Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6298 vulnerabilities reference this CWE, most recent first.

GHSA-MP85-7MRQ-R866

Vulnerability from github – Published: 2025-12-05 18:12 – Updated: 2025-12-05 18:12
VLAI
Summary
Envoy crashes when JWT authentication is configured with the remote JWKS fetching
Details

Summary

Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.

Details

This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object.

The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives.

PoC

  • allow_missing_or_failed or allow_missing is enabled
  • The client send 2 Authorization headers
  • the remote JWKS fetching failed
  • There will be crash

Impact

DoS and Crash

Mitigation

  • Disable the allow_missing_or_failed or allow_missing
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.36.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "fixed": "1.36.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.35.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.35.0"
            },
            {
              "fixed": "1.35.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.34.10"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.34.0"
            },
            {
              "fixed": "1.34.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.33.12"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-05T18:12:39Z",
    "nvd_published_at": "2025-12-03T18:15:46Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nEnvoy crashes when JWT authentication is configured with the remote JWKS fetching, `allow_missing_or_failed` is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails.\n\n### Details\nThis is caused by a re-entry bug in the `JwksFetcherImpl`. When the first token\u0027s JWKS fetch fails, `onJwksError()` callback triggers processing of the second token, which calls fetch() again on the same fetcher object.\n\nThe original callback\u0027s reset() then clears the second fetch\u0027s state (`receiver_ and request_`) which causes a crash when the async HTTP response arrives.\n\n### PoC\n* `allow_missing_or_failed` or `allow_missing` is enabled\n* The client send 2 Authorization headers\n* the remote JWKS fetching failed\n* There will be crash\n\n### Impact\nDoS and Crash\n\n### Mitigation\n* Disable the `allow_missing_or_failed` or `allow_missing`",
  "id": "GHSA-mp85-7mrq-r866",
  "modified": "2025-12-05T18:12:39Z",
  "published": "2025-12-05T18:12:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64527"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/envoy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy crashes when JWT authentication is configured with the remote JWKS fetching"
}

GHSA-MP88-8GQ5-G25X

Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2024-05-16 09:33
VLAI
Details

Animate versions 24.0.2, 23.0.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T09:15:11Z",
    "severity": "HIGH"
  },
  "details": "Animate versions 24.0.2, 23.0.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-mp88-8gq5-g25x",
  "modified": "2024-05-16T09:33:08Z",
  "published": "2024-05-16T09:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30295"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/animate/apsb24-36.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MP8H-QMXP-C39W

Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-13 00:00
VLAI
Details

On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-476",
      "CWE-822"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-04T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.",
  "id": "GHSA-mp8h-qmxp-c39w",
  "modified": "2022-05-13T00:00:38Z",
  "published": "2022-05-05T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20796"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RV6BLIATIJE74SQ6NG5ZC4JK5MMDQ2R"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BX5ZXNHP4NFYQ5BFSKY3WT7NTBZUYG7L"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N4NNBIJVG6Z4PDIKUZXTYXICYUAYAZ56"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-01"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-dos-vL9x58p4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPJJ-88PQ-258Q

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix metadata dst->dev xmit null pointer dereference

When we try to transmit an skb with metadata_dst attached (i.e. dst->dev == NULL) through xfrm interface we can hit a null pointer dereference[1] in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a loopback skb device when there's no policy which dereferences dst->dev unconditionally. Not having dst->dev can be interepreted as it not being a loopback device, so just add a check for a null dst_orig->dev.

With this fix xfrm interface's Tx error counters go up as usual.

[1] net-next calltrace captured via netconsole: BUG: kernel NULL pointer dereference, address: 00000000000000c0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60 Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02 RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80 RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000 R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880 R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0 Call Trace: xfrmi_xmit+0xde/0x460 ? tcf_bpf_act+0x13d/0x2a0 dev_hard_start_xmit+0x72/0x1e0 __dev_queue_xmit+0x251/0xd30 ip_finish_output2+0x140/0x550 ip_push_pending_frames+0x56/0x80 raw_sendmsg+0x663/0x10a0 ? try_charge_memcg+0x3fd/0x7a0 ? __mod_memcg_lruvec_state+0x93/0x110 ? sock_sendmsg+0x30/0x40 sock_sendmsg+0x30/0x40 __sys_sendto+0xeb/0x130 ? handle_mm_fault+0xae/0x280 ? do_user_addr_fault+0x1e7/0x680 ? kvm_read_and_reset_apf_flags+0x3b/0x50 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7ff35cac1366 Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89 RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366 RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003 RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001 Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole] CR2: 00000000000000c0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: policy: fix metadata dst-\u003edev xmit null pointer dereference\n\nWhen we try to transmit an skb with metadata_dst attached (i.e. dst-\u003edev\n== NULL) through xfrm interface we can hit a null pointer dereference[1]\nin xfrmi_xmit2() -\u003e xfrm_lookup_with_ifid() due to the check for a\nloopback skb device when there\u0027s no policy which dereferences dst-\u003edev\nunconditionally. Not having dst-\u003edev can be interepreted as it not being\na loopback device, so just add a check for a null dst_orig-\u003edev.\n\nWith this fix xfrm interface\u0027s Tx error counters go up as usual.\n\n[1] net-next calltrace captured via netconsole:\n  BUG: kernel NULL pointer dereference, address: 00000000000000c0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP\n  CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014\n  RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60\n  Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 \u003cf6\u003e 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02\n  RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80\n  RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000\n  R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880\n  R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\n  FS:  00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0\n  Call Trace:\n   \u003cTASK\u003e\n   xfrmi_xmit+0xde/0x460\n   ? tcf_bpf_act+0x13d/0x2a0\n   dev_hard_start_xmit+0x72/0x1e0\n   __dev_queue_xmit+0x251/0xd30\n   ip_finish_output2+0x140/0x550\n   ip_push_pending_frames+0x56/0x80\n   raw_sendmsg+0x663/0x10a0\n   ? try_charge_memcg+0x3fd/0x7a0\n   ? __mod_memcg_lruvec_state+0x93/0x110\n   ? sock_sendmsg+0x30/0x40\n   sock_sendmsg+0x30/0x40\n   __sys_sendto+0xeb/0x130\n   ? handle_mm_fault+0xae/0x280\n   ? do_user_addr_fault+0x1e7/0x680\n   ? kvm_read_and_reset_apf_flags+0x3b/0x50\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x34/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n  RIP: 0033:0x7ff35cac1366\n  Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89\n  RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n  RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366\n  RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003\n  RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040\n  R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001\n   \u003c/TASK\u003e\n  Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]\n  CR2: 00000000000000c0",
  "id": "GHSA-mpjj-88pq-258q",
  "modified": "2025-11-14T18:31:24Z",
  "published": "2025-06-18T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50004"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17ecd4a4db4783392edd4944f5e8268205083f70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2761612bcde9776dd93ce60ce55ef0b7c7329153"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96f2758a6d028d1ac08616de9c3c7ff2a122ecf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e26d676c1f9f335510780b566a10475c47ce03d0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPRR-P5PF-VHC3

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-02 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Validate BOOT record_size

When the NTFS BOOT record_size field < 0, it represents a shift value. However, there is no sanity check on the shift result and the sbi->record_bits calculation through blksize_bits() assumes the size always > 256, which could lead to NPD while mounting a malformed NTFS image.

[ 318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158 [ 318.675682] #PF: supervisor read access in kernel mode [ 318.675869] #PF: error_code(0x0000) - not-present page [ 318.676246] PGD 0 P4D 0 [ 318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5 [ 318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0 [ 318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 [ 318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 [ 318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 [ 318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 [ 318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 [ 318.683618] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 [ 318.684280] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0 [ 318.685623] Call Trace: [ 318.686607] [ 318.686872] ? ntfs_alloc_inode+0x1a/0x60 [ 318.687235] attr_load_runs_vcn+0x2b/0xa0 [ 318.687468] mi_read+0xbb/0x250 [ 318.687576] ntfs_iget5+0x114/0xd90 [ 318.687750] ntfs_fill_super+0x588/0x11b0 [ 318.687953] ? put_ntfs+0x130/0x130 [ 318.688065] ? snprintf+0x49/0x70 [ 318.688164] ? put_ntfs+0x130/0x130 [ 318.688256] get_tree_bdev+0x16a/0x260 [ 318.688407] vfs_get_tree+0x20/0xb0 [ 318.688519] path_mount+0x2dc/0x9b0 [ 318.688877] do_mount+0x74/0x90 [ 318.689142] __x64_sys_mount+0x89/0xd0 [ 318.689636] do_syscall_64+0x3b/0x90 [ 318.689998] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 318.690318] RIP: 0033:0x7fd9e133c48a [ 318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a [ 318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0 [ 318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020 [ 318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0 [ 318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff [ 318.693007] [ 318.693271] Modules linked in: [ 318.693614] CR2: 0000000000000158 [ 318.694446] ---[ end trace 0000000000000000 ]--- [ 318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0 [ 318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180 [ 318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246 [ 318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080 [ 318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080 [ 318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000 [ 318.700973] FS: 00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000 [ ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate BOOT record_size\n\nWhen the NTFS BOOT record_size field \u003c 0, it represents a\nshift value. However, there is no sanity check on the shift result\nand the sbi-\u003erecord_bits calculation through blksize_bits() assumes\nthe size always \u003e 256, which could lead to NPD while mounting a\nmalformed NTFS image.\n\n[  318.675159] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[  318.675682] #PF: supervisor read access in kernel mode\n[  318.675869] #PF: error_code(0x0000) - not-present page\n[  318.676246] PGD 0 P4D 0\n[  318.676502] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  318.676934] CPU: 0 PID: 259 Comm: mount Not tainted 5.19.0 #5\n[  318.677289] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[  318.678136] RIP: 0010:ni_find_attr+0x2d/0x1c0\n[  318.678656] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180\n[  318.679848] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246\n[  318.680104] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080\n[  318.680790] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  318.681679] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n[  318.682577] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080\n[  318.683015] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000\n[  318.683618] FS:  00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000\n[  318.684280] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  318.684651] CR2: 0000000000000158 CR3: 0000000002e1a000 CR4: 00000000000006f0\n[  318.685623] Call Trace:\n[  318.686607]  \u003cTASK\u003e\n[  318.686872]  ? ntfs_alloc_inode+0x1a/0x60\n[  318.687235]  attr_load_runs_vcn+0x2b/0xa0\n[  318.687468]  mi_read+0xbb/0x250\n[  318.687576]  ntfs_iget5+0x114/0xd90\n[  318.687750]  ntfs_fill_super+0x588/0x11b0\n[  318.687953]  ? put_ntfs+0x130/0x130\n[  318.688065]  ? snprintf+0x49/0x70\n[  318.688164]  ? put_ntfs+0x130/0x130\n[  318.688256]  get_tree_bdev+0x16a/0x260\n[  318.688407]  vfs_get_tree+0x20/0xb0\n[  318.688519]  path_mount+0x2dc/0x9b0\n[  318.688877]  do_mount+0x74/0x90\n[  318.689142]  __x64_sys_mount+0x89/0xd0\n[  318.689636]  do_syscall_64+0x3b/0x90\n[  318.689998]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  318.690318] RIP: 0033:0x7fd9e133c48a\n[  318.690687] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[  318.691357] RSP: 002b:00007ffd374406c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[  318.691632] RAX: ffffffffffffffda RBX: 0000564d0b051080 RCX: 00007fd9e133c48a\n[  318.691920] RDX: 0000564d0b051280 RSI: 0000564d0b051300 RDI: 0000564d0b0596a0\n[  318.692123] RBP: 0000000000000000 R08: 0000564d0b0512a0 R09: 0000000000000020\n[  318.692349] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564d0b0596a0\n[  318.692673] R13: 0000564d0b051280 R14: 0000000000000000 R15: 00000000ffffffff\n[  318.693007]  \u003c/TASK\u003e\n[  318.693271] Modules linked in:\n[  318.693614] CR2: 0000000000000158\n[  318.694446] ---[ end trace 0000000000000000 ]---\n[  318.694779] RIP: 0010:ni_find_attr+0x2d/0x1c0\n[  318.694952] Code: 89 ca 4d 89 c7 41 56 41 55 41 54 41 89 cc 55 48 89 fd 53 48 89 d3 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 180\n[  318.696042] RSP: 0018:ffffa6c8c0297bd8 EFLAGS: 00000246\n[  318.696531] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000080\n[  318.698114] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  318.699286] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n[  318.699795] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000080\n[  318.700236] R13: ffff8d5582e68400 R14: 0000000000000100 R15: 0000000000000000\n[  318.700973] FS:  00007fd9e1c81e40(0000) GS:ffff8d55fdc00000(0000) knlGS:0000000000000000\n[\n---truncated---",
  "id": "GHSA-mprr-p5pf-vhc3",
  "modified": "2025-12-02T21:31:25Z",
  "published": "2025-09-15T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50262"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b66046266690454dc04e6307bcff4a5605b42a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8702e0dc987014f6d77740b693340f91344fd0ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af7a195deae349f15baa765d000a5188920d61dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db91a9c59162a9c56792ded88160442c0a2dabd5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPVH-7X64-2FC7

Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2022-05-24 17:04
VLAI
Details

exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-18T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.",
  "id": "GHSA-mpvh-7x64-2fc7",
  "modified": "2022-05-24T17:04:03Z",
  "published": "2022-05-24T17:04:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0514"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200114-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4298-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4638"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPVQ-C99J-QJ2V

Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2025-11-03 21:30
VLAI
Details

XMP Toolkit 2021.07 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-02T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "XMP Toolkit 2021.07 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-mpvq-c99j-qj2v",
  "modified": "2025-11-03T21:30:39Z",
  "published": "2022-05-04T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42528"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/xmpcore/apsb21-108.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00003.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPWV-4WMH-CVF7

Vulnerability from github – Published: 2026-01-23 09:30 – Updated: 2026-06-02 15:31
VLAI
Details

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T08:16:01Z",
    "severity": "LOW"
  },
  "details": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
  "id": "GHSA-mpwv-4wmh-cvf7",
  "modified": "2026-06-02T15:31:51Z",
  "published": "2026-01-23T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24515"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/pull/1131"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPX7-H62M-5FWV

Vulnerability from github – Published: 2022-05-14 03:37 – Updated: 2022-05-14 03:37
VLAI
Details

An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-27T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.",
  "id": "GHSA-mpx7-h62m-5fwv",
  "modified": "2022-05-14T03:37:09Z",
  "published": "2022-05-14T03:37:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6534"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Icinga/icinga2/pull/6104"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPXH-CQC3-VXPW

Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2024-09-09 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails

Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointer dereference on:

msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);

as gpu->pdev is only assigned in:

a6xx_gpu_init() | adreno_gpu_init | msm_gpu_init()

Instead of relying on handwavy null checks down the cleanup chain, explicitly de-allocate the LLC data and free a6xx_gpu instead.

Patchwork: https://patchwork.freedesktop.org/patch/588919/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-21T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails\n\nCalling a6xx_destroy() before adreno_gpu_init() leads to a null pointer\ndereference on:\n\nmsm_gpu_cleanup() : platform_set_drvdata(gpu-\u003epdev, NULL);\n\nas gpu-\u003epdev is only assigned in:\n\na6xx_gpu_init()\n|_ adreno_gpu_init\n    |_ msm_gpu_init()\n\nInstead of relying on handwavy null checks down the cleanup chain,\nexplicitly de-allocate the LLC data and free a6xx_gpu instead.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588919/",
  "id": "GHSA-mpxh-cqc3-vxpw",
  "modified": "2024-09-09T15:30:37Z",
  "published": "2024-06-21T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38390"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/247849eeb3fd88f8990ed73e33af70d5c10f9aec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46d4efcccc688cbacdd70a238bedca510acaa8e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/617e3d1680504a3f9d88e1582892c68be155498f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1955a6df91355fef72a3a254700acd3cc1fec0d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.