CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-PF6P-PJXV-JWQH
Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-03-13 15:32In the Linux kernel, the following vulnerability has been resolved:
vsock: Orphan socket after transport release
During socket release, sock_orphan() is called without considering that it sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a null pointer dereferenced in virtio_transport_wait_close().
Orphan the socket only after transport release.
Partially reverts the 'Fixes:' commit.
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] lock_acquire+0x19e/0x500 _raw_spin_lock_irqsave+0x47/0x70 add_wait_queue+0x46/0x230 virtio_transport_release+0x4e7/0x7f0 __vsock_release+0xfd/0x490 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x35e/0xa90 __x64_sys_close+0x78/0xd0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
{
"affected": [],
"aliases": [
"CVE-2025-21755"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T03:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Orphan socket after transport release\n\nDuring socket release, sock_orphan() is called without considering that it\nsets sk-\u003esk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a\nnull pointer dereferenced in virtio_transport_wait_close().\n\nOrphan the socket only after transport release.\n\nPartially reverts the \u0027Fixes:\u0027 commit.\n\nKASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n lock_acquire+0x19e/0x500\n _raw_spin_lock_irqsave+0x47/0x70\n add_wait_queue+0x46/0x230\n virtio_transport_release+0x4e7/0x7f0\n __vsock_release+0xfd/0x490\n vsock_release+0x90/0x120\n __sock_release+0xa3/0x250\n sock_close+0x14/0x20\n __fput+0x35e/0xa90\n __x64_sys_close+0x78/0xd0\n do_syscall_64+0x93/0x1b0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
"id": "GHSA-pf6p-pjxv-jwqh",
"modified": "2025-03-13T15:32:50Z",
"published": "2025-02-27T03:34:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21755"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a866f8376f0a5c848dcb59cd26df845fffbe6d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/631e00fdac7acca676103d6cbc96eb152625f449"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78dafe1cf3afa02ed71084b350713b07e72a18fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94d81870eec7ad2dd7af80bffd314ded26caea1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bab61f41c942a20ef7b4feea50e9d36d19ad1a26"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6acb650a73d5705a93b9c5a2cd5e9c8161f0be3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3b8e9d3414b2eb083d8293be25a949fe480897b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFH8-68JF-8GQ2
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-25 15:31In the Linux kernel, the following vulnerability has been resolved:
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
Wei Chen reported a NULL deref in sk_user_ns() 0, and Paolo diagnosed the root cause: in unix_diag_get_exact(), the newly allocated skb does not have sk. 2
We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to sk_diag_fill().
[0]: BUG: kernel NULL pointer dereference, address: 0000000000000270
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:sk_user_ns include/net/sock.h:920 [inline] RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline] RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170 Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8 54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b 9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d RSP: 0018:ffffc90000d67968 EFLAGS: 00010246 RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270 RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000 R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800 R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940 FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: unix_diag_get_exact net/unix/diag.c:285 [inline] unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317 __sock_diag_cmd net/core/sock_diag.c:235 [inline] sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266 netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564 sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline] netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] _syssendmsg+0x38f/0x500 net/socket.c:2476 _sys_sendmsg net/socket.c:2530 [inline] __sys_sendmsg+0x197/0x230 net/socket.c:2559 __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x4697f9 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80 R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0 Modules linked in: CR2: 0000000000000270
{
"affected": [],
"aliases": [
"CVE-2022-48970"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Get user_ns from in_skb in unix_diag_get_exact().\n\nWei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed\nthe root cause: in unix_diag_get_exact(), the newly allocated skb does not\nhave sk. [2]\n\nWe must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to\nsk_diag_fill().\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000270\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:sk_user_ns include/net/sock.h:920 [inline]\nRIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]\nRIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170\nCode: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8\n54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd \u003c48\u003e 8b\n9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d\nRSP: 0018:ffffc90000d67968 EFLAGS: 00010246\nRAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d\nRDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270\nRBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000\nR10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800\nR13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940\nFS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n unix_diag_get_exact net/unix/diag.c:285 [inline]\n unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317\n __sock_diag_cmd net/core/sock_diag.c:235 [inline]\n sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266\n netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277\n netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2476\n ___sys_sendmsg net/socket.c:2530 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2559\n __do_sys_sendmsg net/socket.c:2568 [inline]\n __se_sys_sendmsg net/socket.c:2566 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x4697f9\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d\n01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9\nRDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003\nRBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80\nR13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0\n \u003c/TASK\u003e\nModules linked in:\nCR2: 0000000000000270\n\n[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/\n[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/",
"id": "GHSA-pfh8-68jf-8gq2",
"modified": "2024-10-25T15:31:26Z",
"published": "2024-10-21T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48970"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/575a6266f63dbb3b8eb1da03671451f0d81b8034"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c014eb0ed6c8c57f483e94cc6e90f34ce426d91"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c1d6f79a2c7b8221dcec27defc6dc461052ead4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3abe42e94900bdd045c472f9c9be620ba5ce553"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c66d78aee55dab72c92020ebfbebc464d4f5dd2a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFJJ-M3JJ-9JC9
Vulnerability from github – Published: 2022-02-09 23:43 – Updated: 2024-11-13 22:32Impact
The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value:
import tensorflow as tf
import numpy as np
tf.raw_ops.SparseTensorSliceDataset(
indices=[[]],
values=[],
dense_shape=[1,1])
The 3 input arguments represent a sparse tensor. However, there are some preconditions that these arguments must satisfy but these are not validated in the implementation.
Patches
We have patched the issue in GitHub commit 965b97e4a9650495cda5a8c210ef6684b4b9eceb.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-21736"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-03T19:56:37Z",
"nvd_published_at": "2022-02-03T12:15:00Z",
"severity": "HIGH"
},
"details": "### Impact \nThe [implementation of `SparseTensorSliceDataset`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L227-L292) has an undefined behavior: under certain condition it can be made to dereference a `nullptr` value:\n\n```python\nimport tensorflow as tf\nimport numpy as np\n\ntf.raw_ops.SparseTensorSliceDataset(\n indices=[[]],\n values=[],\n dense_shape=[1,1])\n```\n\nThe 3 input arguments represent a sparse tensor. However, there are some preconditions that these arguments must satisfy but these are not validated in the implementation.\n\n### Patches\nWe have patched the issue in GitHub commit [965b97e4a9650495cda5a8c210ef6684b4b9eceb](https://github.com/tensorflow/tensorflow/commit/965b97e4a9650495cda5a8c210ef6684b4b9eceb).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.",
"id": "GHSA-pfjj-m3jj-9jc9",
"modified": "2024-11-13T22:32:09Z",
"published": "2022-02-09T23:43:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pfjj-m3jj-9jc9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21736"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/965b97e4a9650495cda5a8c210ef6684b4b9eceb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-60.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-115.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L227-L292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Undefined behavior in `SparseTensorSliceDataset`"
}
GHSA-PFMC-FX47-CPG8
Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-13 00:30In the Linux kernel, the following vulnerability has been resolved:
usb: typec: class: Fix NULL pointer access
Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer dereference. This patch adds a mutex to protect USB device pointers and prevent this issue. The same mutex protects both the device pointers and the partner device registration.
{
"affected": [],
"aliases": [
"CVE-2025-37809"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-08T07:15:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: class: Fix NULL pointer access\n\nConcurrent calls to typec_partner_unlink_device can lead to a NULL pointer\ndereference. This patch adds a mutex to protect USB device pointers and\nprevent this issue. The same mutex protects both the device pointers and\nthe partner device registration.",
"id": "GHSA-pfmc-fx47-cpg8",
"modified": "2025-11-13T00:30:16Z",
"published": "2025-05-08T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37809"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fdde62411fe65640e69bc55ea027d5b7b2f0093"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de7c24febd21413ea8f49f61b36338b676c02852"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec27386de23a511008c53aa2f3434ad180a3ca9a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFP4-C2JF-CXCX
Vulnerability from github – Published: 2026-01-02 15:30 – Updated: 2026-01-05 21:30A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later
{
"affected": [],
"aliases": [
"CVE-2025-52430"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-02T15:16:00Z",
"severity": "LOW"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3256 build 20250913 and later\nQuTS hero h5.2.7.3256 build 20250913 and later\nQuTS hero h5.3.1.3250 build 20250912 and later",
"id": "GHSA-pfp4-c2jf-cxcx",
"modified": "2026-01-05T21:30:29Z",
"published": "2026-01-02T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52430"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-50"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PFPP-Q6GH-6XMM
Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2024-08-21 18:31In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()
bdev->bd_super has been removed and commit 8887b94d9322 change the usage from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the following NULL pointer dereference in ocfs2_journal_dirty() since b_assoc_map is still not initialized. This can be easily reproduced by running xfstests generic/186, which simulate no more credits.
[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2] ... [ 134.365071] Call Trace: [ 134.365312] [ 134.365524] ? __die_body+0x1e/0x60 [ 134.365868] ? page_fault_oops+0x13d/0x4f0 [ 134.366265] ? __pfx_bit_wait_io+0x10/0x10 [ 134.366659] ? schedule+0x27/0xb0 [ 134.366981] ? exc_page_fault+0x6a/0x140 [ 134.367356] ? asm_exc_page_fault+0x26/0x30 [ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2] [ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2] [ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2] [ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2] [ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2] [ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2] [ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2] [ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2] [ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2] [ 134.372994] ? inode_update_timestamps+0x4a/0x120 [ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] [ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] [ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2] [ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2] [ 134.376971] ? security_file_permission+0x29/0x50 [ 134.377644] vfs_clone_file_range+0xfe/0x320 [ 134.378268] ioctl_file_clone+0x45/0xa0 [ 134.378853] do_vfs_ioctl+0x457/0x990 [ 134.379422] __x64_sys_ioctl+0x6e/0xd0 [ 134.379987] do_syscall_64+0x5d/0x170 [ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 134.381231] RIP: 0033:0x7fa4926397cb [ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48 [ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb [ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003 [ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000 [ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000 [ 134.389207]
Fix it by only aborting transaction and journal in ocfs2_journal_dirty() now, and leave ocfs2_abort() later when detecting an aborted handle, e.g. start next transaction. Also log the handle details in this case.
{
"affected": [],
"aliases": [
"CVE-2024-40952"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-12T13:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()\n\nbdev-\u003ebd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev-\u003ebd_super to b_assoc_map-\u003ehost-\u003ei_sb. This introduces the\nfollowing NULL pointer dereference in ocfs2_journal_dirty() since\nb_assoc_map is still not initialized. This can be easily reproduced by\nrunning xfstests generic/186, which simulate no more credits.\n\n[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000\n...\n[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n...\n[ 134.365071] Call Trace:\n[ 134.365312] \u003cTASK\u003e\n[ 134.365524] ? __die_body+0x1e/0x60\n[ 134.365868] ? page_fault_oops+0x13d/0x4f0\n[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10\n[ 134.366659] ? schedule+0x27/0xb0\n[ 134.366981] ? exc_page_fault+0x6a/0x140\n[ 134.367356] ? asm_exc_page_fault+0x26/0x30\n[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]\n[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]\n[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]\n[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]\n[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]\n[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]\n[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]\n[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]\n[ 134.372994] ? inode_update_timestamps+0x4a/0x120\n[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]\n[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]\n[ 134.376971] ? security_file_permission+0x29/0x50\n[ 134.377644] vfs_clone_file_range+0xfe/0x320\n[ 134.378268] ioctl_file_clone+0x45/0xa0\n[ 134.378853] do_vfs_ioctl+0x457/0x990\n[ 134.379422] __x64_sys_ioctl+0x6e/0xd0\n[ 134.379987] do_syscall_64+0x5d/0x170\n[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 134.381231] RIP: 0033:0x7fa4926397cb\n[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48\n[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb\n[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003\n[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000\n[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000\n[ 134.389207] \u003c/TASK\u003e\n\nFix it by only aborting transaction and journal in ocfs2_journal_dirty()\nnow, and leave ocfs2_abort() later when detecting an aborted handle,\ne.g. start next transaction. Also log the handle details in this case.",
"id": "GHSA-pfpp-q6gh-6xmm",
"modified": "2024-08-21T18:31:26Z",
"published": "2024-07-12T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40952"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0550ad87711f815b3d73e487ec58ca7d8f56edbc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58f7e1e2c9e72c7974054c64c3abeac81c11f822"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72663d3e09091f431a0774227ca207c0358362dd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQ9-GMXF-FP7R
Vulnerability from github – Published: 2022-12-20 18:30 – Updated: 2022-12-20 18:30In sdpu_find_most_specific_service_uuid of sdp_utils.cc, there is a possible way to crash Bluetooth due to a missing null check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227203684
{
"affected": [],
"aliases": [
"CVE-2022-20521"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In sdpu_find_most_specific_service_uuid of sdp_utils.cc, there is a possible way to crash Bluetooth due to a missing null check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227203684",
"id": "GHSA-pfq9-gmxf-fp7r",
"modified": "2022-12-20T18:30:20Z",
"published": "2022-12-20T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20521"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQP-2WHQ-57G2
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-11 09:30In the Linux kernel, the following vulnerability has been resolved:
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags().
BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().
{
"affected": [],
"aliases": [
"CVE-2026-43441"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:56Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If bonding ARP/NS validation is enabled, an IPv6\nNS/NA packet received on a slave can reach bond_validate_na(), which\ncalls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can\ncrash in __ipv6_chk_addr_and_flags().\n\n BUG: kernel NULL pointer dereference, address: 00000000000005d8\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170\n Call Trace:\n \u003cIRQ\u003e\n ipv6_chk_addr+0x1f/0x30\n bond_validate_na+0x12e/0x1d0 [bonding]\n ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\n bond_rcv_validate+0x1a0/0x450 [bonding]\n bond_handle_frame+0x5e/0x290 [bonding]\n ? srso_alias_return_thunk+0x5/0xfbef5\n __netif_receive_skb_core.constprop.0+0x3e8/0xe50\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? update_cfs_rq_load_avg+0x1a/0x240\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __enqueue_entity+0x5e/0x240\n __netif_receive_skb_one_core+0x39/0xa0\n process_backlog+0x9c/0x150\n __napi_poll+0x30/0x200\n ? srso_alias_return_thunk+0x5/0xfbef5\n net_rx_action+0x338/0x3b0\n handle_softirqs+0xc9/0x2a0\n do_softirq+0x42/0x60\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0x62/0x70\n __dev_queue_xmit+0x2d3/0x1000\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? packet_parse_headers+0x10a/0x1a0\n packet_sendmsg+0x10da/0x1700\n ? kick_pool+0x5f/0x140\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __queue_work+0x12d/0x4f0\n __sys_sendto+0x1f3/0x220\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x101/0xf80\n ? exc_page_fault+0x6e/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nFix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to\nbond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()\nand avoid the path to ipv6_chk_addr().",
"id": "GHSA-pfqp-2whq-57g2",
"modified": "2026-05-11T09:30:31Z",
"published": "2026-05-08T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43441"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30021e969d48e5819d5ae56936c2f34c0f7ce997"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49dbfcb70eca5f6f9043594e1e323c74c39e3863"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95faa1459b83fa544191e82ccc73856f03b7741f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c78f01abe535853f13f0b26cd5b1d2f19bf52e2f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c9c238066fb254dabf65e27379f93c56112c5b96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf6099ef493b94e140b0fad52482a78853115318"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQW-H6QM-MP6M
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2011-4594"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-05-17T11:00:00Z",
"severity": "MODERATE"
},
"details": "The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.",
"id": "GHSA-pfqw-h6qm-mp6m",
"modified": "2022-05-13T01:24:58Z",
"published": "2022-05-13T01:24:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4594"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/bc909d9ddbf7778371e36a651d6e4194b1cc7d4c"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=761646"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=bc909d9ddbf7778371e36a651d6e4194b1cc7d4c"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bc909d9ddbf7778371e36a651d6e4194b1cc7d4c"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/12/08/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFV6-3F5P-J5C6
Vulnerability from github – Published: 2024-02-17 00:31 – Updated: 2024-10-31 21:31ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.
{
"affected": [],
"aliases": [
"CVE-2023-45918"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T22:15:07Z",
"severity": "MODERATE"
},
"details": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.",
"id": "GHSA-pfv6-3f5p-j5c6",
"modified": "2024-10-31T21:31:44Z",
"published": "2024-02-17T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300290#c1"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240315-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.