CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-P9M5-3HJ7-CP5R
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2023-06-13 17:24Affected versions of the crate used a UnsafeCell in thread-local storage to return a noop waker reference, assuming that the reference would never be returned from another thread.
This resulted in a segmentation fault crash if Waker::wake_by_ref() was called on a waker returned from another thread due to it attempting to dereference a pointer that wasn't accessible from the main thread.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "futures-task"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35907"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-16T23:58:57Z",
"nvd_published_at": "2020-12-31T09:15:00Z",
"severity": "MODERATE"
},
"details": "Affected versions of the crate used a UnsafeCell in thread-local storage to return a noop waker reference, assuming that the reference would never be returned from another thread.\n\nThis resulted in a segmentation fault crash if Waker::wake_by_ref() was called on a waker returned from another thread due to it attempting to dereference a pointer that wasn\u0027t accessible from the main thread.",
"id": "GHSA-p9m5-3hj7-cp5r",
"modified": "2023-06-13T17:24:56Z",
"published": "2022-05-24T17:37:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35907"
},
{
"type": "WEB",
"url": "https://github.com/rust-lang/futures-rs/issues/2091"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-lang/futures-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0061.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer"
}
GHSA-P9MG-74MG-CWWR
Vulnerability from github – Published: 2026-05-08 23:01 – Updated: 2026-06-08 23:48Summary
free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware (same root cause as the broader UPI auth gap reported in free5gc/free5gc#887). On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry.
Details
Validated against the SMF container in the official Docker compose lab.
- Source repo tag: v4.2.1
- Running Docker image: free5gc/smf:v4.2.1
- Runtime SMF commit: 8385c00a
- Docker validation date: 2026-03-22 local (container log timestamp 2026-03-21T23:43:17Z)
- SMF endpoint: http://10.100.200.6:8000
Control comparison on the same SMF instance:
- GET /nsmf-oam/v1/ (no token) -> 401 Unauthorized
- DELETE /upi/v1/upNodesLinks/gNB1 (no token) -> 500 Internal Server Error (panic)
The sibling nsmf-oam returning 401 proves OAuth middleware IS wired in for other SMF route groups; the UPI group specifically is mounted without it.
Vulnerable handler logic (paths in free5gc/smf):
// NFs/smf/internal/sbi/api_upi.go:94..99
if upNode.Type == smf_context.UPNODE_UPF {
go s.Processor().ReleaseAllResourcesOfUPF(upNode.UPF)
}
upi.UpNodeDelete(upNodeRef)
upNode.UPF.CancelAssociation() // <-- panics for AN-typed nodes; nil UPF
The Type == UPNODE_UPF guard only protects the asynchronous ReleaseAllResourcesOfUPF call. After that, UpNodeDelete(upNodeRef) runs unconditionally (so the topology mutation lands first), and then upNode.UPF.CancelAssociation() is called unconditionally on a *UPF that is nil for AN nodes by construction.
Code evidence:
- UPI group mounted WITHOUT auth middleware:
- NFs/smf/internal/sbi/server.go:76
- NFs/smf/internal/sbi/server.go:78
- Protected control comparison (other SMF groups DO use auth):
- NFs/smf/internal/sbi/server.go:99
- NFs/smf/internal/sbi/server.go:105
- Delete handler (panic site):
- NFs/smf/internal/sbi/api_upi.go:94
- NFs/smf/internal/sbi/api_upi.go:99
- AN nodes are constructed without a UPF object (root cause of the nil deref):
- NFs/smf/internal/context/user_plane_information.go:95
- NFs/smf/internal/context/user_plane_information.go:97
PoC
Reproduced end-to-end against the running SMF at http://10.100.200.6:8000.
- Control: protected sibling OAM route returns
401:
curl -i http://10.100.200.6:8000/nsmf-oam/v1/
HTTP/1.1 401 Unauthorized
- Trigger: unauthenticated DELETE on the default AN node
gNB1:
curl -i -X DELETE http://10.100.200.6:8000/upi/v1/upNodesLinks/gNB1
HTTP/1.1 500 Internal Server Error
- SMF container logs (
docker logs --tail 120 smf) show topology mutation landing BEFORE the panic, and the panic stack pointing atapi_upi.go:99:
[INFO][SMF][Init] UPNode [gNB1] found. Deleting it.
[INFO][SMF][Init] Delete UPLink [UPF] <=> [gNB1].
[ERRO][SMF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/smf/internal/sbi.(*Server).DeleteUpNodeLink
/go/src/free5gc/NFs/smf/internal/sbi/api_upi.go:99 +0x298
[INFO][SMF][GIN] | 500 | DELETE | /upi/v1/upNodesLinks/gNB1
The lab state was manually restored after validation by re-creating the AN entry; that POST is restoration-only and is NOT a mitigation.
Impact
Three compounding defects on the same SMF SBI surface:
1. Missing inbound authentication (CWE-306) and authorization (CWE-862) on the UPI route group, so the trigger is reachable to any off-path network attacker who can reach SMF on the SBI -- no token, no session, no UE state needed. The same-instance nsmf-oam returning 401 proves the middleware is wired in elsewhere and only missing on UPI.
2. NULL pointer dereference (CWE-476) in DeleteUpNodeLink: the Type == UPNODE_UPF guard only covers the async release call, then upNode.UPF.CancelAssociation() runs unconditionally on AN-typed nodes that have a nil UPF field by construction.
3. Order of operations (CWE-755 / CWE-754): UpNodeDelete(upNodeRef) mutates the in-memory user-plane topology BEFORE the dereference panics, so the topology change lands even though the request returns 500. This makes the bug state-mutating, not just a plain panic.
Any party that can reach SMF on the SBI can:
- Delete arbitrary named entries (e.g. gNB1) from SMF's in-memory user-plane topology anonymously via a single DELETE /upi/v1/upNodesLinks/{ref} request, denying SMF's ability to consider that AN/UPF in subsequent UPF selection / PFCP path establishment for legitimate UE sessions.
- Trigger a panic on the SMF goroutine for the deleted-AN case, even though Gin recovers the goroutine, leaving the topology in the mutated state above.
- Repeat the trigger by name against any AN entry, sustaining the topology denial without ever authenticating.
This is a strict superset of the impact in free5gc/free5gc#887 for this specific code path: same auth bypass, plus a concrete request-triggerable nil deref, plus state mutation that survives the panic.
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/905 Upstream fix: https://github.com/free5gc/smf/pull/199
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/smf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44328"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-476",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T23:01:56Z",
"nvd_published_at": "2026-05-27T17:16:38Z",
"severity": "HIGH"
},
"details": "### Summary\nfree5GC\u0027s SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as the broader UPI auth gap reported in free5gc/free5gc#887). On top of that, the `DELETE /upi/v1/upNodesLinks/{upNodeRef}` handler unconditionally dereferences `upNode.UPF` after the type-guarded async release, even though `AN`-typed nodes are constructed without a `UPF` object. As a result, a single unauthenticated `DELETE /upi/v1/upNodesLinks/gNB1` request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the `UpNodeDelete(upNodeRef)` line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry.\n\n### Details\nValidated against the SMF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/smf:v4.2.1`\n- Runtime SMF commit: `8385c00a`\n- Docker validation date: 2026-03-22 local (container log timestamp `2026-03-21T23:43:17Z`)\n- SMF endpoint: `http://10.100.200.6:8000`\n\nControl comparison on the same SMF instance:\n- `GET /nsmf-oam/v1/` (no token) -\u003e `401 Unauthorized`\n- `DELETE /upi/v1/upNodesLinks/gNB1` (no token) -\u003e `500 Internal Server Error` (panic)\n\nThe sibling `nsmf-oam` returning `401` proves OAuth middleware IS wired in for other SMF route groups; the UPI group specifically is mounted without it.\n\nVulnerable handler logic (paths in `free5gc/smf`):\n```go\n// NFs/smf/internal/sbi/api_upi.go:94..99\nif upNode.Type == smf_context.UPNODE_UPF {\n go s.Processor().ReleaseAllResourcesOfUPF(upNode.UPF)\n}\nupi.UpNodeDelete(upNodeRef)\nupNode.UPF.CancelAssociation() // \u003c-- panics for AN-typed nodes; nil UPF\n```\n\nThe `Type == UPNODE_UPF` guard only protects the asynchronous `ReleaseAllResourcesOfUPF` call. After that, `UpNodeDelete(upNodeRef)` runs unconditionally (so the topology mutation lands first), and then `upNode.UPF.CancelAssociation()` is called unconditionally on a `*UPF` that is `nil` for `AN` nodes by construction.\n\nCode evidence:\n- UPI group mounted WITHOUT auth middleware:\n - `NFs/smf/internal/sbi/server.go:76`\n - `NFs/smf/internal/sbi/server.go:78`\n- Protected control comparison (other SMF groups DO use auth):\n - `NFs/smf/internal/sbi/server.go:99`\n - `NFs/smf/internal/sbi/server.go:105`\n- Delete handler (panic site):\n - `NFs/smf/internal/sbi/api_upi.go:94`\n - `NFs/smf/internal/sbi/api_upi.go:99`\n- AN nodes are constructed without a UPF object (root cause of the nil deref):\n - `NFs/smf/internal/context/user_plane_information.go:95`\n - `NFs/smf/internal/context/user_plane_information.go:97`\n\n### PoC\nReproduced end-to-end against the running SMF at `http://10.100.200.6:8000`.\n\n1. Control: protected sibling OAM route returns `401`:\n```\ncurl -i http://10.100.200.6:8000/nsmf-oam/v1/\n```\n```\nHTTP/1.1 401 Unauthorized\n```\n\n2. Trigger: unauthenticated DELETE on the default AN node `gNB1`:\n```\ncurl -i -X DELETE http://10.100.200.6:8000/upi/v1/upNodesLinks/gNB1\n```\n```\nHTTP/1.1 500 Internal Server Error\n```\n\n3. SMF container logs (`docker logs --tail 120 smf`) show topology mutation landing BEFORE the panic, and the panic stack pointing at `api_upi.go:99`:\n```\n[INFO][SMF][Init] UPNode [gNB1] found. Deleting it.\n[INFO][SMF][Init] Delete UPLink [UPF] \u003c=\u003e [gNB1].\n[ERRO][SMF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\ngithub.com/free5gc/smf/internal/sbi.(*Server).DeleteUpNodeLink\n /go/src/free5gc/NFs/smf/internal/sbi/api_upi.go:99 +0x298\n[INFO][SMF][GIN] | 500 | DELETE | /upi/v1/upNodesLinks/gNB1\n```\n\nThe lab state was manually restored after validation by re-creating the AN entry; that POST is restoration-only and is NOT a mitigation.\n\n### Impact\nThree compounding defects on the same SMF SBI surface:\n1. Missing inbound authentication (CWE-306) and authorization (CWE-862) on the `UPI` route group, so the trigger is reachable to any off-path network attacker who can reach SMF on the SBI -- no token, no session, no UE state needed. The same-instance `nsmf-oam` returning `401` proves the middleware is wired in elsewhere and only missing on UPI.\n2. NULL pointer dereference (CWE-476) in `DeleteUpNodeLink`: the `Type == UPNODE_UPF` guard only covers the async release call, then `upNode.UPF.CancelAssociation()` runs unconditionally on AN-typed nodes that have a nil `UPF` field by construction.\n3. Order of operations (CWE-755 / CWE-754): `UpNodeDelete(upNodeRef)` mutates the in-memory user-plane topology BEFORE the dereference panics, so the topology change lands even though the request returns 500. This makes the bug state-mutating, not just a plain panic.\n\nAny party that can reach SMF on the SBI can:\n- Delete arbitrary named entries (e.g. `gNB1`) from SMF\u0027s in-memory user-plane topology anonymously via a single `DELETE /upi/v1/upNodesLinks/{ref}` request, denying SMF\u0027s ability to consider that AN/UPF in subsequent UPF selection / PFCP path establishment for legitimate UE sessions.\n- Trigger a panic on the SMF goroutine for the deleted-AN case, even though Gin recovers the goroutine, leaving the topology in the mutated state above.\n- Repeat the trigger by name against any AN entry, sustaining the topology denial without ever authenticating.\n\nThis is a strict superset of the impact in free5gc/free5gc#887 for this specific code path: same auth bypass, plus a concrete request-triggerable nil deref, plus state mutation that survives the panic.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/905\nUpstream fix: https://github.com/free5gc/smf/pull/199",
"id": "GHSA-p9mg-74mg-cwwr",
"modified": "2026-06-08T23:48:26Z",
"published": "2026-05-08T23:01:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-p9mg-74mg-cwwr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44328"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/issues/905"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/smf/pull/199"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/smf/commit/b57bc48081c3d3a2f333d02eb78e4fd31a120deb"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "free5GC\u0027s SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating"
}
GHSA-P9MW-2282-623F
Vulnerability from github – Published: 2023-08-13 15:30 – Updated: 2024-04-04 06:54Input parameter verification vulnerability in the communication system. Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2023-39397"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-13T13:15:11Z",
"severity": "HIGH"
},
"details": "Input parameter verification vulnerability in the communication system. Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-p9mw-2282-623f",
"modified": "2024-04-04T06:54:03Z",
"published": "2023-08-13T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39397"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/8"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202308-0000001667644725"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9P6-VVR2-MF86
Vulnerability from github – Published: 2024-08-21 09:31 – Updated: 2024-08-29 03:30In the Linux kernel, the following vulnerability has been resolved:
efi: fix NULL-deref in init error path
In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated.
Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails to avoid dereferencing a NULL pointer.
{
"affected": [],
"aliases": [
"CVE-2022-48879"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T07:15:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix NULL-deref in init error path\n\nIn cases where runtime services are not supported or have been disabled,\nthe runtime services workqueue will never have been allocated.\n\nDo not try to destroy the workqueue unconditionally in the unlikely\nevent that EFI initialisation fails to avoid dereferencing a NULL\npointer.",
"id": "GHSA-p9p6-vvr2-mf86",
"modified": "2024-08-29T03:30:49Z",
"published": "2024-08-21T09:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48879"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ca71bc0e1995d15486cd7b60845602a28399cb5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/585a0b2b3ae7903c6abee3087d09c69e955a7794"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5fcf75a8a4c3e7ee9122d143684083c9faf20452"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/703c13fe3c9af557d312f5895ed6a5fda2711104"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/adc96d30f6503d30dc68670c013716f1d9fcc747"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2ea55564229e4bea1474af15b111b3a3043b76f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9RQ-Q46C-G4X6
Vulnerability from github – Published: 2026-06-26 17:51 – Updated: 2026-06-26 17:51When passing incorrect arguments in the distort operation a null pointer deference will occur.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53463"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T17:51:22Z",
"nvd_published_at": "2026-06-10T23:16:50Z",
"severity": "MODERATE"
},
"details": "When passing incorrect arguments in the distort operation a null pointer deference will occur.",
"id": "GHSA-p9rq-q46c-g4x6",
"modified": "2026-06-26T17:51:23Z",
"published": "2026-06-26T17:51:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p9rq-q46c-g4x6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53463"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.14.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has Null Pointer Dereference caused by the distort operation when passing incorrect arguments"
}
GHSA-P9XP-VCH3-FPJP
Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-12-23 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'
The 'stream' pointer is used in dcn10_set_output_transfer_func() before the check if 'stream' is NULL.
Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)
{
"affected": [],
"aliases": [
"CVE-2024-27044"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T13:15:49Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential NULL pointer dereferences in \u0027dcn10_set_output_transfer_func()\u0027\n\nThe \u0027stream\u0027 pointer is used in dcn10_set_output_transfer_func() before\nthe check if \u0027stream\u0027 is NULL.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check \u0027stream\u0027 (see line 1875)",
"id": "GHSA-p9xp-vch3-fpjp",
"modified": "2024-12-23T15:30:47Z",
"published": "2024-05-01T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27044"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14613d52bc7fc180df6d2c65ba65fc921fc1dda7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29fde8895b2fcc33f44aea28c644ce2d9b62f9e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d9fe7787af01188dc470a649bdbb842d6511fd7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/330caa061af53ea6d287d7c43d0703714e510e08"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6ac7c7a3a9ab57aba0fe78ecb922d2b20e16efeb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7874ab3105ca4657102fee1cc14b0af70883c484"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ccfe80d022df7c595f1925afb31de2232900656"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e019d87e02f1e539ae48b99187f253847744ca7a"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PC25-5426-Q5X9
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-14 15:31Illustrator versions 28.5, 27.9.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a denial of service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-34136"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T15:15:20Z",
"severity": "MODERATE"
},
"details": "Illustrator versions 28.5, 27.9.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a denial of service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-pc25-5426-q5x9",
"modified": "2024-08-14T15:31:17Z",
"published": "2024-08-14T15:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34136"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/illustrator/apsb24-45.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PC2H-32RH-XHFP
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-30321"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:21:21Z",
"severity": "MODERATE"
},
"details": "InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-pc2h-32rh-xhfp",
"modified": "2025-06-10T18:32:27Z",
"published": "2025-06-10T18:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30321"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/indesign/apsb25-53.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PC87-MH9V-2H38
Vulnerability from github – Published: 2022-05-14 01:18 – Updated: 2022-05-14 01:18An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec (earlier than CVE-2019-9776).
{
"affected": [],
"aliases": [
"CVE-2019-9779"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-14T09:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec (earlier than CVE-2019-9776).",
"id": "GHSA-pc87-mh9v-2h38",
"modified": "2022-05-14T01:18:15Z",
"published": "2022-05-14T01:18:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9779"
},
{
"type": "WEB",
"url": "https://github.com/LibreDWG/libredwg/issues/99"
},
{
"type": "WEB",
"url": "https://savannah.gnu.org/bugs/index.php?55893"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00033.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00045.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107447"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCCV-XJC7-M5QV
Vulnerability from github – Published: 2022-11-07 12:00 – Updated: 2025-05-05 18:32handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2022-44792"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-07T03:15:00Z",
"severity": "MODERATE"
},
"details": "handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.",
"id": "GHSA-pccv-xjc7-m5qv",
"modified": "2025-05-05T18:32:28Z",
"published": "2022-11-07T12:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44792"
},
{
"type": "WEB",
"url": "https://github.com/net-snmp/net-snmp/issues/474"
},
{
"type": "WEB",
"url": "https://gist.github.com/menglong2234/b7bc13ae1a144f47cc3c95a7ea062428"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00010.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230223-0011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.