Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6305 vulnerabilities reference this CWE, most recent first.

GHSA-PMP5-RW9V-RGV5

Vulnerability from github – Published: 2022-05-14 03:52 – Updated: 2025-04-20 03:47
VLAI
Details

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-27T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.",
  "id": "GHSA-pmp5-rw9v-rgv5",
  "modified": "2025-04-20T03:47:48Z",
  "published": "2022-05-14T03:52:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15939"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201801-01"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22205"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=a54018b72d75abf2e74bf36016702da06399c1d9"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101613"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMQ2-6662-X875

Vulnerability from github – Published: 2024-04-17 12:32 – Updated: 2024-04-29 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/xen: Add some null pointer checking to smp.c

kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/xen: Add some null pointer checking to smp.c\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.",
  "id": "GHSA-pmq2-6662-x875",
  "modified": "2024-04-29T21:30:33Z",
  "published": "2024-04-17T12:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26908"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/025a8a96c7ef3ff24a9b4753a7e851ba16f11bfc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70a33a629090130d731fc1e1ad498bb672eea165"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8082bccb7ac480ceab89b09c53d20c78ae54f9fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9bbb05c0c04b49a1f7f05fd03826321dca2b8d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d211e8128c0e2122512fa5e859316540349b54af"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb279074badac0bbe28749906562d648ca4bc750"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f49c513f46dc19bf01ffad2aaaf234d7f37f6799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMQM-G7JM-76HF

Vulnerability from github – Published: 2026-04-13 15:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.

Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.

The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-13T14:16:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q-\u003ehandle.  Shared blocks leave block-\u003eq NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()\u0027s\nold-method path needs block-\u003eq which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n  tc_run (net/core/dev.c:4401)\n  __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)",
  "id": "GHSA-pmqm-g7jm-76hf",
  "modified": "2026-07-14T15:31:51Z",
  "published": "2026-04-13T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31421"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6d5bd62a09650856e1e2010eb09853eba0d64e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/febf64ca79a2d6540ab6e5e197fa0f4f7e84473e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMRX-2GV3-HV52

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-24 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usx2y: Don't call free_pages_exact() with NULL address

Unlike some other functions, we can't pass NULL pointer to free_pages_exact(). Add a proper NULL check for avoiding possible Oops.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:20Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usx2y: Don\u0027t call free_pages_exact() with NULL address\n\nUnlike some other functions, we can\u0027t pass NULL pointer to\nfree_pages_exact().  Add a proper NULL check for avoiding possible\nOops.",
  "id": "GHSA-pmrx-2gv3-hv52",
  "modified": "2024-12-24T18:30:48Z",
  "published": "2024-05-21T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47332"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d7f30cf182e55023fa8fde4c084b2d37c6be69d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/82e5ee742fdd8874fe996181b87fafe1eb5f1196"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/88262229b778f4f7a896da828d966f94dcb35d19"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bee295f5e03510252d18b25cc1d26230256eb87a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cae0cf651adccee2c3f376e78f30fbd788d0829f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMX4-MGJ6-5FC6

Vulnerability from github – Published: 2022-05-14 03:37 – Updated: 2025-04-20 03:46
VLAI
Details

security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-12T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.",
  "id": "GHSA-pmx4-mgj6-5fc6",
  "modified": "2025-04-20T03:46:38Z",
  "published": "2022-05-14T03:37:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15274"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/5649645d725c73df4302428ee4e02c869248b4c5"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1946"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1045327"
    },
    {
      "type": "WEB",
      "url": "https://patchwork.kernel.org/patch/9781573"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3583-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3583-2"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5649645d725c73df4302428ee4e02c869248b4c5"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.5"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101292"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP27-442H-QHX9

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13
VLAI
Details

QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-29T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, \u0027current_cpu\u0027 remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.",
  "id": "GHSA-pp27-442h-qhx9",
  "modified": "2022-05-13T01:13:40Z",
  "published": "2022-05-13T01:13:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1922"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283934"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg02812.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201604-01"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3469"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3470"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3471"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/16/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/16/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/81058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP5X-P6Q3-M325

Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2022-05-14 01:33
VLAI
Details

On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-17T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661).",
  "id": "GHSA-pp5x-p6q3-m325",
  "modified": "2022-05-14T01:33:26Z",
  "published": "2022-05-14T01:33:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8413"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datadancer/HIAFuzz/blob/master/MIX2_elliptic.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP62-PWJ6-PPP4

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled

If the gmac0 is disabled, the precheck for a valid ingress device will cause a NULL pointer deref and crash the system. This happens because eth->netdev[0] will be NULL but the code will directly try to access netdev_ops.

Instead of just checking for the first net_device, it must be checked if any of the mtk_eth net_devices is matching the netdev_ops of the ingress device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled\n\nIf the gmac0 is disabled, the precheck for a valid ingress device will\ncause a NULL pointer deref and crash the system. This happens because\neth-\u003enetdev[0] will be NULL but the code will directly try to access\nnetdev_ops.\n\nInstead of just checking for the first net_device, it must be checked if\nany of the mtk_eth net_devices is matching the netdev_ops of the ingress\ndevice.",
  "id": "GHSA-pp62-pwj6-ppp4",
  "modified": "2026-05-07T18:30:34Z",
  "published": "2026-05-01T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31736"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b832aad33e6f160fda310f0306a6483d85e9d6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5dff799c677152dde963c3917bacd9127b03e145"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b2380f0a0e374010c1a4a13203511b9dee5b166"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/976ff48c2ac6e6b25b01428c9d7997bcd0fb2949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP7M-7XWH-J3H9

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-10 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: cx88: Fix a null-ptr-deref bug in buffer_prepare()

When the driver calls cx88_risc_buffer() to prepare the buffer, the function call may fail, resulting in a empty buffer and null-ptr-deref later in buffer_queue().

The following log can reveal it:

[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI [ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 [ 41.836311] Call Trace: [ 41.836945] __enqueue_in_driver+0x141/0x360 [ 41.837262] vb2_start_streaming+0x62/0x4a0 [ 41.838216] vb2_core_streamon+0x1da/0x2c0 [ 41.838516] __vb2_init_fileio+0x981/0xbc0 [ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 [ 41.840072] vb2_fop_read+0x20e/0x400 [ 41.840346] v4l2_read+0x215/0x290 [ 41.840603] vfs_read+0x162/0x4c0

Fix this by checking the return value of cx88_risc_buffer()

[hverkuil: fix coding style issues]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:34Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx88: Fix a null-ptr-deref bug in buffer_prepare()\n\nWhen the driver calls cx88_risc_buffer() to prepare the buffer, the\nfunction call may fail, resulting in a empty buffer and null-ptr-deref\nlater in buffer_queue().\n\nThe following log can reveal it:\n\n[   41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\n[   41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[   41.828027] RIP: 0010:buffer_queue+0xc2/0x500\n[   41.836311] Call Trace:\n[   41.836945]  __enqueue_in_driver+0x141/0x360\n[   41.837262]  vb2_start_streaming+0x62/0x4a0\n[   41.838216]  vb2_core_streamon+0x1da/0x2c0\n[   41.838516]  __vb2_init_fileio+0x981/0xbc0\n[   41.839141]  __vb2_perform_fileio+0xbf9/0x1120\n[   41.840072]  vb2_fop_read+0x20e/0x400\n[   41.840346]  v4l2_read+0x215/0x290\n[   41.840603]  vfs_read+0x162/0x4c0\n\nFix this by checking the return value of cx88_risc_buffer()\n\n[hverkuil: fix coding style issues]",
  "id": "GHSA-pp7m-7xwh-j3h9",
  "modified": "2025-12-10T00:30:21Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50359"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10c99d1c46ea9cd940029e17bab11d021f315c21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b064d91440b33fba5b452f2d1b31f13ae911d71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4befc7ffa18ef9a4b70d854465313a345a06862f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/644d5a87ab1863eb606526ea743021752a17e9cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f21976095c1e92454ab030976f95f40d652351b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/704838040f3bdb4aa07ff4f26505a666a3defcfe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9181af2dbf06e7f432e5dbe88d10b22343e851b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2257c8a501537afab276c306cb717b7260276e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c76d04d2079a4b7369ce9a0e859c0f3f2250bcc1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP8C-QFHV-484P

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix panic in failed foilio allocation

commit 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") and commit 9a5e08652dc4b ("ocfs2: use an array of folios instead of an array of pages") save -ENOMEM in the folio array upon allocation failure and call the folio array free code.

The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic. Fix by NULLing the error folio entry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix panic in failed foilio allocation\n\ncommit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit\n9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of\npages\") save -ENOMEM in the folio array upon allocation failure and call\nthe folio array free code.\n\nThe folio array free code expects either valid folio pointers or NULL. \nFinding the -ENOMEM will result in a panic.  Fix by NULLing the error\nfolio entry.",
  "id": "GHSA-pp8c-qfhv-484p",
  "modified": "2025-11-17T15:30:32Z",
  "published": "2025-05-20T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37950"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31d4cd4eb2f8d9b87ebfa6a5e443a59e3b3d7b8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80d18f060d5bdf2c5eb3d1d00dcb744d6a879222"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.