Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-MCF7-H35P-C29H

Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-12-30 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

aio: Fix null ptr deref in aio_complete() wakeup

list_del_init_careful() needs to be the last access to the wait queue entry - it effectively unlocks access.

Previously, finish_wait() would see the empty list head and skip taking the lock, and then we'd return - but the completion path would still attempt to do the wakeup after the task_struct pointer had been overwritten.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: Fix null ptr deref in aio_complete() wakeup\n\nlist_del_init_careful() needs to be the last access to the wait queue\nentry - it effectively unlocks access.\n\nPreviously, finish_wait() would see the empty list head and skip taking\nthe lock, and then we\u0027d return - but the completion path would still\nattempt to do the wakeup after the task_struct pointer had been\noverwritten.",
  "id": "GHSA-mcf7-h35p-c29h",
  "modified": "2024-12-30T18:30:41Z",
  "published": "2024-05-19T09:34:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35874"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9678bcc6234d83759fe091c197f5017a32b468da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/caeb4b0a11b3393e43f7fa8e0a5a18462acc66bd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCJ2-PGR8-H65P

Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2025-11-04 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ima: Avoid blocking in RCU read-side critical section

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen.

The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC.

[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-12T13:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Avoid blocking in RCU read-side critical section\n\nA panic happens in ima_match_policy:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000010\nPGD 42f873067 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 5 PID: 1286325 Comm: kubeletmonit.sh\nKdump: loaded Tainted: P\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n               BIOS 0.0.0 02/06/2015\nRIP: 0010:ima_match_policy+0x84/0x450\nCode: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39\n      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d\n      f2 b9 f4 00 0f 84 9c 01 00 00 \u003c44\u003e 85 73 10 74 ea\n      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f\nRSP: 0018:ff71570009e07a80 EFLAGS: 00010207\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200\nRDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000\nRBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739\nR10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970\nR13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001\nFS:  00007f5195b51740(0000)\nGS:ff3e278b12d40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ima_get_action+0x22/0x30\n process_measurement+0xb0/0x830\n ? page_add_file_rmap+0x15/0x170\n ? alloc_set_pte+0x269/0x4c0\n ? prep_new_page+0x81/0x140\n ? simple_xattr_get+0x75/0xa0\n ? selinux_file_open+0x9d/0xf0\n ima_file_check+0x64/0x90\n path_openat+0x571/0x1720\n do_filp_open+0x9b/0x110\n ? page_counter_try_charge+0x57/0xc0\n ? files_cgroup_alloc_fd+0x38/0x60\n ? __alloc_fd+0xd4/0x250\n ? do_sys_open+0x1bd/0x250\n do_sys_open+0x1bd/0x250\n do_syscall_64+0x5d/0x1d0\n entry_SYSCALL_64_after_hwframe+0x65/0xca\n\nCommit c7423dbdbc9e (\"ima: Handle -ESTALE returned by\nima_filter_rule_match()\") introduced call to ima_lsm_copy_rule within a\nRCU read-side critical section which contains kmalloc with GFP_KERNEL.\nThis implies a possible sleep and violates limitations of RCU read-side\ncritical sections on non-PREEMPT systems.\n\nSleeping within RCU read-side critical section might cause\nsynchronize_rcu() returning early and break RCU protection, allowing a\nUAF to happen.\n\nThe root cause of this issue could be described as follows:\n|\tThread A\t|\tThread B\t|\n|\t\t\t|ima_match_policy\t|\n|\t\t\t|  rcu_read_lock\t|\n|ima_lsm_update_rule\t|\t\t\t|\n|  synchronize_rcu\t|\t\t\t|\n|\t\t\t|    kmalloc(GFP_KERNEL)|\n|\t\t\t|      sleep\t\t|\n==\u003e synchronize_rcu returns early\n|  kfree(entry)\t\t|\t\t\t|\n|\t\t\t|    entry = entry-\u003enext|\n==\u003e UAF happens and entry now becomes NULL (or could be anything).\n|\t\t\t|    entry-\u003eaction\t|\n==\u003e Accessing entry might cause panic.\n\nTo fix this issue, we are converting all kmalloc that is called within\nRCU read-side critical section to use GFP_ATOMIC.\n\n[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]",
  "id": "GHSA-mcj2-pgr8-h65p",
  "modified": "2025-11-04T00:30:54Z",
  "published": "2024-07-12T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40947"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/58275455893066149e9f4df2223ab2fdbdc59f9c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a95c5bfbf02a0a7f5983280fe284a0ff0836c34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c3906c3738562b1fedc6f1cfc81756a7cfefff0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a38e02265c681b51997a264aaf743095e2ee400a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6176a802c4bfb83bf7524591aa75f44a639a853"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCMW-VR9C-GRH2

Vulnerability from github – Published: 2026-01-14 15:33 – Updated: 2026-03-25 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: ensure node page reads complete before f2fs_put_super() finishes

Xfstests generic/335, generic/336 sometimes crash with the following message:

F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ---[ end trace 0000000000000000 ]---

It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-14T15:15:59Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: ensure node page reads complete before f2fs_put_super() finishes\n\nXfstests generic/335, generic/336 sometimes crash with the following message:\n\nF2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/super.c:1939!\nOops: invalid opcode: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G        W           6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_put_super+0x3b3/0x3c0\nCall Trace:\n \u003cTASK\u003e\n generic_shutdown_super+0x7e/0x190\n kill_block_super+0x1a/0x40\n kill_f2fs_super+0x9d/0x190\n deactivate_locked_super+0x30/0xb0\n cleanup_mnt+0xba/0x150\n task_work_run+0x5c/0xa0\n exit_to_user_mode_loop+0xb7/0xc0\n do_syscall_64+0x1ae/0x1c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n---[ end trace 0000000000000000 ]---\n\nIt appears that sometimes it is possible that f2fs_put_super() is called before\nall node page reads are completed.\nAdding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.",
  "id": "GHSA-mcmw-vr9c-grh2",
  "modified": "2026-03-25T21:30:22Z",
  "published": "2026-01-14T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71107"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCP5-GM6H-CFH4

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: octeontx2 - remove CONFIG_DM_CRYPT check

No issues were found while using the driver with dm-crypt enabled. So CONFIG_DM_CRYPT check in the driver can be removed.

This also fixes the NULL pointer dereference in driver release if CONFIG_DM_CRYPT is enabled.

... Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... Call trace: crypto_unregister_alg+0x68/0xfc crypto_unregister_skciphers+0x44/0x60 otx2_cpt_crypto_exit+0x100/0x1a0 otx2_cptvf_remove+0xf8/0x200 pci_device_remove+0x3c/0xd4 __device_release_driver+0x188/0x234 device_release_driver+0x2c/0x4c ...

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: octeontx2 - remove CONFIG_DM_CRYPT check\n\nNo issues were found while using the driver with dm-crypt enabled. So\nCONFIG_DM_CRYPT check in the driver can be removed.\n\nThis also fixes the NULL pointer dereference in driver release if\nCONFIG_DM_CRYPT is enabled.\n\n...\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n...\nCall trace:\n crypto_unregister_alg+0x68/0xfc\n crypto_unregister_skciphers+0x44/0x60\n otx2_cpt_crypto_exit+0x100/0x1a0\n otx2_cptvf_remove+0xf8/0x200\n pci_device_remove+0x3c/0xd4\n __device_release_driver+0x188/0x234\n device_release_driver+0x2c/0x4c\n...",
  "id": "GHSA-mcp5-gm6h-cfh4",
  "modified": "2025-09-22T21:30:16Z",
  "published": "2025-09-22T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49262"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d841af23ae8f398c85dd1ff2dc24b5ec8ba4569"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1bf728f3388ac3a2c2dffa57e25622e90b9f6f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a462214866eebbca87e13ff6d73092b1c4895624"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6374086f249295121384bfaa7cdcc8d461146f0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCRM-9H74-FXH7

Vulnerability from github – Published: 2024-10-21 12:30 – Updated: 2024-10-24 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netkit: Assign missing bpf_net_context

During the introduction of struct bpf_net_context handling for XDP-redirect, the netkit driver has been missed, which also requires it because NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the per-CPU variables. Otherwise we see the following crash:

BUG: kernel NULL pointer dereference, address: 0000000000000038
bpf_redirect()
netkit_xmit()
dev_hard_start_xmit()

Set the bpf_net_context before invoking netkit_xmit() program within the netkit driver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T12:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetkit: Assign missing bpf_net_context\n\nDuring the introduction of struct bpf_net_context handling for\nXDP-redirect, the netkit driver has been missed, which also requires it\nbecause NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the\nper-CPU variables. Otherwise we see the following crash:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000038\n\tbpf_redirect()\n\tnetkit_xmit()\n\tdev_hard_start_xmit()\n\nSet the bpf_net_context before invoking netkit_xmit() program within the\nnetkit driver.",
  "id": "GHSA-mcrm-9h74-fxh7",
  "modified": "2024-10-24T15:31:08Z",
  "published": "2024-10-21T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47708"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/157f29152b61ca41809dd7ead29f5733adeced19"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/182c6fed8c7f62cddce0126ec1fc0da2b700fb11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCW3-QQP9-M3R9

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

A null pointer dereference was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.4, Safari 14.1.1, iOS 14.6 and iPadOS 14.6. A remote attacker may be able to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A null pointer dereference was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.4, Safari 14.1.1, iOS 14.6 and iPadOS 14.6. A remote attacker may be able to cause a denial of service.",
  "id": "GHSA-mcw3-qqp9-m3r9",
  "modified": "2022-05-24T19:13:24Z",
  "published": "2022-05-24T19:13:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30698"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212528"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212529"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212534"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MF8X-9RCG-P86Q

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv

The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB.

The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash.

The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npci/hotplug/pnv_php: Fix hotplug driver crash on Powernv\n\nThe hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel\ncrash when we try to hot-unplug/disable the PCIe switch/bridge from\nthe PHB.\n\nThe crash occurs because although the MSI data structure has been\nreleased during disable/hot-unplug path and it has been assigned\nwith NULL, still during unregistration the code was again trying to\nexplicitly disable the MSI which causes the NULL pointer dereference and\nkernel crash.\n\nThe patch fixes the check during unregistration path to prevent invoking\npci_disable_msi/msix() since its data structure is already freed.",
  "id": "GHSA-mf8x-9rcg-p86q",
  "modified": "2025-11-04T00:31:29Z",
  "published": "2024-09-18T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46761"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/335e35b748527f0c06ded9eebb65387f60647fda"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/438d522227374042b5c8798f8ce83bbe479dca4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4eb4085c1346d19d4a05c55246eb93e74e671048"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b82d4d5c736f4fd2ed224c35f554f50d1953d21e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc1faed19db95abf0933b104910a3fb01b138f59"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfc44075b19740d372f989f21dd03168bfda0689"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0d8094dc740cfacf3775bbc6a1c4720459e8de4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4c681999d385e28f84808bbf3a85ea8e982da55"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFC2-Q3P4-2QJV

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: accept TCA_STAB only for root qdisc

Most qdiscs maintain their backlog using qdisc_pkt_len(skb) on the assumption it is invariant between the enqueue() and dequeue() handlers.

Unfortunately syzbot can crash a host rather easily using a TBF + SFQ combination, with an STAB on SFQ [1]

We can't support TCA_STAB on arbitrary level, this would require to maintain per-qdisc storage.

[1] [ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 88.798611] #PF: supervisor read access in kernel mode [ 88.799014] #PF: error_code(0x0000) - not-present page [ 88.799506] PGD 0 P4D 0 [ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI [ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117 [ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq [ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00 All code ======== 0: 0f b7 50 12 movzwl 0x12(%rax),%edx 4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax b: 00 c: 48 89 d6 mov %rdx,%rsi f: 48 29 d0 sub %rdx,%rax 12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx 19: 48 c1 e0 03 shl $0x3,%rax 1d: 48 01 c2 add %rax,%rdx 20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx) 25: 7e c0 jle 0xffffffffffffffe7 27: 48 8b 3a mov (%rdx),%rdi 2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction 2d: 4c 89 02 mov %r8,(%rdx) 30: 49 89 50 08 mov %rdx,0x8(%r8) 34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 3b: 00 3c: 48 rex.W 3d: c7 .byte 0xc7 3e: 07 (bad) ...

Code starting with the faulting instruction

0: 4c 8b 07 mov (%rdi),%r8 3: 4c 89 02 mov %r8,(%rdx) 6: 49 89 50 08 mov %rdx,0x8(%r8) a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi) 11: 00 12: 48 rex.W 13: c7 .byte 0xc7 14: 07 (bad) ... [ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206 [ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800 [ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000 [ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f [ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140 [ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac [ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000 [ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0 [ 88.808165] Call Trace: [ 88.808459] [ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715) [ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) [ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623) [ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq [ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq [ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: accept TCA_STAB only for root qdisc\n\nMost qdiscs maintain their backlog using qdisc_pkt_len(skb)\non the assumption it is invariant between the enqueue()\nand dequeue() handlers.\n\nUnfortunately syzbot can crash a host rather easily using\na TBF + SFQ combination, with an STAB on SFQ [1]\n\nWe can\u0027t support TCA_STAB on arbitrary level, this would\nrequire to maintain per-qdisc storage.\n\n[1]\n[   88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   88.798611] #PF: supervisor read access in kernel mode\n[   88.799014] #PF: error_code(0x0000) - not-present page\n[   88.799506] PGD 0 P4D 0\n[   88.799829] Oops: Oops: 0000 [#1] SMP NOPTI\n[   88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117\n[   88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a \u003c4c\u003e 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00\nAll code\n========\n   0:\t0f b7 50 12          \tmovzwl 0x12(%rax),%edx\n   4:\t48 8d 04 d5 00 00 00 \tlea    0x0(,%rdx,8),%rax\n   b:\t00\n   c:\t48 89 d6             \tmov    %rdx,%rsi\n   f:\t48 29 d0             \tsub    %rdx,%rax\n  12:\t48 8b 91 c0 01 00 00 \tmov    0x1c0(%rcx),%rdx\n  19:\t48 c1 e0 03          \tshl    $0x3,%rax\n  1d:\t48 01 c2             \tadd    %rax,%rdx\n  20:\t66 83 7a 1a 00       \tcmpw   $0x0,0x1a(%rdx)\n  25:\t7e c0                \tjle    0xffffffffffffffe7\n  27:\t48 8b 3a             \tmov    (%rdx),%rdi\n  2a:*\t4c 8b 07             \tmov    (%rdi),%r8\t\t\u003c-- trapping instruction\n  2d:\t4c 89 02             \tmov    %r8,(%rdx)\n  30:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n  34:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  3b:\t00\n  3c:\t48                   \trex.W\n  3d:\tc7                   \t.byte 0xc7\n  3e:\t07                   \t(bad)\n\t...\n\nCode starting with the faulting instruction\n===========================================\n   0:\t4c 8b 07             \tmov    (%rdi),%r8\n   3:\t4c 89 02             \tmov    %r8,(%rdx)\n   6:\t49 89 50 08          \tmov    %rdx,0x8(%r8)\n   a:\t48 c7 47 08 00 00 00 \tmovq   $0x0,0x8(%rdi)\n  11:\t00\n  12:\t48                   \trex.W\n  13:\tc7                   \t.byte 0xc7\n  14:\t07                   \t(bad)\n\t...\n[   88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206\n[   88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800\n[   88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000\n[   88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f\n[   88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140\n[   88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac\n[   88.806734] FS:  00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000\n[   88.807225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0\n[   88.808165] Call Trace:\n[   88.808459]  \u003cTASK\u003e\n[   88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[   88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)\n[   88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)\n[   88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)\n[   88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[   88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq\n[   88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g\n---truncated---",
  "id": "GHSA-mfc2-q3p4-2qjv",
  "modified": "2026-05-12T15:30:39Z",
  "published": "2024-10-21T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50039"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1edf039ee01788ffc25625fe58a903ae2efa213e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2acbb9539bc2284e30d2aeb789c3d96287014264"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cb7cf1540ddff5473d6baeb530228d19bc97b8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3dc6ee96473cc2962c6db4297d4631f261be150f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76feedc74b90270390fbfdf74a2e944e96872363"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fb6503592d39065316f45d267c5527b4e7cd995"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adbc3eef43fc94c7c8436da832691ae02333a972"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFCG-4W9Q-F9MR

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Defer probe of clients after smmu device bound

Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called.

Following is how the race occurs:

T1:Smmu device probe T2: Client device probe

really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() / null ptr assigned to smmu / / null ptr dereference while smmu->streamid_mask / driver_bound() klist_add_tail()

When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes.

Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver.

[will: Add comment]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Defer probe of clients after smmu device bound\n\nNull pointer dereference occurs due to a race between smmu\ndriver probe and client driver probe, when of_dma_configure()\nfor client is called after the iommu_device_register() for smmu driver\nprobe has executed but before the driver_bound() for smmu driver\nhas been called.\n\nFollowing is how the race occurs:\n\nT1:Smmu device probe\t\tT2: Client device probe\n\nreally_probe()\narm_smmu_device_probe()\niommu_device_register()\n\t\t\t\t\treally_probe()\n\t\t\t\t\tplatform_dma_configure()\n\t\t\t\t\tof_dma_configure()\n\t\t\t\t\tof_dma_configure_id()\n\t\t\t\t\tof_iommu_configure()\n\t\t\t\t\tiommu_probe_device()\n\t\t\t\t\tiommu_init_device()\n\t\t\t\t\tarm_smmu_probe_device()\n\t\t\t\t\tarm_smmu_get_by_fwnode()\n\t\t\t\t\t\tdriver_find_device_by_fwnode()\n\t\t\t\t\t\tdriver_find_device()\n\t\t\t\t\t\tnext_device()\n\t\t\t\t\t\tklist_next()\n\t\t\t\t\t\t    /* null ptr\n\t\t\t\t\t\t       assigned to smmu */\n\t\t\t\t\t/* null ptr dereference\n\t\t\t\t\t   while smmu-\u003estreamid_mask */\ndriver_bound()\n\tklist_add_tail()\n\nWhen this null smmu pointer is dereferenced later in\narm_smmu_probe_device, the device crashes.\n\nFix this by deferring the probe of the client device\nuntil the smmu device has bound to the arm smmu driver.\n\n[will: Add comment]",
  "id": "GHSA-mfcg-4w9q-f9mr",
  "modified": "2025-11-03T21:31:51Z",
  "published": "2024-12-27T15:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56568"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/229e6ee43d2a160a1592b83aad620d6027084aad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a9485918a042e3114890dfbe19839a1897f8b2c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5018696b19bc6c021e934a8a59f4b1dd8c0ac9f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2527d07c7e9cda2c6165d5edccf74752baac1b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc02407ea952e20c544a078a6be2e6f008327973"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8f794f387ad21c4696e5cd0626cb6f8a5f6aea5"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFG7-X5M7-6P8W

Vulnerability from github – Published: 2019-04-30 15:37 – Updated: 2024-10-28 14:27
VLAI
Summary
NULL Pointer Dereference in Google TensorFlow
Details

NULL pointer dereference in Google TensorFlow before 1.12.1 could cause a denial of service via an invalid GIF file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-9635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-04-30T15:16:24Z",
    "nvd_published_at": "2019-04-24T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "NULL pointer dereference in Google TensorFlow before 1.12.1 could cause a denial of service via an invalid GIF file.",
  "id": "GHSA-mfg7-x5m7-6p8w",
  "modified": "2024-10-28T14:27:38Z",
  "published": "2019-04-30T15:37:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/e41cb124cd0b325821af85cdacd9d8a12e206418"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mfg7-x5m7-6p8w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2019-228.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2019-235.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2019-210.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-001.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NULL Pointer Dereference in Google TensorFlow"
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.