modified": "2022-05-13T01:30:45Z",
  "published": "2022-05-13T01:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7642"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2019:0327"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3032"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201811-17"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22887"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=116acb2c268c89c89186673a7c92620d21825b25"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M786-RXFF-X32M

Vulnerability from github – Published: 2023-06-06 06:30 – Updated: 2024-04-04 04:33
VLAI
Details

In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T06:15:50Z",
    "severity": "MODERATE"
  },
  "details": "In telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.",
  "id": "GHSA-m786-rxff-x32m",
  "modified": "2024-04-04T04:33:06Z",
  "published": "2023-06-06T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48444"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1664822361414762498"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7GH-37PM-CCHX

Vulnerability from github – Published: 2026-04-01 03:31 – Updated: 2026-04-01 03:31
VLAI
Details

The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T02:16:02Z",
    "severity": "MODERATE"
  },
  "details": "The application does not validate the presence of required appearance (AP) data before accessing stamp annotation resources. When a PDF contains a stamp annotation missing its AP entry, the code continues to dereference the associated object without a prior null or validity check, which allows a crafted document to trigger a null pointer dereference and crash the application, resulting in denial of service.",
  "id": "GHSA-m7gh-37pm-cchx",
  "modified": "2026-04-01T03:31:40Z",
  "published": "2026-04-01T03:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3776"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7GW-R3VF-GF9W

Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2022-05-14 01:14
VLAI
Details

In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(&gb) is called on an uninitialized get_bits context, which causes a NULL deref exception.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-03T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(\u0026gb) is called on an uninitialized get_bits context, which causes a NULL deref exception.",
  "id": "GHSA-m7gw-r3vf-gf9w",
  "modified": "2022-05-14T01:14:32Z",
  "published": "2022-05-14T01:14:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000460"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.libav.org/show_bug.cgi?id=952"
    },
    {
      "type": "WEB",
      "url": "https://chromium.googlesource.com/chromium/third_party/ffmpeg/+/8e313ca08800178efce00045e07dc494d437b70c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00041.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.ffmpeg.org/pipermail/ffmpeg-cvslog/2017-January/104221.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7R8-MGXR-2J4V

Vulnerability from github – Published: 2022-05-17 01:16 – Updated: 2022-05-17 01:16
VLAI
Details

The AP4_AtomSampleTable::GetSample function in Core/Ap4AtomSampleTable.cpp in Bento4 mp42ts before 1.5.0-616 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-06T08:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The AP4_AtomSampleTable::GetSample function in Core/Ap4AtomSampleTable.cpp in Bento4 mp42ts before 1.5.0-616 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.",
  "id": "GHSA-m7r8-mgxr-2j4v",
  "modified": "2022-05-17T01:16:31Z",
  "published": "2022-05-17T01:16:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/commit/4d3f0bebd5f8518fd775f671c12bea58c68e814e"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/open?id=0B6wBkDmxMGMKUjNscThnbTlSZ2s"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/open?id=0B9DojFnTUSNGZ1JfNUc1am9pcnc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7V2-W8FJ-6F24

Vulnerability from github – Published: 2024-04-10 21:30 – Updated: 2024-12-20 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: musb: tusb6010: check return value after calling platform_get_resource()

It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: tusb6010: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value.",
  "id": "GHSA-m7v2-w8fj-6f24",
  "modified": "2024-12-20T15:30:44Z",
  "published": "2024-04-10T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47181"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06cfb4cb2241e704d72e3045cf4d7dfb567fbce0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14651496a3de6807a17c310f63c894ea0c5d858e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ba7605856e05fa991d4654ac69e5ace66c767b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28be095eb612a489705d38c210afaf1103c5f4f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ee15f1af17407be381bcf06a78fa60b471242dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/679eee466d0f9ffa60a2b0c6ec19be5128927f04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3f43659eb0b9af2e6ef18a8d829374610b19e7a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f87a79c04a33ab4e5be598c7b0867e6ef193d702"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7WR-Q7CM-56RH

Vulnerability from github – Published: 2024-04-10 21:30 – Updated: 2025-11-03 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix link down processing to address NULL pointer dereference

If an FC link down transition while PLOGIs are outstanding to fabric well known addresses, outstanding ABTS requests may result in a NULL pointer dereference. Driver unload requests may hang with repeated "2878" log messages.

The Link down processing results in ABTS requests for outstanding ELS requests. The Abort WQEs are sent for the ELSs before the driver had set the link state to down. Thus the driver is sending the Abort with the expectation that an ABTS will be sent on the wire. The Abort request is stalled waiting for the link to come up. In some conditions the driver may auto-complete the ELSs thus if the link does come up, the Abort completions may reference an invalid structure.

Fix by ensuring that Abort set the flag to avoid link traffic if issued due to conditions where the link failed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\n\nIf an FC link down transition while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \"2878\" log\nmessages.\n\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\n\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed.",
  "id": "GHSA-m7wr-q7cm-56rh",
  "modified": "2025-11-03T18:31:14Z",
  "published": "2024-04-10T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47183"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04c1af683270e4709a594bb1691b8800b945035a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28de48a7cea495ab48082d9ff4ef63f7cb4e563a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M849-GVP2-QMMR

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: unset the binding mark of a reused connection

Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update().

BUG: kernel NULL pointer dereference, address: 0000000000000000

PF: supervisor read access in kernel mode

PF: error_code(0x0000) - not-present page

PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset the binding mark of a reused connection\n\nSteve French reported null pointer dereference error from sha256 lib.\ncifs.ko can send session setup requests on reused connection.\nIf reused connection is used for binding session, conn-\u003ebinding can\nstill remain true and generate_preauth_hash() will not set\nsess-\u003ePreauth_HashValue and it will be NULL.\nIt is used as a material to create an encryption key in\nksmbd_gen_smb311_encryptionkey. -\u003ePreauth_HashValue cause null pointer\ndereference error from crypto_shash_update().\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 8 PID: 429254 Comm: kworker/8:39\nHardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )\nWorkqueue: ksmbd-io handle_ksmbd_work [ksmbd]\nRIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]\n\u003cTASK\u003e\n? show_regs+0x6d/0x80\n? __die+0x24/0x80\n? page_fault_oops+0x99/0x1b0\n? do_user_addr_fault+0x2ee/0x6b0\n? exc_page_fault+0x83/0x1b0\n? asm_exc_page_fault+0x27/0x30\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]\n_sha256_update+0x77/0xa0 [sha256_ssse3]\nsha256_avx2_update+0x15/0x30 [sha256_ssse3]\ncrypto_shash_update+0x1e/0x40\nhmac_update+0x12/0x20\ncrypto_shash_update+0x1e/0x40\ngenerate_key+0x234/0x380 [ksmbd]\ngenerate_smb3encryptionkey+0x40/0x1c0 [ksmbd]\nksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]\nntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]\nsmb2_sess_setup+0x952/0xaa0 [ksmbd]\n__process_request+0xa3/0x1d0 [ksmbd]\n__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]\nhandle_ksmbd_work+0x2d/0xa0 [ksmbd]\nprocess_one_work+0x16c/0x350\nworker_thread+0x306/0x440\n? __pfx_worker_thread+0x10/0x10\nkthread+0xef/0x120\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x44/0x70\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n\u003c/TASK\u003e",
  "id": "GHSA-m849-gvp2-qmmr",
  "modified": "2025-11-04T00:31:29Z",
  "published": "2024-09-18T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46795"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41bc256da7e47b679df87c7fc7a5b393052b9cce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c8496f44f5bb5c06cdef5eb130ab259643392a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78c5a6f1f630172b19af4912e755e1da93ef0ab5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93d54a4b59c4b3d803d20aa645ab5ca71f3b3b02"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9914f1bd61d5e838bb1ab15a71076d37a6db65d1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M84F-8362-3V3C

Vulnerability from github – Published: 2022-05-14 01:21 – Updated: 2022-05-14 01:21
VLAI
Details

The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-15T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka \"SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability\".",
  "id": "GHSA-m84f-8362-3v3c",
  "modified": "2022-05-14T01:21:35Z",
  "published": "2022-05-14T01:21:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-0833"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0833"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44189"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102924"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M84Q-M2JG-26H3

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle

KASAN reported a null-ptr-deref error:

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 1373 Comm: modprobe Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:dmi_sysfs_entry_release ... Call Trace: kobject_put dmi_sysfs_register_handle (drivers/firmware/dmi-sysfs.c:540) dmi_sysfs dmi_decode_table (drivers/firmware/dmi_scan.c:133) dmi_walk (drivers/firmware/dmi_scan.c:1115) dmi_sysfs_init (drivers/firmware/dmi-sysfs.c:149) dmi_sysfs do_one_initcall (init/main.c:1296) ... Kernel panic - not syncing: Fatal exception Kernel Offset: 0x4000000 from 0xffffffff81000000 ---[ end Kernel panic - not syncing: Fatal exception ]---

It is because previous patch added kobject_put() to release the memory which will call dmi_sysfs_entry_release() and list_del().

However, list_add_tail(entry->list) is called after the error block, so the list_head is uninitialized and cannot be deleted.

Move error handling to after list_add_tail to fix this.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:52Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysfs_register_handle\n\nKASAN reported a null-ptr-deref error:\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 1373 Comm: modprobe\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:dmi_sysfs_entry_release\n...\nCall Trace:\n \u003cTASK\u003e\n kobject_put\n dmi_sysfs_register_handle (drivers/firmware/dmi-sysfs.c:540) dmi_sysfs\n dmi_decode_table (drivers/firmware/dmi_scan.c:133)\n dmi_walk (drivers/firmware/dmi_scan.c:1115)\n dmi_sysfs_init (drivers/firmware/dmi-sysfs.c:149) dmi_sysfs\n do_one_initcall (init/main.c:1296)\n ...\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x4000000 from 0xffffffff81000000\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nIt is because previous patch added kobject_put() to release the memory\nwhich will call  dmi_sysfs_entry_release() and list_del().\n\nHowever, list_add_tail(entry-\u003elist) is called after the error block,\nso the list_head is uninitialized and cannot be deleted.\n\nMove error handling to after list_add_tail to fix this.",
  "id": "GHSA-m84q-m2jg-26h3",
  "modified": "2025-12-03T18:30:20Z",
  "published": "2025-09-15T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53250"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18e126e97c961f7a93823795c879d7c085fe5098"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d0492d1d934642bdfd2057acc1b56f4b57be465"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4fe158259fb5fead52ff2b55841ec5c39492604"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e851996b32264e78a10863c2ac41a8689d7b9252"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.