Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-PP27-442H-QHX9

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13
VLAI
Details

QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-29T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, \u0027current_cpu\u0027 remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.",
  "id": "GHSA-pp27-442h-qhx9",
  "modified": "2022-05-13T01:13:40Z",
  "published": "2022-05-13T01:13:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1922"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283934"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg02812.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201604-01"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3469"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3470"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3471"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/16/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/16/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/81058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP5X-P6Q3-M325

Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2022-05-14 01:33
VLAI
Details

On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-17T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer dereference in the ioctl interface of the device file /dev/elliptic1 or /dev/elliptic0 causes a system crash via IOCTL 0x4008c575 (aka decimal 1074316661).",
  "id": "GHSA-pp5x-p6q3-m325",
  "modified": "2022-05-14T01:33:26Z",
  "published": "2022-05-14T01:33:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8413"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datadancer/HIAFuzz/blob/master/MIX2_elliptic.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP62-PWJ6-PPP4

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled

If the gmac0 is disabled, the precheck for a valid ingress device will cause a NULL pointer deref and crash the system. This happens because eth->netdev[0] will be NULL but the code will directly try to access netdev_ops.

Instead of just checking for the first net_device, it must be checked if any of the mtk_eth net_devices is matching the netdev_ops of the ingress device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled\n\nIf the gmac0 is disabled, the precheck for a valid ingress device will\ncause a NULL pointer deref and crash the system. This happens because\neth-\u003enetdev[0] will be NULL but the code will directly try to access\nnetdev_ops.\n\nInstead of just checking for the first net_device, it must be checked if\nany of the mtk_eth net_devices is matching the netdev_ops of the ingress\ndevice.",
  "id": "GHSA-pp62-pwj6-ppp4",
  "modified": "2026-05-07T18:30:34Z",
  "published": "2026-05-01T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31736"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b832aad33e6f160fda310f0306a6483d85e9d6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5dff799c677152dde963c3917bacd9127b03e145"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b2380f0a0e374010c1a4a13203511b9dee5b166"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/976ff48c2ac6e6b25b01428c9d7997bcd0fb2949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP7M-7XWH-J3H9

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-10 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: cx88: Fix a null-ptr-deref bug in buffer_prepare()

When the driver calls cx88_risc_buffer() to prepare the buffer, the function call may fail, resulting in a empty buffer and null-ptr-deref later in buffer_queue().

The following log can reveal it:

[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI [ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 [ 41.836311] Call Trace: [ 41.836945] __enqueue_in_driver+0x141/0x360 [ 41.837262] vb2_start_streaming+0x62/0x4a0 [ 41.838216] vb2_core_streamon+0x1da/0x2c0 [ 41.838516] __vb2_init_fileio+0x981/0xbc0 [ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 [ 41.840072] vb2_fop_read+0x20e/0x400 [ 41.840346] v4l2_read+0x215/0x290 [ 41.840603] vfs_read+0x162/0x4c0

Fix this by checking the return value of cx88_risc_buffer()

[hverkuil: fix coding style issues]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:34Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx88: Fix a null-ptr-deref bug in buffer_prepare()\n\nWhen the driver calls cx88_risc_buffer() to prepare the buffer, the\nfunction call may fail, resulting in a empty buffer and null-ptr-deref\nlater in buffer_queue().\n\nThe following log can reveal it:\n\n[   41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\n[   41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[   41.828027] RIP: 0010:buffer_queue+0xc2/0x500\n[   41.836311] Call Trace:\n[   41.836945]  __enqueue_in_driver+0x141/0x360\n[   41.837262]  vb2_start_streaming+0x62/0x4a0\n[   41.838216]  vb2_core_streamon+0x1da/0x2c0\n[   41.838516]  __vb2_init_fileio+0x981/0xbc0\n[   41.839141]  __vb2_perform_fileio+0xbf9/0x1120\n[   41.840072]  vb2_fop_read+0x20e/0x400\n[   41.840346]  v4l2_read+0x215/0x290\n[   41.840603]  vfs_read+0x162/0x4c0\n\nFix this by checking the return value of cx88_risc_buffer()\n\n[hverkuil: fix coding style issues]",
  "id": "GHSA-pp7m-7xwh-j3h9",
  "modified": "2025-12-10T00:30:21Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50359"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10c99d1c46ea9cd940029e17bab11d021f315c21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b064d91440b33fba5b452f2d1b31f13ae911d71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4befc7ffa18ef9a4b70d854465313a345a06862f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/644d5a87ab1863eb606526ea743021752a17e9cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f21976095c1e92454ab030976f95f40d652351b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/704838040f3bdb4aa07ff4f26505a666a3defcfe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9181af2dbf06e7f432e5dbe88d10b22343e851b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2257c8a501537afab276c306cb717b7260276e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c76d04d2079a4b7369ce9a0e859c0f3f2250bcc1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP8C-QFHV-484P

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix panic in failed foilio allocation

commit 7e119cff9d0a ("ocfs2: convert w_pages to w_folios") and commit 9a5e08652dc4b ("ocfs2: use an array of folios instead of an array of pages") save -ENOMEM in the folio array upon allocation failure and call the folio array free code.

The folio array free code expects either valid folio pointers or NULL. Finding the -ENOMEM will result in a panic. Fix by NULLing the error folio entry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix panic in failed foilio allocation\n\ncommit 7e119cff9d0a (\"ocfs2: convert w_pages to w_folios\") and commit\n9a5e08652dc4b (\"ocfs2: use an array of folios instead of an array of\npages\") save -ENOMEM in the folio array upon allocation failure and call\nthe folio array free code.\n\nThe folio array free code expects either valid folio pointers or NULL. \nFinding the -ENOMEM will result in a panic.  Fix by NULLing the error\nfolio entry.",
  "id": "GHSA-pp8c-qfhv-484p",
  "modified": "2025-11-17T15:30:32Z",
  "published": "2025-05-20T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37950"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31d4cd4eb2f8d9b87ebfa6a5e443a59e3b3d7b8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80d18f060d5bdf2c5eb3d1d00dcb744d6a879222"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPHC-92V7-V4W2

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check

The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid.

Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear it is from the same subnet but it actually isn't especially in modern environments with containers and virtual switching.

Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix potential NULL dereference in ttl check\n\nThe nf_osf_ttl() function accessed skb-\u003edev to perform a local interface\naddress lookup without verifying that the device pointer was valid.\n\nAdditionally, the implementation utilized an in_dev_for_each_ifa_rcu\nloop to match the packet source address against local interface\naddresses. It assumed that packets from the same subnet should not see a\ndecrement on the initial TTL. A packet might appear it is from the same\nsubnet but it actually isn\u0027t especially in modern environments with\ncontainers and virtual switching.\n\nRemove the device dereference and interface loop. Replace the logic with\na switch statement that evaluates the TTL according to the ttl_check.",
  "id": "GHSA-pphc-92v7-v4w2",
  "modified": "2026-06-28T09:31:37Z",
  "published": "2026-06-24T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52998"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d05de2f0928d81309a815ecc76d1a3ad72cbc16"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/711987ba281fd806322a7cd244e98e2a81903114"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79b90a96688e521771fa6ed3dc7864b76b8df293"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83fc5dd63455a779ea2dd0f7ffee3c920919d80b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95be653a76793856ff8b2d8bd82c2943c23f5ca8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c996a90f3071cf43683e5423da31aadbe002b8b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/edc806f9122961f0d3819f7c69c14cccde31f277"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4de0777e4554a7de19c920accde6319dd530782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPJR-267J-5P9X

Vulnerability from github – Published: 2023-03-20 21:11 – Updated: 2023-07-19 19:19
VLAI
Summary
NULL pointer derefernce in `stb_image`
Details

A bug in error handling in the stb_image C library could cause a NULL pointer dereference when attempting to load an invalid or unsupported image file. This is fixed in version 0.2.5 and later of the stb_image Rust crate, by patching the C code to correctly handle NULL pointers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "stb_image"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-20T21:11:58Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A bug in error handling in the `stb_image` C library could cause a NULL pointer dereference when attempting to load an invalid or unsupported image file.  This is fixed in version 0.2.5 and later of the `stb_image` Rust crate, by patching the C code to correctly handle NULL pointers.\n",
  "id": "GHSA-ppjr-267j-5p9x",
  "modified": "2023-07-19T19:19:42Z",
  "published": "2023-03-20T21:11:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/servo/rust-stb-image/pull/102"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/servo/rust-stb-imag"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "NULL pointer derefernce in `stb_image`"
}

GHSA-PPWX-W5V2-MFJ6

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

An issue was discovered in swftools through 20200710. A NULL pointer dereference exists in the function dump_method() located in abc.c. It allows an attacker to cause Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in swftools through 20200710. A NULL pointer dereference exists in the function dump_method() located in abc.c. It allows an attacker to cause Denial of Service.",
  "id": "GHSA-ppwx-w5v2-mfj6",
  "modified": "2022-05-24T19:15:06Z",
  "published": "2022-05-24T19:15:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39575"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matthiaskramm/swftools/issues/128"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PQ25-X76J-WRFP

Vulnerability from github – Published: 2022-11-10 19:01 – Updated: 2022-11-10 19:01
VLAI
Details

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-10T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.",
  "id": "GHSA-pq25-x76j-wrfp",
  "modified": "2022-11-10T19:01:07Z",
  "published": "2022-11-10T19:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34666"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5383"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ4C-FM9X-V9HJ

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: handle empty bo and UAF races

There look to be some nasty races here when triggering the invalidate_mappings hook:

1) We do xe_bo_alloc() followed by the attach, before the actual full bo init step in xe_dma_buf_init_obj(). However the bo is visible on the attachments list after the attach. This is bad since exporter driver, say amdgpu, can at any time call back into our invalidate_mappings hook, with an empty/bogus bo, leading to potential bugs/crashes.

2) Similar to 1) but here we get a UAF, when the invalidate_mappings hook is triggered. For example, we get as far as xe_bo_init_locked() but this fails in some way. But here the bo will be freed on error, but we still have it attached from dma-buf pov, so if the invalidate_mappings is now triggered then the bo we access is gone and we trigger UAF and more bugs/crashes.

To fix this, move the attach step until after we actually have a fully set up buffer object. Note that the bo is not published to userspace until later, so not sure what the comment "Don't publish the bo until we have a valid attachment", is referring to.

We have at least two different customers reporting hitting a NULL ptr deref in evict_flags when importing something from amdgpu, followed by triggering the evict flow. Hit rate is also pretty low, which would hint at some kind of race, so something like 1) or 2) might explain this.

v2: - Shuffle the order of the ops slightly (no functional change) - Improve the comment to better explain the ordering (Matt B)

(cherry picked from commit af1f2ad0c59fe4e2f924c526f66e968289d77971)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/dma-buf: handle empty bo and UAF races\n\nThere look to be some nasty races here when triggering the\ninvalidate_mappings hook:\n\n1) We do xe_bo_alloc() followed by the attach, before the actual full bo\n   init step in xe_dma_buf_init_obj(). However the bo is visible on the\n   attachments list after the attach.  This is bad since exporter driver,\n   say amdgpu, can at any time call back into our invalidate_mappings hook,\n   with an empty/bogus bo, leading to potential bugs/crashes.\n\n2) Similar to 1) but here we get a UAF, when the invalidate_mappings\n   hook is triggered. For example, we get as far as xe_bo_init_locked()\n   but this fails in some way. But here the bo will be freed on error, but\n   we still have it attached from dma-buf pov, so if the\n   invalidate_mappings is now triggered then the bo we access is gone and\n   we trigger UAF and more bugs/crashes.\n\nTo fix this, move the attach step until after we actually have a fully\nset up buffer object. Note that the bo is not published to userspace\nuntil later, so not sure what the comment \"Don\u0027t publish the bo\nuntil we have a valid attachment\", is referring to.\n\nWe have at least two different customers reporting hitting a NULL ptr\nderef in evict_flags when importing something from amdgpu, followed by\ntriggering the evict flow. Hit rate is also pretty low, which would\nhint at some kind of race, so something like 1) or 2) might explain\nthis.\n\nv2:\n  - Shuffle the order of the ops slightly (no functional change)\n  - Improve the comment to better explain the ordering (Matt B)\n\n(cherry picked from commit af1f2ad0c59fe4e2f924c526f66e968289d77971)",
  "id": "GHSA-pq4c-fm9x-v9hj",
  "modified": "2026-06-30T03:37:11Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52951"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52951"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492353"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20a99ea1e2fd720856d6ba497ff26b82c604751f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/981bedbbe61364fcc3a3b87ebaf648a66cd07108"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9894731e513019df22a29e5c52f1c98890355ff1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c473ae25421fddc3dde247ba7b85225b10641d09"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52951.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.