Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-P5WW-F5X2-P7FC

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-03 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwl3945: Add missing check for create_singlethread_workqueue

Add the check for the return value of the create_singlethread_workqueue in order to avoid NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T08:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwl3945: Add missing check for create_singlethread_workqueue\n\nAdd the check for the return value of the create_singlethread_workqueue\nin order to avoid NULL pointer dereference.",
  "id": "GHSA-p5ww-f5x2-p7fc",
  "modified": "2025-12-03T18:30:20Z",
  "published": "2025-09-16T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53277"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17e07d6587c55015956862ef3b101fd45fa49fbc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1fdeb8b9f29dfd64805bb49475ac7566a3cb06cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f80b3ff92514ebd227e5c55d3d1e480401b02b7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34f611204ae589bd5c494b10b41fb13436bd3c3f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ae2fc4de12686f3fe695824169c1272c9f798f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/505c74c4c0b1c5bcaa98a93b3087c268156070f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e594abc0424e4f8c2385f11aefeaadcfc507aa5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5X4-PP3W-P9WJ

Vulnerability from github – Published: 2022-05-14 03:58 – Updated: 2022-05-14 03:58
VLAI
Details

bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-20T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file.",
  "id": "GHSA-p5x4-pp3w-p9wj",
  "modified": "2022-05-14T03:58:20Z",
  "published": "2022-05-14T03:58:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8917"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libarchive/libarchive/issues/505"
    },
    {
      "type": "WEB",
      "url": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2015-8917"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-03"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1844.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3657"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/17/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/17/5"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91303"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3033-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P66W-QXRC-77M9

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31
VLAI
Details

Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:18:20Z",
    "severity": "HIGH"
  },
  "details": "Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-p66w-qxrc-77m9",
  "modified": "2026-03-10T18:31:20Z",
  "published": "2026-03-10T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24293"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P66X-8PX8-V377

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

An unhandled memory allocation failure in Core/Ap48bdlAtom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-19717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-13T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An unhandled memory allocation failure in Core/Ap48bdlAtom.cpp of Bento 1.5.1-628 causes a NULL pointer dereference, leading to a denial of service (DOS).",
  "id": "GHSA-p66x-8px8-v377",
  "modified": "2022-05-24T19:08:05Z",
  "published": "2022-05-24T19:08:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19717"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/416"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P67Q-M837-7R9H

Vulnerability from github – Published: 2025-03-14 00:30 – Updated: 2025-03-14 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

staging: vchiq_core: handle NULL result of find_service_by_handle

In case of an invalid handle the function find_servive_by_handle returns NULL. So take care of this and avoid a NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_core: handle NULL result of find_service_by_handle\n\nIn case of an invalid handle the function find_servive_by_handle\nreturns NULL. So take care of this and avoid a NULL pointer dereference.",
  "id": "GHSA-p67q-m837-7r9h",
  "modified": "2025-03-14T00:30:49Z",
  "published": "2025-03-14T00:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49104"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04202f54dd8899e10f56a89c4c1ede0043fa22af"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b424f6586a870b8d657c5e5419465bbe0e7b61f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42f2142a337ee372455574809fc924580a7e51b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa0b7296785312a4bfa8fac0ba8ad78698fd9fcf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca225857faf237234d2fffe5d1919467dfadd822"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P69Q-M87V-6Q9X

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-10-31 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()

devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component_probe() does not check for this case, which results in a NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T14:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\navs_component_probe() does not check for this case, which results in a\nNULL pointer dereference.",
  "id": "GHSA-p69q-m87v-6q9x",
  "modified": "2025-10-31T21:30:56Z",
  "published": "2025-05-01T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37793"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23fde311ea1d0a6c36bf92ce48b90b77d0ece1a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95f723cf141b95e3b3a5b92cf2ea98a863fe7275"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aaa93b8846101461de815759d39979661b82d5a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2825073271b6f15e669a424b363612082494863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6F8-9M89-HWVW

Vulnerability from github – Published: 2025-01-31 12:33 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]

Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't.

Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning.

This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T12:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: prevent null-ptr-deref in vsock_*[has_data|has_space]\n\nRecent reports have shown how we sometimes call vsock_*_has_data()\nwhen a vsock socket has been de-assigned from a transport (see attached\nlinks), but we shouldn\u0027t.\n\nPrevious commits should have solved the real problems, but we may have\nmore in the future, so to avoid null-ptr-deref, we can return 0\n(no space, no data available) but with a warning.\n\nThis way the code should continue to run in a nearly consistent state\nand have a warning that allows us to debug future problems.",
  "id": "GHSA-p6f8-9m89-hwvw",
  "modified": "2026-05-12T15:30:44Z",
  "published": "2025-01-31T12:33:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21666"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91751e248256efc111e52e15115840c35d85abaf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e5fed46ccd2c34c5fa5a9c8825ce4823fdc853e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b52e50dd4fabd12944172bd486a4f4853b7f74dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc9c49341f9728c31fe248c5fbba32d2e81a092b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c23d1d4f8efefb72258e9cedce29de10d057f8ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/daeac89cdb03d30028186f5ff7dc26ec8fa843e7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6J3-P28J-4X3H

Vulnerability from github – Published: 2024-08-17 12:30 – Updated: 2024-09-03 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

kvm: s390: Reject memory region operations for ucontrol VMs

This change rejects the KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM. This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and would thus result in a null pointer dereference further in. Memory management needs to be performed in userspace and using the ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.

Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2.

[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: s390: Reject memory region operations for ucontrol VMs\n\nThis change rejects the KVM_SET_USER_MEMORY_REGION and\nKVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM.\nThis is necessary since ucontrol VMs have kvm-\u003earch.gmap set to 0 and\nwould thus result in a null pointer dereference further in.\nMemory management needs to be performed in userspace and using the\nioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP.\n\nAlso improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION\nand KVM_SET_USER_MEMORY_REGION2.\n\n[frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]",
  "id": "GHSA-p6j3-p28j-4x3h",
  "modified": "2024-09-03T18:31:31Z",
  "published": "2024-08-17T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43819"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49c9945c054df4c22008e2bf87ca74d3e2507aa6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7816e58967d0e6cadce05c8540b47ed027dc2499"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6JG-GM5J-8F2R

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-05-05 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/sysfs: check contexts->nr in repeat_call_fn

damon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(), damon_sysfs_upd_schemes_stats(), and damon_sysfs_upd_schemes_effective_quotas() without checking contexts->nr. If nr_contexts is set to 0 via sysfs while DAMON is running, these functions dereference contexts_arr[0] and cause a NULL pointer dereference. Add the missing check.

For example, the issue can be reproduced using DAMON sysfs interface and DAMON user-space tool (damo) [1] like below.

$ sudo damo start --refresh_interval 1s
$ echo 0 | sudo tee \
        /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:41Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: check contexts-\u003enr in repeat_call_fn\n\ndamon_sysfs_repeat_call_fn() calls damon_sysfs_upd_tuned_intervals(),\ndamon_sysfs_upd_schemes_stats(), and\ndamon_sysfs_upd_schemes_effective_quotas() without checking contexts-\u003enr. \nIf nr_contexts is set to 0 via sysfs while DAMON is running, these\nfunctions dereference contexts_arr[0] and cause a NULL pointer\ndereference.  Add the missing check.\n\nFor example, the issue can be reproduced using DAMON sysfs interface and\nDAMON user-space tool (damo) [1] like below.\n\n    $ sudo damo start --refresh_interval 1s\n    $ echo 0 | sudo tee \\\n            /sys/kernel/mm/damon/admin/kdamonds/0/contexts/nr_contexts",
  "id": "GHSA-p6jg-gm5j-8f2r",
  "modified": "2026-05-05T21:31:16Z",
  "published": "2026-04-22T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31457"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3527e9fdc38570cea0f6ddb7a2c9303d4044b217"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/652cd0641a763dd0e846b0d12814977fadb2b7d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6557004a8b59c7701e695f02be03c7e20ed1cc15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6JX-F9X6-6955

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: don't use simple_strtoul

Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request() with a new sip_parse_port() helper that validates each digit against the buffer limit, eliminating the use of simple_strtoul() which assumes NUL-terminated strings.

The previous code dereferenced pointers without bounds checks after sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated skb data. A port that reaches the buffer limit without a trailing character is also rejected as malformed.

Also get rid of all simple_strtoul() usage in conntrack, prefer a stricter version instead. There are intentional changes:

  • Bail out if number is > UINT_MAX and indicate a failure, same for too long sequences. While we do accept 05535 as port 5535, we will not accept e.g. 'sip:10.0.0.1:005060'. While its syntactically valid under RFC 3261, we should restrict this to not waste cycles when presented with malformed packets with 64k '0' characters.

  • Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch 'expire=' and 'rports='; both are expected to use base-10.

  • In nf_nat_sip.c, only accept the parsed value if its within the 1k-64k range.

  • epaddr_len now returns 0 if the port is invalid, as it already does for invalid ip addresses. This is intentional. nf_conntrack_sip performs lots of guesswork to find the right parts of the message to parse. Being stricter could break existing setups. Connection tracking helpers are designed to allow traffic to pass, not to block it.

Based on an earlier patch from Jenny Guanni Qu qguanni@gmail.com.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:09Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: don\u0027t use simple_strtoul\n\nReplace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(),\nand ct_sip_parse_request() with a new sip_parse_port() helper that\nvalidates each digit against the buffer limit, eliminating the use of\nsimple_strtoul() which assumes NUL-terminated strings.\n\nThe previous code dereferenced pointers without bounds checks after\nsip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated\nskb data. A port that reaches the buffer limit without a trailing\ncharacter is also rejected as malformed.\n\nAlso get rid of all simple_strtoul() usage in conntrack, prefer a\nstricter version instead.  There are intentional changes:\n\n- Bail out if number is \u003e UINT_MAX and indicate a failure, same for\n  too long sequences.\n  While we do accept 05535 as port 5535, we will not accept e.g.\n  \u0027sip:10.0.0.1:005060\u0027.  While its syntactically valid under RFC 3261,\n  we should restrict this to not waste cycles when presented with\n  malformed packets with 64k \u00270\u0027 characters.\n\n- Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch\n  \u0027expire=\u0027 and \u0027rports=\u0027; both are expected to use base-10.\n\n- In nf_nat_sip.c, only accept the parsed value if its within the 1k-64k\n  range.\n\n- epaddr_len now returns 0 if the port is invalid, as it already does\n  for invalid ip addresses.  This is intentional. nf_conntrack_sip\n  performs lots of guesswork to find the right parts of the message\n  to parse.  Being stricter could break existing setups.\n  Connection tracking helpers are designed to allow traffic to\n  pass, not to block it.\n\nBased on an earlier patch from Jenny Guanni Qu \u003cqguanni@gmail.com\u003e.",
  "id": "GHSA-p6jx-f9x6-6955",
  "modified": "2026-06-28T09:31:37Z",
  "published": "2026-06-24T18:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52986"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/523762e3b6933fff81f01dfa3c60c0774044cdab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7df9863bf538a626e8a684e59cb2c43eac0ef3c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cd0358379570003659186706e077929d6930c40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cf6809cddcbe301aedfc6b51bcd4944d45795f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c6afcb1c3cbb2c0da65b8515ac14d7273872f84"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f69c323ae0ab517e595c2cc74e0ae0d9d085611"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3264c977e79d8a25778d4fd11520f00fea1329c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea2ecd29b8f4433e52607192ca91084f95787ca0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.