CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-MH27-4Q3P-7MC8
Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Don't expose hw_counters outside of init net namespace
Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one:
[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access in kernel mode [42021.819549] #PF: error_code(0x0000) - not-present page [42021.824636] PGD 0 P4D 0 [42021.827145] Oops: 0000 [#1] SMP PTI [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX [42021.841697] Hardware name: XXX [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 [42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 [42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [42021.949324] Call Trace: [42021.951756] [42021.953842] [] ? show_regs+0x64/0x70 [42021.959030] [] ? __die+0x78/0xc0 [42021.963874] [] ? page_fault_oops+0x2b5/0x3b0 [42021.969749] [] ? exc_page_fault+0x1a2/0x3c0 [42021.975549] [] ? asm_exc_page_fault+0x26/0x30 [42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] [42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core] [42021.995438] [] dev_attr_show+0x1e/0x50 [42022.000803] [] sysfs_kf_seq_show+0x81/0xe0 [42022.006508] [] seq_read_iter+0xf4/0x410 [42022.011954] [] vfs_read+0x16e/0x2f0 [42022.017058] [] ksys_read+0x6e/0xe0 [42022.022073] [] do_syscall_64+0x6a/0xa0 [42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2
The problem can be reproduced using the following steps: ip netns add foo ip netns exec foo bash cat /sys/class/infiniband/mlx4_0/hw_counters/*
The panic occurs because of casting the device pointer into an ib_device pointer using container_of() in hw_stat_device_show() is wrong and leads to a memory corruption.
However the real problem is that hw counters should never been exposed outside of the non-init net namespace.
Fix this by saving the index of the corresponding attribute group (it might be 1 or 2 depending on the presence of driver-specific attributes) and zeroing the pointer to hw_counters group for compat devices during the initialization.
With this fix applied hw_counters are not available in a non-init net namespace: find /sys/class/infiniband/mlx4_0/ -name hw_counters /sys/class/infiniband/mlx4_0/ports/1/hw_counters /sys/class/infiniband/mlx4_0/ports/2/hw_counters /sys/class/infiniband/mlx4_0/hw_counters
ip netns add foo ip netns exec foo bash find /sys/class/infiniband/mlx4_0/ -name hw_counters
{
"affected": [],
"aliases": [
"CVE-2025-22089"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T15:16:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Don\u0027t expose hw_counters outside of init net namespace\n\nCommit 467f432a521a (\"RDMA/core: Split port and device counter sysfs\nattributes\") accidentally almost exposed hw counters to non-init net\nnamespaces. It didn\u0027t expose them fully, as an attempt to read any of\nthose counters leads to a crash like this one:\n\n[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[42021.814463] #PF: supervisor read access in kernel mode\n[42021.819549] #PF: error_code(0x0000) - not-present page\n[42021.824636] PGD 0 P4D 0\n[42021.827145] Oops: 0000 [#1] SMP PTI\n[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX\n[42021.841697] Hardware name: XXX\n[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff \u003c48\u003e 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48\n[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287\n[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000\n[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0\n[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000\n[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530\n[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000\n[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000\n[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0\n[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[42021.949324] Call Trace:\n[42021.951756] \u003cTASK\u003e\n[42021.953842] [\u003cffffffff86c58674\u003e] ? show_regs+0x64/0x70\n[42021.959030] [\u003cffffffff86c58468\u003e] ? __die+0x78/0xc0\n[42021.963874] [\u003cffffffff86c9ef75\u003e] ? page_fault_oops+0x2b5/0x3b0\n[42021.969749] [\u003cffffffff87674b92\u003e] ? exc_page_fault+0x1a2/0x3c0\n[42021.975549] [\u003cffffffff87801326\u003e] ? asm_exc_page_fault+0x26/0x30\n[42021.981517] [\u003cffffffffc0775680\u003e] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]\n[42021.988482] [\u003cffffffffc077564e\u003e] ? hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.995438] [\u003cffffffff86ac7f8e\u003e] dev_attr_show+0x1e/0x50\n[42022.000803] [\u003cffffffff86a3eeb1\u003e] sysfs_kf_seq_show+0x81/0xe0\n[42022.006508] [\u003cffffffff86a11134\u003e] seq_read_iter+0xf4/0x410\n[42022.011954] [\u003cffffffff869f4b2e\u003e] vfs_read+0x16e/0x2f0\n[42022.017058] [\u003cffffffff869f50ee\u003e] ksys_read+0x6e/0xe0\n[42022.022073] [\u003cffffffff8766f1ca\u003e] do_syscall_64+0x6a/0xa0\n[42022.027441] [\u003cffffffff8780013b\u003e] entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe problem can be reproduced using the following steps:\n ip netns add foo\n ip netns exec foo bash\n cat /sys/class/infiniband/mlx4_0/hw_counters/*\n\nThe panic occurs because of casting the device pointer into an\nib_device pointer using container_of() in hw_stat_device_show() is\nwrong and leads to a memory corruption.\n\nHowever the real problem is that hw counters should never been exposed\noutside of the non-init net namespace.\n\nFix this by saving the index of the corresponding attribute group\n(it might be 1 or 2 depending on the presence of driver-specific\nattributes) and zeroing the pointer to hw_counters group for compat\ndevices during the initialization.\n\nWith this fix applied hw_counters are not available in a non-init\nnet namespace:\n find /sys/class/infiniband/mlx4_0/ -name hw_counters\n /sys/class/infiniband/mlx4_0/ports/1/hw_counters\n /sys/class/infiniband/mlx4_0/ports/2/hw_counters\n /sys/class/infiniband/mlx4_0/hw_counters\n\n ip netns add foo\n ip netns exec foo bash\n find /sys/class/infiniband/mlx4_0/ -name hw_counters",
"id": "GHSA-mh27-4q3p-7mc8",
"modified": "2025-11-03T21:33:37Z",
"published": "2025-04-16T15:34:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22089"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH2M-V35P-JGMM
Vulnerability from github – Published: 2022-05-17 03:21 – Updated: 2022-05-17 03:21An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2016-9631"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-12T02:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the Tatsuya Kinoshita w3m fork before 0.5.3-33. w3m allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted HTML page.",
"id": "GHSA-mh2m-v35p-jgmm",
"modified": "2022-05-17T03:21:45Z",
"published": "2022-05-17T03:21:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9631"
},
{
"type": "WEB",
"url": "https://github.com/tats/w3m/issues/42"
},
{
"type": "WEB",
"url": "https://github.com/tats/w3m/blob/master/ChangeLog"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/11/24/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH3R-435P-PH74
Vulnerability from github – Published: 2022-05-17 02:51 – Updated: 2022-05-17 02:51The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document.
{
"affected": [],
"aliases": [
"CVE-2017-7381"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-03T05:59:00Z",
"severity": "MODERATE"
},
"details": "The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document.",
"id": "GHSA-mh3r-435p-ph74",
"modified": "2022-05-17T02:51:25Z",
"published": "2022-05-17T02:51:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7381"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97296"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH46-2WFG-437Q
Vulnerability from github – Published: 2022-05-14 03:41 – Updated: 2022-05-14 03:41Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1200 V200R006C10, V200R006C13, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR1200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR150 V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR150-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR160 V200R006C10, V200R006C12, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR200 V200R006C10, V200R007C00, V200R007C01, V200R008C20, V200R008C30, AR200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR2200 V200R006C10, V200R006C13, V200R006C16, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR2200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR3200 V200R006C10, V200R006C11, V200R007C00, V200R007C01, V200R007C02, V200R008C00, V200R008C10, V200R008C20, V200R008C30, AR3600 V200R006C10, V200R007C00, V200R007C01, V200R008C20, AR510 V200R006C10, V200R006C12, V200R006C13, V200R006C15, V200R006C16, V200R006C17, V200R007C00, V200R008C20, V200R008C30, DP300 V500R002C00, MAX PRESENCE V100R001C00, NetEngine16EX V200R006C10, V200R007C00, V200R008C20, V200R008C30, RP200 V500R002C00, V600R006C00, SRG1300 V200R006C10, V200R007C00, V200R007C02, V200R008C20, V200R008C30, SRG2300 V200R006C10, V200R007C00, V200R007C02, V200R008C20, V200R008C30, SRG3300 V200R006C10, V200R007C00, V200R008C20, V200R008C30, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, TP3106 V100R002C00, TP3206 V100R002C00, V100R002C10 have a null pointer dereference vulnerability. Due to insufficient input validation, an authenticated, local attacker may craft a specific XML file to the affected products to cause null pointer dereference. Successful exploit will cause some service abnormal.
{
"affected": [],
"aliases": [
"CVE-2017-17294"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-15T16:29:00Z",
"severity": "LOW"
},
"details": "Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1200 V200R006C10, V200R006C13, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR1200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR150 V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR150-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR160 V200R006C10, V200R006C12, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR200 V200R006C10, V200R007C00, V200R007C01, V200R008C20, V200R008C30, AR200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR2200 V200R006C10, V200R006C13, V200R006C16, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30, AR2200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR3200 V200R006C10, V200R006C11, V200R007C00, V200R007C01, V200R007C02, V200R008C00, V200R008C10, V200R008C20, V200R008C30, AR3600 V200R006C10, V200R007C00, V200R007C01, V200R008C20, AR510 V200R006C10, V200R006C12, V200R006C13, V200R006C15, V200R006C16, V200R006C17, V200R007C00, V200R008C20, V200R008C30, DP300 V500R002C00, MAX PRESENCE V100R001C00, NetEngine16EX V200R006C10, V200R007C00, V200R008C20, V200R008C30, RP200 V500R002C00, V600R006C00, SRG1300 V200R006C10, V200R007C00, V200R007C02, V200R008C20, V200R008C30, SRG2300 V200R006C10, V200R007C00, V200R007C02, V200R008C20, V200R008C30, SRG3300 V200R006C10, V200R007C00, V200R008C20, V200R008C30, TE30 V100R001C02, V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00, TP3106 V100R002C00, TP3206 V100R002C00, V100R002C10 have a null pointer dereference vulnerability. Due to insufficient input validation, an authenticated, local attacker may craft a specific XML file to the affected products to cause null pointer dereference. Successful exploit will cause some service abnormal.",
"id": "GHSA-mh46-2wfg-437q",
"modified": "2022-05-14T03:41:28Z",
"published": "2022-05-14T03:41:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17294"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171213-06-xml-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MH6C-CJ4F-F948
Vulnerability from github – Published: 2025-03-06 18:31 – Updated: 2025-03-25 15:31In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: avoid NULL pointer dereference
When iterating over the links of a vif, we need to make sure that the pointer is valid (in other words - that the link exists) before dereferncing it. Use for_each_vif_active_link that also does the check.
{
"affected": [],
"aliases": [
"CVE-2024-58062"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T16:15:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: avoid NULL pointer dereference\n\nWhen iterating over the links of a vif, we need to make sure that the\npointer is valid (in other words - that the link exists) before\ndereferncing it.\nUse for_each_vif_active_link that also does the check.",
"id": "GHSA-mh6c-cj4f-f948",
"modified": "2025-03-25T15:31:22Z",
"published": "2025-03-06T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58062"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f6fb4b7611eb6371c493c42fefad84a1742bcbb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf704a7624f99eb2ffca1a16c69183e85544a613"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbb563ad5032a07ac83c746ce5c8de5f25b5ffd0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHC4-95PW-JJV5
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent bad output lengths in smb2_ioctl_query_info()
When calling smb2_ioctl_query_info() with smb_query_info::flags=PASSTHRU_FSCTL and smb_query_info::output_buffer_length=0, the following would return 0x10
buffer = memdup_user(arg + sizeof(struct smb_query_info),
qi.output_buffer_length);
if (IS_ERR(buffer)) {
kfree(vars);
return PTR_ERR(buffer);
}
rather than a valid pointer thus making IS_ERR() check fail. This would then cause a NULL ptr deference in @buffer when accessing it later in smb2_ioctl_query_ioctl(). While at it, prevent having a @buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO FileEndOfFileInformation requests when smb_query_info::flags=PASSTHRU_SET_INFO.
Here is a small C reproducer which triggers a NULL ptr in @buffer when passing an invalid smb_query_info::flags
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#define die(s) perror(s), exit(1)
#define QUERY_INFO 0xc018cf07
int main(int argc, char *argv[])
{
int fd;
if (argc < 2)
exit(1);
fd = open(argv[1], O_RDONLY);
if (fd == -1)
die("open");
if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
die("ioctl");
close(fd);
return 0;
}
mount.cifs //srv/share /mnt -o ...
gcc repro.c && ./a.out /mnt/f0
[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
[ 114.146131] Call Trace:
[ 114.146291] <TASK>
[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]
[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
[ 114.147775] ? dentry_path_raw+0xa6/0xf0
[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]
[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]
[ 114.149371] ? lock_downgrade+0x6f0/0x6f0
[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]
[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70
[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0
[ 114.150562] ? __up_read+0x192/0x710
[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0
[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0
[ 114.151296] __x64_sys_ioctl+0x127/0x190
[ 114.151549] do_syscall_64+0x3b/0x90
[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 114.152079] RIP: 0033:0x7f7aead043df
[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24
---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-49271"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent bad output lengths in smb2_ioctl_query_info()\n\nWhen calling smb2_ioctl_query_info() with\nsmb_query_info::flags=PASSTHRU_FSCTL and\nsmb_query_info::output_buffer_length=0, the following would return\n0x10\n\n\tbuffer = memdup_user(arg + sizeof(struct smb_query_info),\n\t\t\t qi.output_buffer_length);\n\tif (IS_ERR(buffer)) {\n\t\tkfree(vars);\n\t\treturn PTR_ERR(buffer);\n\t}\n\nrather than a valid pointer thus making IS_ERR() check fail. This\nwould then cause a NULL ptr deference in @buffer when accessing it\nlater in smb2_ioctl_query_ioctl(). While at it, prevent having a\n@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO\nFileEndOfFileInformation requests when\nsmb_query_info::flags=PASSTHRU_SET_INFO.\n\nHere is a small C reproducer which triggers a NULL ptr in @buffer when\npassing an invalid smb_query_info::flags\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003cstdint.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003cfcntl.h\u003e\n\t#include \u003csys/ioctl.h\u003e\n\n\t#define die(s) perror(s), exit(1)\n\t#define QUERY_INFO 0xc018cf07\n\n\tint main(int argc, char *argv[])\n\t{\n\t\tint fd;\n\n\t\tif (argc \u003c 2)\n\t\t\texit(1);\n\t\tfd = open(argv[1], O_RDONLY);\n\t\tif (fd == -1)\n\t\t\tdie(\"open\");\n\t\tif (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)\n\t\t\tdie(\"ioctl\");\n\t\tclose(fd);\n\t\treturn 0;\n\t}\n\n\tmount.cifs //srv/share /mnt -o ...\n\tgcc repro.c \u0026\u0026 ./a.out /mnt/f0\n\n\t[ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\n\t[ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\t[ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1\n\t[ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n\t[ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]\n\t[ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24\n\t[ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256\n\t[ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d\n\t[ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380\n\t[ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003\n\t[ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288\n\t[ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000\n\t[ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000\n\t[ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\t[ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0\n\t[ 114.146131] Call Trace:\n\t[ 114.146291] \u003cTASK\u003e\n\t[ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs]\n\t[ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs]\n\t[ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]\n\t[ 114.147775] ? dentry_path_raw+0xa6/0xf0\n\t[ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]\n\t[ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs]\n\t[ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs]\n\t[ 114.149371] ? lock_downgrade+0x6f0/0x6f0\n\t[ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs]\n\t[ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70\n\t[ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0\n\t[ 114.150562] ? __up_read+0x192/0x710\n\t[ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0\n\t[ 114.151025] ? __x64_sys_openat+0x11f/0x1d0\n\t[ 114.151296] __x64_sys_ioctl+0x127/0x190\n\t[ 114.151549] do_syscall_64+0x3b/0x90\n\t[ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\t[ 114.152079] RIP: 0033:0x7f7aead043df\n\t[ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24\n---truncated---",
"id": "GHSA-mhc4-95pw-jjv5",
"modified": "2025-09-22T21:30:16Z",
"published": "2025-09-22T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49271"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7529fbee10d82493c5cb109e51788bf74816d1c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9963ccea6087268e1275b992dca5d0dd4b938765"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b92e358757b91c2827af112cae9af513f26a3f34"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f143f8334fb9eb2f6c7c15b9da1472d9c965fd84"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHHW-J772-75H5
Vulnerability from github – Published: 2024-08-17 09:30 – Updated: 2024-08-19 21:35In the Linux kernel, the following vulnerability has been resolved:
net: mediatek: Fix potential NULL pointer dereference in dummy net_device handling
Move the freeing of the dummy net_device from mtk_free_dev() to mtk_remove().
Previously, if alloc_netdev_dummy() failed in mtk_probe(), eth->dummy_dev would be NULL. The error path would then call mtk_free_dev(), which in turn called free_netdev() assuming dummy_dev was allocated (but it was not), potentially causing a NULL pointer dereference.
By moving free_netdev() to mtk_remove(), we ensure it's only called when mtk_probe() has succeeded and dummy_dev is fully allocated. This addresses a potential NULL pointer dereference detected by Smatch[1].
{
"affected": [],
"aliases": [
"CVE-2024-42282"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-17T09:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mediatek: Fix potential NULL pointer dereference in dummy net_device handling\n\nMove the freeing of the dummy net_device from mtk_free_dev() to\nmtk_remove().\n\nPreviously, if alloc_netdev_dummy() failed in mtk_probe(),\neth-\u003edummy_dev would be NULL. The error path would then call\nmtk_free_dev(), which in turn called free_netdev() assuming dummy_dev\nwas allocated (but it was not), potentially causing a NULL pointer\ndereference.\n\nBy moving free_netdev() to mtk_remove(), we ensure it\u0027s only called when\nmtk_probe() has succeeded and dummy_dev is fully allocated. This\naddresses a potential NULL pointer dereference detected by Smatch[1].",
"id": "GHSA-mhhw-j772-75h5",
"modified": "2024-08-19T21:35:09Z",
"published": "2024-08-17T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42282"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16f3a28cf5f876a7f3550d8f4c870a7b41bcfaef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af6bd5c9901b13a26eaf4d57d97a813297791596"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHPV-QVQJ-2PX4
Vulnerability from github – Published: 2025-02-17 03:31 – Updated: 2025-02-17 03:31A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2025-1371"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-17T03:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-mhpv-qvqj-2px4",
"modified": "2025-02-17T03:31:11Z",
"published": "2025-02-17T03:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1371"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/attachment.cgi?id=15926"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32655"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32655#c2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.295978"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.295978"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.496484"
},
{
"type": "WEB",
"url": "https://www.gnu.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MHQ5-FGP5-4GPG
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-11-24 21:30In the Linux kernel, the following vulnerability has been resolved:
usb: ucsi_acpi: Increase the command completion timeout
Commit 130a96d698d7 ("usb: typec: ucsi: acpi: Increase command completion timeout value") increased the timeout from 5 seconds to 60 seconds due to issues related to alternate mode discovery.
After the alternate mode discovery switch to polled mode the timeout was reduced, but instead of being set back to 5 seconds it was reduced to 1 second.
This is causing problems when using a Lenovo ThinkPad X1 yoga gen7 connected over Type-C to a LG 27UL850-W (charging DP over Type-C).
When the monitor is already connected at boot the following error is logged: "PPM init failed (-110)", /sys/class/typec is empty and on unplugging the NULL pointer deref fixed earlier in this series happens.
When the monitor is connected after boot the following error is logged instead: "GET_CONNECTOR_STATUS failed (-110)".
Setting the timeout back to 5 seconds fixes both cases.
{
"affected": [],
"aliases": [
"CVE-2023-53168"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ucsi_acpi: Increase the command completion timeout\n\nCommit 130a96d698d7 (\"usb: typec: ucsi: acpi: Increase command\ncompletion timeout value\") increased the timeout from 5 seconds\nto 60 seconds due to issues related to alternate mode discovery.\n\nAfter the alternate mode discovery switch to polled mode\nthe timeout was reduced, but instead of being set back to\n5 seconds it was reduced to 1 second.\n\nThis is causing problems when using a Lenovo ThinkPad X1 yoga gen7\nconnected over Type-C to a LG 27UL850-W (charging DP over Type-C).\n\nWhen the monitor is already connected at boot the following error\nis logged: \"PPM init failed (-110)\", /sys/class/typec is empty and\non unplugging the NULL pointer deref fixed earlier in this series\nhappens.\n\nWhen the monitor is connected after boot the following error\nis logged instead: \"GET_CONNECTOR_STATUS failed (-110)\".\n\nSetting the timeout back to 5 seconds fixes both cases.",
"id": "GHSA-mhq5-fgp5-4gpg",
"modified": "2025-11-24T21:30:57Z",
"published": "2025-09-15T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53168"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/02d210f434249a7edbc160969b75df030dc6934d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e8525f37871741a52370627633962f8bdcab15a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8346d21d1d8a63f46f60e6899f4f80b1306acf32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHRJ-PFXM-4X9V
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
VXLAN FDB entries can point to either a remote destination or an FDB nexthop group. The latter is usually used in EVPN deployments where learning is disabled.
However, when learning is enabled, an incoming packet might try to refresh an FDB entry that points to an FDB nexthop group and therefore does not have a remote. Such packets should be dropped, but they are only dropped after dereferencing the non-existent remote, resulting in a NPD [1] which can be reproduced using [2].
Fix by dropping such packets earlier. Remove the misleading comment from first_remote_rcu().
[1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:vxlan_snoop+0x98/0x1e0 [...] Call Trace: vxlan_encap_bypass+0x209/0x240 encap_bypass_if_local+0xb1/0x100 vxlan_xmit_one+0x1375/0x17e0 vxlan_xmit+0x6b4/0x15f0 dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 packet_sendmsg+0x113a/0x1850 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2] #!/bin/bash
ip address add 192.0.2.1/32 dev lo ip address add 192.0.2.2/32 dev lo
ip nexthop add id 1 via 192.0.2.3 fdb ip nexthop add id 10 group 1 fdb
ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning
bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020 bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10
mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q
{
"affected": [],
"aliases": [
"CVE-2025-39851"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T16:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD when refreshing an FDB entry with a nexthop object\n\nVXLAN FDB entries can point to either a remote destination or an FDB\nnexthop group. The latter is usually used in EVPN deployments where\nlearning is disabled.\n\nHowever, when learning is enabled, an incoming packet might try to\nrefresh an FDB entry that points to an FDB nexthop group and therefore\ndoes not have a remote. Such packets should be dropped, but they are\nonly dropped after dereferencing the non-existent remote, resulting in a\nNPD [1] which can be reproduced using [2].\n\nFix by dropping such packets earlier. Remove the misleading comment from\nfirst_remote_rcu().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nCPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:vxlan_snoop+0x98/0x1e0\n[...]\nCall Trace:\n \u003cTASK\u003e\n vxlan_encap_bypass+0x209/0x240\n encap_bypass_if_local+0xb1/0x100\n vxlan_xmit_one+0x1375/0x17e0\n vxlan_xmit+0x6b4/0x15f0\n dev_hard_start_xmit+0x5d/0x1c0\n __dev_queue_xmit+0x246/0xfd0\n packet_sendmsg+0x113a/0x1850\n __sock_sendmsg+0x38/0x70\n __sys_sendto+0x126/0x180\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\n #!/bin/bash\n\n ip address add 192.0.2.1/32 dev lo\n ip address add 192.0.2.2/32 dev lo\n\n ip nexthop add id 1 via 192.0.2.3 fdb\n ip nexthop add id 10 group 1 fdb\n\n ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass\n ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning\n\n bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020\n bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10\n\n mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q",
"id": "GHSA-mhrj-pfxm-4x9v",
"modified": "2025-12-12T21:31:32Z",
"published": "2025-09-22T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39851"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e8630f24c14d9c655d19eabe2e52a9e9f713307"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ff4f3104da6507e0f118c63c4560dfdeb59dce3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6ead38147ebb813f08be6ea8ef547a0e4c09559a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.