Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6299 vulnerabilities reference this CWE, most recent first.

GHSA-MRF4-WFH4-QJ5W

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Purge vif txq in ieee80211_do_stop()

After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state.

Because vif.drv_priv is now cleared in this function, this could lead to driver crash.

For example in ath12k, ahvif is store in vif.drv_priv. Thus if ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to trigger the NULL deref below.

Unable to handle kernel paging request at virtual address dfffffc000000001 KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] batman_adv: bat0: Interface deactivated: brbh1337 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfffffc000000001] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114 Hardware name: HW (DT) pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k] sp : ffffffc086ace450 x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4 x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0 x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958 x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8 x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03 x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40 x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0 x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001 x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008 Call trace: ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P) ieee80211_handle_wake_tx_queue+0x16c/0x260 ieee80211_queue_skb+0xeec/0x1d20 ieee80211_tx+0x200/0x2c8 ieee80211_xmit+0x22c/0x338 __ieee80211_subif_start_xmit+0x7e8/0xc60 ieee80211_subif_start_xmit+0xc4/0xee0 __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0 ieee80211_subif_start_xmit_8023+0x124/0x488 dev_hard_start_xmit+0x160/0x5a8 __dev_queue_xmit+0x6f8/0x3120 br_dev_queue_push_xmit+0x120/0x4a8 __br_forward+0xe4/0x2b0 deliver_clone+0x5c/0xd0 br_flood+0x398/0x580 br_dev_xmit+0x454/0x9f8 dev_hard_start_xmit+0x160/0x5a8 __dev_queue_xmit+0x6f8/0x3120 ip6_finish_output2+0xc28/0x1b60 __ip6_finish_output+0x38c/0x638 ip6_output+0x1b4/0x338 ip6_local_out+0x7c/0xa8 ip6_send_skb+0x7c/0x1b0 ip6_push_pending_frames+0x94/0xd0 rawv6_sendmsg+0x1a98/0x2898 inet_sendmsg+0x94/0xe0 __sys_sendto+0x1e4/0x308 __arm64_sys_sendto+0xc4/0x140 do_el0_svc+0x110/0x280 el0_svc+0x20/0x60 el0t_64_sync_handler+0x104/0x138 el0t_64_sync+0x154/0x158

To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could be dequeued after ieee80211_do_stop() (new packets cannot be queued because SDATA_STATE_RUNNING is cleared at this point).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T14:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Purge vif txq in ieee80211_do_stop()\n\nAfter ieee80211_do_stop() SKB from vif\u0027s txq could still be processed.\nIndeed another concurrent vif schedule_and_wake_txq call could cause\nthose packets to be dequeued (see ieee80211_handle_wake_tx_queue())\nwithout checking the sdata current state.\n\nBecause vif.drv_priv is now cleared in this function, this could lead to\ndriver crash.\n\nFor example in ath12k, ahvif is store in vif.drv_priv. Thus if\nath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif-\u003eah can be\nNULL, leading the ath12k_warn(ahvif-\u003eah,...) call in this function to\ntrigger the NULL deref below.\n\n  Unable to handle kernel paging request at virtual address dfffffc000000001\n  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n  batman_adv: bat0: Interface deactivated: brbh1337\n  Mem abort info:\n    ESR = 0x0000000096000004\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x04: level 0 translation fault\n  Data abort info:\n    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n    CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n  [dfffffc000000001] address between user and kernel address ranges\n  Internal error: Oops: 0000000096000004 [#1] SMP\n  CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114\n  Hardware name: HW (DT)\n  pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]\n  lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]\n  sp : ffffffc086ace450\n  x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4\n  x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e\n  x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0\n  x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958\n  x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8\n  x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03\n  x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40\n  x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0\n  x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001\n  x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008\n  Call trace:\n   ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)\n   ieee80211_handle_wake_tx_queue+0x16c/0x260\n   ieee80211_queue_skb+0xeec/0x1d20\n   ieee80211_tx+0x200/0x2c8\n   ieee80211_xmit+0x22c/0x338\n   __ieee80211_subif_start_xmit+0x7e8/0xc60\n   ieee80211_subif_start_xmit+0xc4/0xee0\n   __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0\n   ieee80211_subif_start_xmit_8023+0x124/0x488\n   dev_hard_start_xmit+0x160/0x5a8\n   __dev_queue_xmit+0x6f8/0x3120\n   br_dev_queue_push_xmit+0x120/0x4a8\n   __br_forward+0xe4/0x2b0\n   deliver_clone+0x5c/0xd0\n   br_flood+0x398/0x580\n   br_dev_xmit+0x454/0x9f8\n   dev_hard_start_xmit+0x160/0x5a8\n   __dev_queue_xmit+0x6f8/0x3120\n   ip6_finish_output2+0xc28/0x1b60\n   __ip6_finish_output+0x38c/0x638\n   ip6_output+0x1b4/0x338\n   ip6_local_out+0x7c/0xa8\n   ip6_send_skb+0x7c/0x1b0\n   ip6_push_pending_frames+0x94/0xd0\n   rawv6_sendmsg+0x1a98/0x2898\n   inet_sendmsg+0x94/0xe0\n   __sys_sendto+0x1e4/0x308\n   __arm64_sys_sendto+0xc4/0x140\n   do_el0_svc+0x110/0x280\n   el0_svc+0x20/0x60\n   el0t_64_sync_handler+0x104/0x138\n   el0t_64_sync+0x154/0x158\n\nTo avoid that, empty vif\u0027s txq at ieee80211_do_stop() so no packet could\nbe dequeued after ieee80211_do_stop() (new packets cannot be queued\nbecause SDATA_STATE_RUNNING is cleared at this point).",
  "id": "GHSA-mrf4-wfh4-qj5w",
  "modified": "2025-11-03T21:33:46Z",
  "published": "2025-05-01T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37794"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/305741e7e63234cbcf9b5c4e6aeca25ba0834be8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/378677eb8f44621ecc9ce659f7af61e5baa94d81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f6863dc407f25fcf23fc857f9ac51756a09ea2c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8bc34db7f771a464ff8f686b6f8d4e04963fec27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/929ec2c9ad34248ef625e137b6118b6e965797d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8df245b5b29f6de98d016dc18e2bb35ec70b0cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a932a5ce4eee0cbad20220f950fe7bd3534bcbc9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c74b84544dee27298a71715b3ce2c40d372b5a23"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRF7-WP64-3P45

Vulnerability from github – Published: 2023-03-08 00:30 – Updated: 2023-03-14 21:30
VLAI
Details

NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-07T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.",
  "id": "GHSA-mrf7-wp64-3p45",
  "modified": "2023-03-14T21:30:21Z",
  "published": "2023-03-08T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/7ac5023a5f1a37baafbe1043645f97ba3443d9f6"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b2989095-88f3-413a-9a39-c1c58a6e6815"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRG8-H43C-3Q4J

Vulnerability from github – Published: 2024-07-09 21:30 – Updated: 2024-07-09 21:30
VLAI
Details

A vulnerability was discovered in SS in Samsung Mobile Processor, Wearable Processor, and Modems with versions Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 2400, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, and Exynos Modem 5300 that involves a NULL pointer dereference which can cause abnormal termination of a mobile phone via a manipulated packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T20:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in SS in Samsung Mobile Processor, Wearable Processor, and Modems with versions Exynos 9820, Exynos 9825, Exynos 980, Exynos 990, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos 2400, Exynos 9110, Exynos W920, Exynos W930, Exynos Modem 5123, and Exynos Modem 5300 that involves a NULL pointer dereference which can cause abnormal termination of a mobile phone via a manipulated packet.",
  "id": "GHSA-mrg8-h43c-3q4j",
  "modified": "2024-07-09T21:30:37Z",
  "published": "2024-07-09T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28068"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-28068"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRH4-HF55-27FQ

Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2023-12-05 00:31
VLAI
Details

The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T23:15:24Z",
    "severity": "HIGH"
  },
  "details": "\n\n\n\n\n\n\n\n\nThe\nACEManager component of ALEOS 4.16 and earlier does not adequately perform\ninput sanitization during authentication, which could potentially result in a\nDenial of Service (DoS) condition for ACEManager without impairing other router\nfunctions. ACEManager recovers from the DoS condition by restarting within ten\nseconds of becoming unavailable.\n\n\n\n\n\n\n",
  "id": "GHSA-mrh4-hf55-27fq",
  "modified": "2023-12-05T00:31:08Z",
  "published": "2023-12-05T00:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40459"
    },
    {
      "type": "WEB",
      "url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRQ3-QX26-XJXJ

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-06 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: cros-ec-tunnel: defer probe if parent EC is not present

When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to NULL pointer dereference.

That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device).

[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 271.998215] #PF: supervisor read access in kernel mode [ 272.003351] #PF: error_code(0x0000) - not-present page [ 272.008485] PGD 0 P4D 0 [ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI [ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5 [ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC [ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021 [ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel] [ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9 [ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282 [ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000 [ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00 [ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000 [ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000 [ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10 [ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000 [ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0 [ 272.129155] Call Trace: [ 272.131606] [ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110 [ 272.137985] platform_probe+0x69/0xa0 [ 272.141652] really_probe+0x152/0x310 [ 272.145318] __driver_probe_device+0x77/0x110 [ 272.149678] driver_probe_device+0x1e/0x190 [ 272.153864] __driver_attach+0x10b/0x1e0 [ 272.157790] ? driver_attach+0x20/0x20 [ 272.161542] bus_for_each_dev+0x107/0x150 [ 272.165553] bus_add_driver+0x15d/0x270 [ 272.169392] driver_register+0x65/0x110 [ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698] [ 272.182617] do_one_initcall+0x110/0x350 [ 272.186543] ? security_kernfs_init_security+0x49/0xd0 [ 272.191682] ? __kernfs_new_node+0x1b9/0x240 [ 272.195954] ? security_kernfs_init_security+0x49/0xd0 [ 272.201093] ? __kernfs_new_node+0x1b9/0x240 [ 272.205365] ? kernfs_link_sibling+0x105/0x130 [ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0 [ 272.214773] ? kernfs_activate+0x57/0x70 [ 272.218699] ? kernfs_add_one+0x118/0x160 [ 272.222710] ? __kernfs_create_file+0x71/0xa0 [ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110 [ 272.232033] ? internal_create_group+0x453/0x4a0 [ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0 [ 272.241355] ? __free_frozen_pages+0x1dc/0x420 [ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0 [ 272.250505] ? load_module+0x1509/0x16f0 [ 272.254431] do_init_module+0x60/0x230 [ 272.258181] __se_sys_finit_module+0x27a/0x370 [ 272.262627] do_syscall_64+0x6a/0xf0 [ 272.266206] ? do_syscall_64+0x76/0xf0 [ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90 [ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 272.279887] RIP: 0033:0x7b9309168d39 [ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8 [ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000 ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T14:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cros-ec-tunnel: defer probe if parent EC is not present\n\nWhen i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent\ndevice will not be found, leading to NULL pointer dereference.\n\nThat can also be reproduced by unbinding the controller driver and then\nloading i2c-cros-ec-tunnel module (or binding the device).\n\n[  271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[  271.998215] #PF: supervisor read access in kernel mode\n[  272.003351] #PF: error_code(0x0000) - not-present page\n[  272.008485] PGD 0 P4D 0\n[  272.011022] Oops: Oops: 0000 [#1] SMP NOPTI\n[  272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S                  6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full)  3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5\n[  272.030312] Tainted: [S]=CPU_OUT_OF_SPEC\n[  272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021\n[  272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]\n[  272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 \u003c49\u003e 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9\n[  272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282\n[  272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000\n[  272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00\n[  272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000\n[  272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000\n[  272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10\n[  272.108198] FS:  00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000\n[  272.116282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0\n[  272.129155] Call Trace:\n[  272.131606]  \u003cTASK\u003e\n[  272.133709]  ? acpi_dev_pm_attach+0xdd/0x110\n[  272.137985]  platform_probe+0x69/0xa0\n[  272.141652]  really_probe+0x152/0x310\n[  272.145318]  __driver_probe_device+0x77/0x110\n[  272.149678]  driver_probe_device+0x1e/0x190\n[  272.153864]  __driver_attach+0x10b/0x1e0\n[  272.157790]  ? driver_attach+0x20/0x20\n[  272.161542]  bus_for_each_dev+0x107/0x150\n[  272.165553]  bus_add_driver+0x15d/0x270\n[  272.169392]  driver_register+0x65/0x110\n[  272.173232]  ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]\n[  272.182617]  do_one_initcall+0x110/0x350\n[  272.186543]  ? security_kernfs_init_security+0x49/0xd0\n[  272.191682]  ? __kernfs_new_node+0x1b9/0x240\n[  272.195954]  ? security_kernfs_init_security+0x49/0xd0\n[  272.201093]  ? __kernfs_new_node+0x1b9/0x240\n[  272.205365]  ? kernfs_link_sibling+0x105/0x130\n[  272.209810]  ? kernfs_next_descendant_post+0x1c/0xa0\n[  272.214773]  ? kernfs_activate+0x57/0x70\n[  272.218699]  ? kernfs_add_one+0x118/0x160\n[  272.222710]  ? __kernfs_create_file+0x71/0xa0\n[  272.227069]  ? sysfs_add_bin_file_mode_ns+0xd6/0x110\n[  272.232033]  ? internal_create_group+0x453/0x4a0\n[  272.236651]  ? __vunmap_range_noflush+0x214/0x2d0\n[  272.241355]  ? __free_frozen_pages+0x1dc/0x420\n[  272.245799]  ? free_vmap_area_noflush+0x10a/0x1c0\n[  272.250505]  ? load_module+0x1509/0x16f0\n[  272.254431]  do_init_module+0x60/0x230\n[  272.258181]  __se_sys_finit_module+0x27a/0x370\n[  272.262627]  do_syscall_64+0x6a/0xf0\n[  272.266206]  ? do_syscall_64+0x76/0xf0\n[  272.269956]  ? irqentry_exit_to_user_mode+0x79/0x90\n[  272.274836]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[  272.279887] RIP: 0033:0x7b9309168d39\n[  272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8\n[  272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000\n---truncated---",
  "id": "GHSA-mrq3-qx26-xjxj",
  "modified": "2025-11-06T18:32:43Z",
  "published": "2025-05-01T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37781"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/092de5ac8cb2eaa9593a765fa92ba39d8173f984"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1355b5ca4782be85a2ef7275e4c508f770d0fb27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3090cad5ccff8963b95160f4060068048a1e4c4c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/424eafe65647a8d6c690284536e711977153195a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b66d4910a608427367c4e21499e149f085782df7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd83035b6f2a102c2d5acd3bfb2a11ff967aaba6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da8edc9eb2516aface7f86be5fa6d09c0d07b9f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e89bf1311d4497c6743f3021e9c481b16c3a41c9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRVV-FWRW-5PGV

Vulnerability from github – Published: 2022-12-14 21:30 – Updated: 2022-12-16 21:30
VLAI
Details

An issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-14T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the Linux kernel through 5.16-rc6. mtk_vcodec_fw_vpu_init in drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of the return value of devm_kzalloc() and will cause the null pointer dereference.",
  "id": "GHSA-mrvv-fwrw-5pgv",
  "modified": "2022-12-16T21:30:43Z",
  "published": "2022-12-14T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3113"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153053"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.19-rc2\u0026id=e25a89f743b18c029bfbe5e1663ae0c7190912b0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV2P-2VGW-5CPM

Vulnerability from github – Published: 2023-04-20 00:30 – Updated: 2024-04-04 03:36
VLAI
Details

A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T23:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.",
  "id": "GHSA-mv2p-2vgw-5cpm",
  "modified": "2024-04-04T03:36:31Z",
  "published": "2023-04-20T00:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28328"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177389"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV84-GGQF-6Q3W

Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr

Check return value and conduct null pointer handling to avoid null pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-26T11:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Fix the null pointer dereference for vega10_hwmgr\n\nCheck return value and conduct null pointer handling to avoid null pointer dereference.",
  "id": "GHSA-mv84-ggqf-6q3w",
  "modified": "2025-11-04T00:31:18Z",
  "published": "2024-08-26T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43905"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0fa11f9df96217c2785b040629ff1a16900fb51c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ac9deb7e087f0b461c3559d9eaa6b9cf19d3fa8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e538944996d0dd497faf8ee81f8bfcd3aca7d80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50151b7f1c79a09117837eb95b76c2de76841dab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69a441473fec2fc2aa2cf56122d6c42c4266a239"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2629daf218a325f4d69754452cd42fe8451c15b"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV8H-Q9CX-PF93

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-26T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.",
  "id": "GHSA-mv8h-q9cx-pf93",
  "modified": "2022-05-13T01:16:05Z",
  "published": "2022-05-13T01:16:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19870"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2135"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3390"
    },
    {
      "type": "WEB",
      "url": "https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://codereview.qt-project.org/#/c/235998"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4003-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4374"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00080.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVGV-7373-M999

Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-18 06:30
VLAI
Details

Denial of service in WLAN due to potential null pointer dereference while accessing the memory location in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-15T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "Denial of service in WLAN due to potential null pointer dereference while accessing the memory location in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables",
  "id": "GHSA-mvgv-7373-m999",
  "modified": "2022-11-18T06:30:31Z",
  "published": "2022-11-15T12:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25741"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/november-2022-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.