Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-P776-RXGV-H888

Vulnerability from github – Published: 2024-07-29 18:30 – Updated: 2024-08-22 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cxl/region: Avoid null pointer dereference in region lookup

cxl_dpa_to_region() looks up a region based on a memdev and DPA. It wrongly assumes an endpoint found mapping the DPA is also of a fully assembled region. When not true it leads to a null pointer dereference looking up the region name.

This appears during testing of region lookup after a failure to assemble a BIOS defined region or if the lookup raced with the assembly of the BIOS defined region.

Failure to clean up BIOS defined regions that fail assembly is an issue in itself and a fix to that problem will alleviate some of the impact. It will not alleviate the race condition so let's harden this path.

The behavior change is that the kernel oops due to a null pointer dereference is replaced with a dev_dbg() message noting that an endpoint was mapped.

Additional comments are added so that future users of this function can more clearly understand what it provides.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T16:15:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Avoid null pointer dereference in region lookup\n\ncxl_dpa_to_region() looks up a region based on a memdev and DPA.\nIt wrongly assumes an endpoint found mapping the DPA is also of\na fully assembled region. When not true it leads to a null pointer\ndereference looking up the region name.\n\nThis appears during testing of region lookup after a failure to\nassemble a BIOS defined region or if the lookup raced with the\nassembly of the BIOS defined region.\n\nFailure to clean up BIOS defined regions that fail assembly is an\nissue in itself and a fix to that problem will alleviate some of\nthe impact. It will not alleviate the race condition so let\u0027s harden\nthis path.\n\nThe behavior change is that the kernel oops due to a null pointer\ndereference is replaced with a dev_dbg() message noting that an\nendpoint was mapped.\n\nAdditional comments are added so that future users of this function\ncan more clearly understand what it provides.",
  "id": "GHSA-p776-rxgv-h888",
  "modified": "2024-08-22T15:31:18Z",
  "published": "2024-07-29T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41084"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/285f2a08841432fc3e498b1cd00cce5216cdf189"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9e099e29e925f8b31cfe53e8a786b9796f8e453"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8a40a6dbfb0150c1081384caa9bbe28ce5d5060"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P788-V6C7-5VQG

Vulnerability from github – Published: 2023-08-21 21:31 – Updated: 2024-04-25 15:30
VLAI
Details

A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-21T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.",
  "id": "GHSA-p788-v6c7-5vqg",
  "modified": "2024-04-25T15:30:36Z",
  "published": "2023-08-21T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4459"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0412"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1250"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1306"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1367"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1382"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2006"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2008"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4459"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7G8-G57P-R8QX

Vulnerability from github – Published: 2025-11-07 21:31 – Updated: 2026-05-06 18:30
VLAI
Details

A flaw was found in FFmpeg’s ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control, it can be used to disrupt services and cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-07T19:16:27Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in FFmpeg\u2019s ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control, it can be used to disrupt services and cause a denial of service.",
  "id": "GHSA-p7g8-g57p-r8qx",
  "modified": "2026-05-06T18:30:24Z",
  "published": "2025-11-07T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-7700"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380420"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7GC-VHMF-5WJC

Vulnerability from github – Published: 2025-02-01 00:31 – Updated: 2025-02-03 21:31
VLAI
Details

In macrozheng mall-tiny 1.0.1, an attacker can send null data through the resource creation interface resulting in a null pointer dereference occurring in all subsequent operations that require authentication, which triggers a denial-of-service attack and service restart failure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T22:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In macrozheng mall-tiny 1.0.1, an attacker can send null data through the resource creation interface resulting in a null pointer dereference occurring in all subsequent operations that require authentication, which triggers a denial-of-service attack and service restart failure.",
  "id": "GHSA-p7gc-vhmf-5wjc",
  "modified": "2025-02-03T21:31:49Z",
  "published": "2025-02-01T00:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peccc/restful_vul/blob/main/mall_tiny_dos/mall_tiny_dos.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7JF-WQ44-HQQ3

Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2025-11-19 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

block: reject bs > ps block devices when THP is disabled

If THP is disabled and when a block device with logical block size > page size is present, the following null ptr deref panic happens during boot:

[ [13.2 mK AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07] [ 13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380 [ 13.025448] Call Trace: [ 13.025692] [ 13.025895] block_read_full_folio+0x610/0x780 [ 13.026379] ? __pfx_blkdev_get_block+0x10/0x10 [ 13.027008] ? __folio_batch_add_and_move+0x1fa/0x2b0 [ 13.027548] ? __pfx_blkdev_read_folio+0x10/0x10 [ 13.028080] filemap_read_folio+0x9b/0x200 [ 13.028526] ? __pfx_filemap_read_folio+0x10/0x10 [ 13.029030] ? __filemap_get_folio+0x43/0x620 [ 13.029497] do_read_cache_folio+0x155/0x3b0 [ 13.029962] ? __pfx_blkdev_read_folio+0x10/0x10 [ 13.030381] read_part_sector+0xb7/0x2a0 [ 13.030805] read_lba+0x174/0x2c0 [ 13.045348] nvme_scan_ns+0x684/0x850 [nvme_core] [ 13.045858] ? __pfx_nvme_scan_ns+0x10/0x10 [nvme_core] [ 13.046414] ? _raw_spin_unlock+0x15/0x40 [ 13.046843] ? __switch_to+0x523/0x10a0 [ 13.047253] ? kvm_clock_get_cycles+0x14/0x30 [ 13.047742] ? __pfx_nvme_scan_ns_async+0x10/0x10 [nvme_core] [ 13.048353] async_run_entry_fn+0x96/0x4f0 [ 13.048787] process_one_work+0x667/0x10a0 [ 13.049219] worker_thread+0x63c/0xf60

As large folio support depends on THP, only allow bs > ps block devices if THP is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T16:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: reject bs \u003e ps block devices when THP is disabled\n\nIf THP is disabled and when a block device with logical block size \u003e\npage size is present, the following null ptr deref panic happens during\nboot:\n\n[   [13.2 mK  AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07]\n[   13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380\n\u003csnip\u003e\n[   13.025448] Call Trace:\n[   13.025692]  \u003cTASK\u003e\n[   13.025895]  block_read_full_folio+0x610/0x780\n[   13.026379]  ? __pfx_blkdev_get_block+0x10/0x10\n[   13.027008]  ? __folio_batch_add_and_move+0x1fa/0x2b0\n[   13.027548]  ? __pfx_blkdev_read_folio+0x10/0x10\n[   13.028080]  filemap_read_folio+0x9b/0x200\n[   13.028526]  ? __pfx_filemap_read_folio+0x10/0x10\n[   13.029030]  ? __filemap_get_folio+0x43/0x620\n[   13.029497]  do_read_cache_folio+0x155/0x3b0\n[   13.029962]  ? __pfx_blkdev_read_folio+0x10/0x10\n[   13.030381]  read_part_sector+0xb7/0x2a0\n[   13.030805]  read_lba+0x174/0x2c0\n\u003csnip\u003e\n[   13.045348]  nvme_scan_ns+0x684/0x850 [nvme_core]\n[   13.045858]  ? __pfx_nvme_scan_ns+0x10/0x10 [nvme_core]\n[   13.046414]  ? _raw_spin_unlock+0x15/0x40\n[   13.046843]  ? __switch_to+0x523/0x10a0\n[   13.047253]  ? kvm_clock_get_cycles+0x14/0x30\n[   13.047742]  ? __pfx_nvme_scan_ns_async+0x10/0x10 [nvme_core]\n[   13.048353]  async_run_entry_fn+0x96/0x4f0\n[   13.048787]  process_one_work+0x667/0x10a0\n[   13.049219]  worker_thread+0x63c/0xf60\n\nAs large folio support depends on THP, only allow bs \u003e ps block devices\nif THP is enabled.",
  "id": "GHSA-p7jf-wq44-hqq3",
  "modified": "2025-11-19T18:31:16Z",
  "published": "2025-07-25T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38442"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cdf1bdd45ac78a088773722f009883af30ad318"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b025d81b96bfe8a62b6e3e6ac776608206ccbf6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7M9-59WP-JX9R

Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-07 00:01
VLAI
Details

chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file. in GitHub repository hpjansson/chafa prior to 1.10.2. chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-27T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file. in GitHub repository hpjansson/chafa prior to 1.10.2. chafa: NULL Pointer Dereference in function gif_internal_decode_frame at libnsgif.c:599 allows attackers to cause a denial of service (crash) via a crafted input file.",
  "id": "GHSA-p7m9-59wp-jx9r",
  "modified": "2022-05-07T00:01:00Z",
  "published": "2022-04-28T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1507"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hpjansson/chafa/commit/e4b777c7b7c144cd16a0ea96108267b1004fe6c9"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/104d8c5d-cac5-4baa-9ac9-291ea0bcab95"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3PLHKTQYK6AO3M5NAVM3CDVQTZZS6MCO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIOAZPITFL2Y7Y6KHCZ4OIK7P7KWFN22"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L54UEP5S254VP5FZWGFPHLTPMFJVOGYT"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7R4-G84V-785W

Vulnerability from github – Published: 2024-11-04 03:30 – Updated: 2024-11-04 03:30
VLAI
Details

A vulnerability has been found in Tenda i22 1.0.0.3(4687) and classified as problematic. Affected by this vulnerability is the function websReadEvent of the file /goform/GetIPTV?fgHPOST/goform/SysToo. The manipulation of the argument Content-Length leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T02:15:14Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been found in Tenda i22 1.0.0.3(4687) and classified as problematic. Affected by this vulnerability is the function websReadEvent of the file /goform/GetIPTV?fgHPOST/goform/SysToo. The manipulation of the argument Content-Length leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-p7r4-g84v-785w",
  "modified": "2024-11-04T03:30:39Z",
  "published": "2024-11-04T03:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiaobor123/tenda-vul-i22"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.282919"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.282919"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.435407"
    },
    {
      "type": "WEB",
      "url": "https://www.tenda.com.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P7WM-885P-3RMG

Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-10-28 03:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()

There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage:

// All members of @iter are wild pointers. struct class_dev_iter iter;

// class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...);

// Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... };

// Also dereference these wild pointers here. class_dev_iter_exit(&iter);

Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T20:16:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: class: Fix wild pointer dereferences in API class_dev_iter_next()\n\nThere are a potential wild pointer dereferences issue regarding APIs\nclass_dev_iter_(init|next|exit)(), as explained by below typical usage:\n\n// All members of @iter are wild pointers.\nstruct class_dev_iter iter;\n\n// class_dev_iter_init(@iter, @class, ...) checks parameter @class for\n// potential class_to_subsys() error, and it returns void type and does\n// not initialize its output parameter @iter, so caller can not detect\n// the error and continues to invoke class_dev_iter_next(@iter) even if\n// @iter still contains wild pointers.\nclass_dev_iter_init(\u0026iter, ...);\n\n// Dereference these wild pointers in @iter here once suffer the error.\nwhile (dev = class_dev_iter_next(\u0026iter)) { ... };\n\n// Also dereference these wild pointers here.\nclass_dev_iter_exit(\u0026iter);\n\nActually, all callers of these APIs have such usage pattern in kernel tree.\nFix by:\n- Initialize output parameter @iter by memset() in class_dev_iter_init()\n  and give callers prompt by pr_crit() for the error.\n- Check if @iter is valid in class_dev_iter_next().",
  "id": "GHSA-p7wm-885p-3rmg",
  "modified": "2025-10-28T03:30:13Z",
  "published": "2025-02-27T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21810"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7X5-WX33-W7GV

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-17 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix dummy res NULL ptr deref bug

Check the bo->resource value before accessing the resource mem_type.

v2: Fix commit description unwrapped warning

[ 40.191227][ T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI [ 40.192995][ T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] [ 40.194411][ T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1 [ 40.196063][ T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014 [ 40.199605][ T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm] [ 40.200754][ T184] Code: e8 72 c5 ff ff 83 f8 b8 74 d4 85 c0 75 54 49 8b 9e 58 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 3c 03 7e 44 8b 53 10 31 c0 85 d2 0f 85 58 [ 40.203685][ T184] RSP: 0018:ffffc900006df0c8 EFLAGS: 00010202 [ 40.204630][ T184] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1102f4bb71b [ 40.205864][ T184] RDX: 0000000000000002 RSI: ffffc900006df208 RDI: 0000000000000010 [ 40.207102][ T184] RBP: 1ffff920000dbe1a R08: ffffc900006df208 R09: 0000000000000000 [ 40.208394][ T184] R10: ffff88817a5f0000 R11: 0000000000000001 R12: ffffc900006df110 [ 40.209692][ T184] R13: ffffc900006df0f0 R14: ffff88817a5db800 R15: ffffc900006df208 [ 40.210862][ T184] FS: 00007f6b1d16e8c0(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000 [ 40.212250][ T184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 40.213275][ T184] CR2: 000055a1001d4ff0 CR3: 00000001700f4000 CR4: 00000000000006e0 [ 40.214469][ T184] Call Trace: [ 40.214974][ T184] [ 40.215438][ T184] ? ttm_bo_bounce_temp_buffer+0x140/0x140 [ttm] [ 40.216572][ T184] ? mutex_spin_on_owner+0x240/0x240 [ 40.217456][ T184] ? drm_vma_offset_add+0xaa/0x100 [drm] [ 40.218457][ T184] ttm_bo_init_reserved+0x3d6/0x540 [ttm] [ 40.219410][ T184] ? shmem_get_inode+0x744/0x980 [ 40.220231][ T184] ttm_bo_init_validate+0xb1/0x200 [ttm] [ 40.221172][ T184] ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper] [ 40.222530][ T184] ? ttm_bo_init_reserved+0x540/0x540 [ttm] [ 40.223643][ T184] ? __do_sys_finit_module+0x11a/0x1c0 [ 40.224654][ T184] ? __shmem_file_setup+0x102/0x280 [ 40.234764][ T184] drm_gem_vram_create+0x305/0x480 [drm_vram_helper] [ 40.235766][ T184] ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper] [ 40.236846][ T184] ? __kasan_slab_free+0x108/0x180 [ 40.237650][ T184] drm_gem_vram_fill_create_dumb+0x134/0x340 [drm_vram_helper] [ 40.238864][ T184] ? local_pci_probe+0xdf/0x180 [ 40.239674][ T184] ? drmm_vram_helper_init+0x400/0x400 [drm_vram_helper] [ 40.240826][ T184] drm_client_framebuffer_create+0x19c/0x400 [drm] [ 40.241955][ T184] ? drm_client_buffer_delete+0x200/0x200 [drm] [ 40.243001][ T184] ? drm_client_pick_crtcs+0x554/0xb80 [drm] [ 40.244030][ T184] drm_fb_helper_generic_probe+0x23f/0x940 [drm_kms_helper] [ 40.245226][ T184] ? __cond_resched+0x1c/0xc0 [ 40.245987][ T184] ? drm_fb_helper_memory_range_to_clip+0x180/0x180 [drm_kms_helper] [ 40.247316][ T184] ? mutex_unlock+0x80/0x100 [ 40.248005][ T184] ? __mutex_unlock_slowpath+0x2c0/0x2c0 [ 40.249083][ T184] drm_fb_helper_single_fb_probe+0x907/0xf00 [drm_kms_helper] [ 40.250314][ T184] ? drm_fb_helper_check_var+0x1180/0x1180 [drm_kms_helper] [ 40.251540][ T184] ? __cond_resched+0x1c/0xc0 [ 40.252321][ T184] ? mutex_lock+0x9f/0x100 [ 40.253062][ T184] __drm_fb_helper_initial_config_and_unlock+0xb9/0x2c0 [drm_kms_helper] [ 40.254394][ T184] drm_fbdev_client_hotplug+0x56f/0x840 [drm_kms_helper] [ 40.255477][ T184] drm_fbdev_generic_setup+0x165/0x3c0 [drm_kms_helper] [ 40.256607][ T184] bochs_pci_probe+0x6b7/0x900 [bochs] [
---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:35Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix dummy res NULL ptr deref bug\n\nCheck the bo-\u003eresource value before accessing the resource\nmem_type.\n\nv2: Fix commit description unwrapped warning\n\n\u003clog snip\u003e\n[   40.191227][  T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI\n[   40.192995][  T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n[   40.194411][  T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1\n[   40.196063][  T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014\n[   40.199605][  T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]\n[   40.200754][  T184] Code: e8 72 c5 ff ff 83 f8 b8 74 d4 85 c0 75 54 49 8b 9e 58 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 04 02 84 c0 74 04 3c 03 7e 44 8b 53 10 31 c0 85 d2 0f 85 58\n[   40.203685][  T184] RSP: 0018:ffffc900006df0c8 EFLAGS: 00010202\n[   40.204630][  T184] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1102f4bb71b\n[   40.205864][  T184] RDX: 0000000000000002 RSI: ffffc900006df208 RDI: 0000000000000010\n[   40.207102][  T184] RBP: 1ffff920000dbe1a R08: ffffc900006df208 R09: 0000000000000000\n[   40.208394][  T184] R10: ffff88817a5f0000 R11: 0000000000000001 R12: ffffc900006df110\n[   40.209692][  T184] R13: ffffc900006df0f0 R14: ffff88817a5db800 R15: ffffc900006df208\n[   40.210862][  T184] FS:  00007f6b1d16e8c0(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000\n[   40.212250][  T184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   40.213275][  T184] CR2: 000055a1001d4ff0 CR3: 00000001700f4000 CR4: 00000000000006e0\n[   40.214469][  T184] Call Trace:\n[   40.214974][  T184]  \u003cTASK\u003e\n[   40.215438][  T184]  ? ttm_bo_bounce_temp_buffer+0x140/0x140 [ttm]\n[   40.216572][  T184]  ? mutex_spin_on_owner+0x240/0x240\n[   40.217456][  T184]  ? drm_vma_offset_add+0xaa/0x100 [drm]\n[   40.218457][  T184]  ttm_bo_init_reserved+0x3d6/0x540 [ttm]\n[   40.219410][  T184]  ? shmem_get_inode+0x744/0x980\n[   40.220231][  T184]  ttm_bo_init_validate+0xb1/0x200 [ttm]\n[   40.221172][  T184]  ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]\n[   40.222530][  T184]  ? ttm_bo_init_reserved+0x540/0x540 [ttm]\n[   40.223643][  T184]  ? __do_sys_finit_module+0x11a/0x1c0\n[   40.224654][  T184]  ? __shmem_file_setup+0x102/0x280\n[   40.234764][  T184]  drm_gem_vram_create+0x305/0x480 [drm_vram_helper]\n[   40.235766][  T184]  ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]\n[   40.236846][  T184]  ? __kasan_slab_free+0x108/0x180\n[   40.237650][  T184]  drm_gem_vram_fill_create_dumb+0x134/0x340 [drm_vram_helper]\n[   40.238864][  T184]  ? local_pci_probe+0xdf/0x180\n[   40.239674][  T184]  ? drmm_vram_helper_init+0x400/0x400 [drm_vram_helper]\n[   40.240826][  T184]  drm_client_framebuffer_create+0x19c/0x400 [drm]\n[   40.241955][  T184]  ? drm_client_buffer_delete+0x200/0x200 [drm]\n[   40.243001][  T184]  ? drm_client_pick_crtcs+0x554/0xb80 [drm]\n[   40.244030][  T184]  drm_fb_helper_generic_probe+0x23f/0x940 [drm_kms_helper]\n[   40.245226][  T184]  ? __cond_resched+0x1c/0xc0\n[   40.245987][  T184]  ? drm_fb_helper_memory_range_to_clip+0x180/0x180 [drm_kms_helper]\n[   40.247316][  T184]  ? mutex_unlock+0x80/0x100\n[   40.248005][  T184]  ? __mutex_unlock_slowpath+0x2c0/0x2c0\n[   40.249083][  T184]  drm_fb_helper_single_fb_probe+0x907/0xf00 [drm_kms_helper]\n[   40.250314][  T184]  ? drm_fb_helper_check_var+0x1180/0x1180 [drm_kms_helper]\n[   40.251540][  T184]  ? __cond_resched+0x1c/0xc0\n[   40.252321][  T184]  ? mutex_lock+0x9f/0x100\n[   40.253062][  T184]  __drm_fb_helper_initial_config_and_unlock+0xb9/0x2c0 [drm_kms_helper]\n[   40.254394][  T184]  drm_fbdev_client_hotplug+0x56f/0x840 [drm_kms_helper]\n[   40.255477][  T184]  drm_fbdev_generic_setup+0x165/0x3c0 [drm_kms_helper]\n[   40.256607][  T184]  bochs_pci_probe+0x6b7/0x900 [bochs]\n[   \n---truncated---",
  "id": "GHSA-p7x5-wx33-w7gv",
  "modified": "2025-11-17T18:30:23Z",
  "published": "2025-06-18T12:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50068"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76672cd326c146ded2c2712ff257b8908dcf23d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9bd970d4097287778a4449452e70b35d0bfaa3aa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf4b7387c0a842d64bdd7c353e6d3298174a7740"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7X7-VRH2-WVVC

Vulnerability from github – Published: 2024-11-21 21:33 – Updated: 2024-12-24 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

virtio_pci: Fix admin vq cleanup by using correct info pointer

vp_modern_avq_cleanup() and vp_del_vqs() clean up admin vq resources by virtio_pci_vq_info pointer. The info pointer of admin vq is stored in vp_dev->admin_vq.info instead of vp_dev->vqs[]. Using the info pointer from vp_dev->vqs[] for admin vq causes a kernel NULL pointer dereference bug. In vp_modern_avq_cleanup() and vp_del_vqs(), get the info pointer from vp_dev->admin_vq.info for admin vq to clean up the resources. Also make info ptr as argument of vp_del_vq() to be symmetric with vp_setup_vq().

vp_reset calls vp_modern_avq_cleanup, and causes the Call Trace:

BUG: kernel NULL pointer dereference, address:0000000000000000 ... CPU: 49 UID: 0 PID: 4439 Comm: modprobe Not tainted 6.11.0-rc5 #1 RIP: 0010:vp_reset+0x57/0x90 [virtio_pci] Call Trace: ... ? vp_reset+0x57/0x90 [virtio_pci] ? vp_reset+0x38/0x90 [virtio_pci] virtio_reset_device+0x1d/0x30 remove_vq_common+0x1c/0x1a0 [virtio_net] virtnet_remove+0xa1/0xc0 [virtio_net] virtio_dev_remove+0x46/0xa0 ... virtio_pci_driver_exit+0x14/0x810 [virtio_pci] ==================================================================

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T19:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pci: Fix admin vq cleanup by using correct info pointer\n\nvp_modern_avq_cleanup() and vp_del_vqs() clean up admin vq\nresources by virtio_pci_vq_info pointer. The info pointer of admin\nvq is stored in vp_dev-\u003eadmin_vq.info instead of vp_dev-\u003evqs[].\nUsing the info pointer from vp_dev-\u003evqs[] for admin vq causes a\nkernel NULL pointer dereference bug.\nIn vp_modern_avq_cleanup() and vp_del_vqs(), get the info pointer\nfrom vp_dev-\u003eadmin_vq.info for admin vq to clean up the resources.\nAlso make info ptr as argument of vp_del_vq() to be symmetric with\nvp_setup_vq().\n\nvp_reset calls vp_modern_avq_cleanup, and causes the Call Trace:\n==================================================================\nBUG: kernel NULL pointer dereference, address:0000000000000000\n...\nCPU: 49 UID: 0 PID: 4439 Comm: modprobe Not tainted 6.11.0-rc5 #1\nRIP: 0010:vp_reset+0x57/0x90 [virtio_pci]\nCall Trace:\n \u003cTASK\u003e\n...\n ? vp_reset+0x57/0x90 [virtio_pci]\n ? vp_reset+0x38/0x90 [virtio_pci]\n virtio_reset_device+0x1d/0x30\n remove_vq_common+0x1c/0x1a0 [virtio_net]\n virtnet_remove+0xa1/0xc0 [virtio_net]\n virtio_dev_remove+0x46/0xa0\n...\n virtio_pci_driver_exit+0x14/0x810 [virtio_pci]\n==================================================================",
  "id": "GHSA-p7x7-vrh2-wvvc",
  "modified": "2024-12-24T15:30:31Z",
  "published": "2024-11-21T21:33:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53092"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/018d3d4ad4be7fbc95d8a2367642a32d21df55c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/97ee04feb682c906a1fa973ebe586fe91567d165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.