CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6309 vulnerabilities reference this CWE, most recent first.
GHSA-PQ66-H8QJ-7XG9
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-16 18:30In the Linux kernel, the following vulnerability has been resolved:
cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU
Commit
5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU")
adds functionality that architectures can use to optionally allocate and build cacheinfo early during boot. Commit
6539cffa9495 ("cacheinfo: Add arch specific early level initializer")
lets secondary CPUs correct (and reallocate memory) cacheinfo data if needed.
If the early build functionality is not used and cacheinfo does not need correction, memory for cacheinfo is never allocated. x86 does not use the early build functionality. Consequently, during the cacheinfo CPU hotplug callback, last_level_cache_is_valid() attempts to dereference a NULL pointer:
BUG: kernel NULL pointer dereference, address: 0000000000000100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not present page PGD 0 P4D 0 Oops: 0000 [#1] PREEPMT SMP NOPTI CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1 RIP: 0010: last_level_cache_is_valid+0x95/0xe0a
Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback if not done earlier.
Moreover, before determining the validity of the last-level cache info, ensure that it has been allocated. Simply checking for non-zero cache_leaves() is not sufficient, as some architectures (e.g., Intel processors) have non-zero cache_leaves() before allocation.
Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size(). This function iterates over all online CPUs. However, a CPU may have come online recently, but its cacheinfo may not have been allocated yet.
While here, remove an unnecessary indentation in allocate_cache_info().
[ bp: Massage. ]
{
"affected": [],
"aliases": [
"CVE-2024-56617"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:21Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU\n\nCommit\n\n 5944ce092b97 (\"arch_topology: Build cacheinfo from primary CPU\")\n\nadds functionality that architectures can use to optionally allocate and\nbuild cacheinfo early during boot. Commit\n\n 6539cffa9495 (\"cacheinfo: Add arch specific early level initializer\")\n\nlets secondary CPUs correct (and reallocate memory) cacheinfo data if\nneeded.\n\nIf the early build functionality is not used and cacheinfo does not need\ncorrection, memory for cacheinfo is never allocated. x86 does not use\nthe early build functionality. Consequently, during the cacheinfo CPU\nhotplug callback, last_level_cache_is_valid() attempts to dereference\na NULL pointer:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000100\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEPMT SMP NOPTI\n CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1\n RIP: 0010: last_level_cache_is_valid+0x95/0xe0a\n\nAllocate memory for cacheinfo during the cacheinfo CPU hotplug callback\nif not done earlier.\n\nMoreover, before determining the validity of the last-level cache info,\nensure that it has been allocated. Simply checking for non-zero\ncache_leaves() is not sufficient, as some architectures (e.g., Intel\nprocessors) have non-zero cache_leaves() before allocation.\n\nDereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size().\nThis function iterates over all online CPUs. However, a CPU may have come\nonline recently, but its cacheinfo may not have been allocated yet.\n\nWhile here, remove an unnecessary indentation in allocate_cache_info().\n\n [ bp: Massage. ]",
"id": "GHSA-pq66-h8qj-7xg9",
"modified": "2025-01-16T18:30:59Z",
"published": "2024-12-27T15:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56617"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95e197354e0de07e9a20819bdae6562e4dda0f20"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3fce429a1e030b50c1c91351d69b8667eef627b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQ7F-896M-7JG7
Vulnerability from github – Published: 2024-02-13 09:30 – Updated: 2024-02-13 09:30A vulnerability has been identified in Tecnomatix Plant Simulation V2201 (All versions), Tecnomatix Plant Simulation V2302 (All versions < V2302.0007). The affected applications contain a null pointer dereference vulnerability while parsing specially crafted SPP files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.
{
"affected": [],
"aliases": [
"CVE-2024-23800"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-13T09:15:48Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in Tecnomatix Plant Simulation V2201 (All versions), Tecnomatix Plant Simulation V2302 (All versions \u003c V2302.0007). The affected applications contain a null pointer dereference vulnerability while parsing specially crafted SPP files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.",
"id": "GHSA-pq7f-896m-7jg7",
"modified": "2024-02-13T09:30:33Z",
"published": "2024-02-13T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23800"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-017796.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PQC2-JW96-C94G
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00A NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c may lead to program crash when parsing corrupt DWARF data.
{
"affected": [],
"aliases": [
"CVE-2022-38127"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c may lead to program crash when parsing corrupt DWARF data.",
"id": "GHSA-pqc2-jw96-c94g",
"modified": "2022-09-08T00:00:32Z",
"published": "2022-09-02T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38127"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29290"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQC6-P826-C5QW
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service
{
"affected": [],
"aliases": [
"CVE-2020-13950"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T07:15:00Z",
"severity": "HIGH"
},
"details": "Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service",
"id": "GHSA-pqc6-p826-c5qw",
"modified": "2022-05-24T19:04:56Z",
"published": "2022-05-24T19:04:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13950"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd@%3Cdev.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rbe197409ae4a58b629fb792d1aed541ccbbf865121a80e1c5938d223@%3Cannounce.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-38"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210702-0001"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/06/10/4"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PQF9-M843-PPVG
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-11-19 18:31In the Linux kernel, the following vulnerability has been resolved:
spi: spi-qpic-snand: reallocate BAM transactions
Using the mtd_nandbiterrs module for testing the driver occasionally results in weird things like below.
- swiotlb mapping fails with the following message:
[ 85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots) [ 85.932937] qcom_snand 79b0000.spi: failure in mapping desc [ 87.999314] qcom_snand 79b0000.spi: failure to write raw page [ 87.999352] mtd_nandbiterrs: error: write_oob failed (-110)
Rebooting the board after this causes a panic due to a NULL pointer dereference.
- If the swiotlb mapping does not fail, rebooting the board may result in a different panic due to a bad spinlock magic:
[ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241 [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b ...
Investigating the issue revealed that these symptoms are results of memory corruption which is caused by out of bounds access within the driver.
The driver uses a dynamically allocated structure for BAM transactions, which structure must have enough space for all possible variations of different flash operations initiated by the driver. The required space heavily depends on the actual number of 'codewords' which is calculated from the pagesize of the actual NAND chip.
Although the qcom_nandc_alloc() function allocates memory for the BAM transactions during probe, but since the actual number of 'codewords' is not yet know the allocation is done for one 'codeword' only.
Because of this, whenever the driver does a flash operation, and the number of the required transactions exceeds the size of the allocated arrays the driver accesses memory out of the allocated range.
To avoid this, change the code to free the initially allocated BAM transactions memory, and allocate a new one once the actual number of 'codewords' required for a given NAND chip is known.
{
"affected": [],
"aliases": [
"CVE-2025-38398"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T13:15:29Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: reallocate BAM transactions\n\nUsing the mtd_nandbiterrs module for testing the driver occasionally\nresults in weird things like below.\n\n1. swiotlb mapping fails with the following message:\n\n [ 85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)\n [ 85.932937] qcom_snand 79b0000.spi: failure in mapping desc\n [ 87.999314] qcom_snand 79b0000.spi: failure to write raw page\n [ 87.999352] mtd_nandbiterrs: error: write_oob failed (-110)\n\n Rebooting the board after this causes a panic due to a NULL pointer\n dereference.\n\n2. If the swiotlb mapping does not fail, rebooting the board may result\n in a different panic due to a bad spinlock magic:\n\n [ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241\n [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b\n ...\n\nInvestigating the issue revealed that these symptoms are results of\nmemory corruption which is caused by out of bounds access within the\ndriver.\n\nThe driver uses a dynamically allocated structure for BAM transactions,\nwhich structure must have enough space for all possible variations of\ndifferent flash operations initiated by the driver. The required space\nheavily depends on the actual number of \u0027codewords\u0027 which is calculated\nfrom the pagesize of the actual NAND chip.\n\nAlthough the qcom_nandc_alloc() function allocates memory for the BAM\ntransactions during probe, but since the actual number of \u0027codewords\u0027\nis not yet know the allocation is done for one \u0027codeword\u0027 only.\n\nBecause of this, whenever the driver does a flash operation, and the\nnumber of the required transactions exceeds the size of the allocated\narrays the driver accesses memory out of the allocated range.\n\nTo avoid this, change the code to free the initially allocated BAM\ntransactions memory, and allocate a new one once the actual number of\n\u0027codewords\u0027 required for a given NAND chip is known.",
"id": "GHSA-pqf9-m843-ppvg",
"modified": "2025-11-19T18:31:15Z",
"published": "2025-07-25T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38398"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86fb36de1132b560f9305f0c78fa69f459fa0980"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d85d0380292a7e618915069c3579ae23c7c80339"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQFP-6QG3-J74H
Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-20 21:30In the Linux kernel, the following vulnerability has been resolved:
drm/connector: only call HDMI audio helper plugged cb if non-null
On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb with NULL as the callback function and codec_dev, as seen in its hdmi_remove function.
The HDMI audio helper then happily tries calling said null function pointer, and produces an Oops as a result.
Fix this by only executing the callback if fn is non-null. This means the .plugged_cb and .plugged_cb_dev members still get appropriately cleared.
{
"affected": [],
"aliases": [
"CVE-2025-38130"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/connector: only call HDMI audio helper plugged cb if non-null\n\nOn driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb\nwith NULL as the callback function and codec_dev, as seen in its\nhdmi_remove function.\n\nThe HDMI audio helper then happily tries calling said null function\npointer, and produces an Oops as a result.\n\nFix this by only executing the callback if fn is non-null. This means\nthe .plugged_cb and .plugged_cb_dev members still get appropriately\ncleared.",
"id": "GHSA-pqfp-6qg3-j74h",
"modified": "2025-11-20T21:30:29Z",
"published": "2025-07-03T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38130"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/933f3eab1d489af8d734bff855b10d29dd5968a4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be9b3f9a54101c19226c25ba7163d291183777a0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQHM-4WVF-2JG8
Vulnerability from github – Published: 2022-05-24 22:10 – Updated: 2022-05-24 22:10Impact
The implementation of tf.raw_ops.QuantizedConv2D does not fully validate the input arguments:
import tensorflow as tf
input = tf.constant(1, shape=[1, 2, 3, 3], dtype=tf.quint8)
filter = tf.constant(1, shape=[1, 2, 3, 3], dtype=tf.quint8)
# bad args
min_input = tf.constant([], shape=[0], dtype=tf.float32)
max_input = tf.constant(0, shape=[], dtype=tf.float32)
min_filter = tf.constant(0, shape=[], dtype=tf.float32)
max_filter = tf.constant(0, shape=[], dtype=tf.float32)
tf.raw_ops.QuantizedConv2D(
input=input,
filter=filter,
min_input=min_input,
max_input=max_input,
min_filter=min_filter,
max_filter=max_filter,
strides=[1, 1, 1, 1],
padding="SAME")
In this case, references get bound to nullptr for each argument that is empty (in the example, all arguments in the bad args section).
Patches
We have patched the issue in GitHub commit 0f0b080ecde4d3dfec158d6f60da34d5e31693c4.
The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29201"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T22:10:20Z",
"nvd_published_at": "2022-05-20T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe implementation of [`tf.raw_ops.QuantizedConv2D`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/quantized_conv_ops.cc) does not fully validate the input arguments:\n\n```python\nimport tensorflow as tf\n\ninput = tf.constant(1, shape=[1, 2, 3, 3], dtype=tf.quint8)\nfilter = tf.constant(1, shape=[1, 2, 3, 3], dtype=tf.quint8)\n\n# bad args\nmin_input = tf.constant([], shape=[0], dtype=tf.float32)\nmax_input = tf.constant(0, shape=[], dtype=tf.float32)\nmin_filter = tf.constant(0, shape=[], dtype=tf.float32)\nmax_filter = tf.constant(0, shape=[], dtype=tf.float32)\n\ntf.raw_ops.QuantizedConv2D(\n input=input,\n filter=filter,\n min_input=min_input,\n max_input=max_input,\n min_filter=min_filter,\n max_filter=max_filter, \n strides=[1, 1, 1, 1],\n padding=\"SAME\")\n```\n\nIn this case, references get bound to `nullptr` for each argument that is empty (in the example, all arguments in the `bad args` section).\n\n### Patches\nWe have patched the issue in GitHub commit [0f0b080ecde4d3dfec158d6f60da34d5e31693c4](https://github.com/tensorflow/tensorflow/commit/0f0b080ecde4d3dfec158d6f60da34d5e31693c4).\n\nThe fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Neophytos Christou from Secure Systems Lab at Brown University.\n",
"id": "GHSA-pqhm-4wvf-2jg8",
"modified": "2022-05-24T22:10:20Z",
"published": "2022-05-24T22:10:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-pqhm-4wvf-2jg8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29201"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/0f0b080ecde4d3dfec158d6f60da34d5e31693c4"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/quantized_conv_ops.cc"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Missing validation results in undefined behavior in `QuantizedConv2D`"
}
GHSA-PQJX-HGWW-FPJ7
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-26 00:30In the Linux kernel, the following vulnerability has been resolved:
hfs: fix general protection fault in hfs_find_init()
The hfs_find_init() method can trigger the crash if tree pointer is NULL:
[ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI [ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] [ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full) [ 45.750250][ T9787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 45.751983][ T9787] RIP: 0010:hfs_find_init+0x86/0x230 [ 45.752834][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc [ 45.755574][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202 [ 45.756432][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09 [ 45.757457][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8 [ 45.758282][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000 [ 45.758943][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004 [ 45.759619][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000 [ 45.760293][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000 [ 45.761050][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 45.761606][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0 [ 45.762286][ T9787] Call Trace: [ 45.762570][ T9787] [ 45.762824][ T9787] hfs_ext_read_extent+0x190/0x9d0 [ 45.763269][ T9787] ? submit_bio_noacct_nocheck+0x2dd/0xce0 [ 45.763766][ T9787] ? __pfx_hfs_ext_read_extent+0x10/0x10 [ 45.764250][ T9787] hfs_get_block+0x55f/0x830 [ 45.764646][ T9787] block_read_full_folio+0x36d/0x850 [ 45.765105][ T9787] ? __pfx_hfs_get_block+0x10/0x10 [ 45.765541][ T9787] ? const_folio_flags+0x5b/0x100 [ 45.765972][ T9787] ? __pfx_hfs_read_folio+0x10/0x10 [ 45.766415][ T9787] filemap_read_folio+0xbe/0x290 [ 45.766840][ T9787] ? __pfx_filemap_read_folio+0x10/0x10 [ 45.767325][ T9787] ? __filemap_get_folio+0x32b/0xbf0 [ 45.767780][ T9787] do_read_cache_folio+0x263/0x5c0 [ 45.768223][ T9787] ? __pfx_hfs_read_folio+0x10/0x10 [ 45.768666][ T9787] read_cache_page+0x5b/0x160 [ 45.769070][ T9787] hfs_btree_open+0x491/0x1740 [ 45.769481][ T9787] hfs_mdb_get+0x15e2/0x1fb0 [ 45.769877][ T9787] ? __pfx_hfs_mdb_get+0x10/0x10 [ 45.770316][ T9787] ? find_held_lock+0x2b/0x80 [ 45.770731][ T9787] ? lockdep_init_map_type+0x5c/0x280 [ 45.771200][ T9787] ? lockdep_init_map_type+0x5c/0x280 [ 45.771674][ T9787] hfs_fill_super+0x38e/0x720 [ 45.772092][ T9787] ? __pfx_hfs_fill_super+0x10/0x10 [ 45.772549][ T9787] ? snprintf+0xbe/0x100 [ 45.772931][ T9787] ? __pfx_snprintf+0x10/0x10 [ 45.773350][ T9787] ? do_raw_spin_lock+0x129/0x2b0 [ 45.773796][ T9787] ? find_held_lock+0x2b/0x80 [ 45.774215][ T9787] ? set_blocksize+0x40a/0x510 [ 45.774636][ T9787] ? sb_set_blocksize+0x176/0x1d0 [ 45.775087][ T9787] ? setup_bdev_super+0x369/0x730 [ 45.775533][ T9787] get_tree_bdev_flags+0x384/0x620 [ 45.775985][ T9787] ? __pfx_hfs_fill_super+0x10/0x10 [ 45.776453][ T9787] ? __pfx_get_tree_bdev_flags+0x10/0x10 [ 45.776950][ T9787] ? bpf_lsm_capable+0x9/0x10 [ 45.777365][ T9787] ? security_capable+0x80/0x260 [ 45.777803][ T9787] vfs_get_tree+0x8e/0x340 [ 45.778203][ T9787] path_mount+0x13de/0x2010 [ 45.778604][ T9787] ? kmem_cache_free+0x2b0/0x4c0 [ 45.779052][ T9787] ? __pfx_path_mount+0x10/0x10 [ 45.779480][ T9787] ? getname_flags.part.0+0x1c5/0x550 [ 45.779954][ T9787] ? putname+0x154/0x1a0 [ 45.780335][ T9787] __x64_sys_mount+0x27b/0x300 [ 45.780758][ T9787] ? __pfx___x64_sys_mount+0x10/0x10 [ 45.781232][ T9787] ---truncated---
{
"affected": [],
"aliases": [
"CVE-2025-38716"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:41Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix general protection fault in hfs_find_init()\n\nThe hfs_find_init() method can trigger the crash\nif tree pointer is NULL:\n\n[ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI\n[ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]\n[ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full)\n[ 45.750250][ T9787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 45.751983][ T9787] RIP: 0010:hfs_find_init+0x86/0x230\n[ 45.752834][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc\n[ 45.755574][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202\n[ 45.756432][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09\n[ 45.757457][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8\n[ 45.758282][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000\n[ 45.758943][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004\n[ 45.759619][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000\n[ 45.760293][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000\n[ 45.761050][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 45.761606][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0\n[ 45.762286][ T9787] Call Trace:\n[ 45.762570][ T9787] \u003cTASK\u003e\n[ 45.762824][ T9787] hfs_ext_read_extent+0x190/0x9d0\n[ 45.763269][ T9787] ? submit_bio_noacct_nocheck+0x2dd/0xce0\n[ 45.763766][ T9787] ? __pfx_hfs_ext_read_extent+0x10/0x10\n[ 45.764250][ T9787] hfs_get_block+0x55f/0x830\n[ 45.764646][ T9787] block_read_full_folio+0x36d/0x850\n[ 45.765105][ T9787] ? __pfx_hfs_get_block+0x10/0x10\n[ 45.765541][ T9787] ? const_folio_flags+0x5b/0x100\n[ 45.765972][ T9787] ? __pfx_hfs_read_folio+0x10/0x10\n[ 45.766415][ T9787] filemap_read_folio+0xbe/0x290\n[ 45.766840][ T9787] ? __pfx_filemap_read_folio+0x10/0x10\n[ 45.767325][ T9787] ? __filemap_get_folio+0x32b/0xbf0\n[ 45.767780][ T9787] do_read_cache_folio+0x263/0x5c0\n[ 45.768223][ T9787] ? __pfx_hfs_read_folio+0x10/0x10\n[ 45.768666][ T9787] read_cache_page+0x5b/0x160\n[ 45.769070][ T9787] hfs_btree_open+0x491/0x1740\n[ 45.769481][ T9787] hfs_mdb_get+0x15e2/0x1fb0\n[ 45.769877][ T9787] ? __pfx_hfs_mdb_get+0x10/0x10\n[ 45.770316][ T9787] ? find_held_lock+0x2b/0x80\n[ 45.770731][ T9787] ? lockdep_init_map_type+0x5c/0x280\n[ 45.771200][ T9787] ? lockdep_init_map_type+0x5c/0x280\n[ 45.771674][ T9787] hfs_fill_super+0x38e/0x720\n[ 45.772092][ T9787] ? __pfx_hfs_fill_super+0x10/0x10\n[ 45.772549][ T9787] ? snprintf+0xbe/0x100\n[ 45.772931][ T9787] ? __pfx_snprintf+0x10/0x10\n[ 45.773350][ T9787] ? do_raw_spin_lock+0x129/0x2b0\n[ 45.773796][ T9787] ? find_held_lock+0x2b/0x80\n[ 45.774215][ T9787] ? set_blocksize+0x40a/0x510\n[ 45.774636][ T9787] ? sb_set_blocksize+0x176/0x1d0\n[ 45.775087][ T9787] ? setup_bdev_super+0x369/0x730\n[ 45.775533][ T9787] get_tree_bdev_flags+0x384/0x620\n[ 45.775985][ T9787] ? __pfx_hfs_fill_super+0x10/0x10\n[ 45.776453][ T9787] ? __pfx_get_tree_bdev_flags+0x10/0x10\n[ 45.776950][ T9787] ? bpf_lsm_capable+0x9/0x10\n[ 45.777365][ T9787] ? security_capable+0x80/0x260\n[ 45.777803][ T9787] vfs_get_tree+0x8e/0x340\n[ 45.778203][ T9787] path_mount+0x13de/0x2010\n[ 45.778604][ T9787] ? kmem_cache_free+0x2b0/0x4c0\n[ 45.779052][ T9787] ? __pfx_path_mount+0x10/0x10\n[ 45.779480][ T9787] ? getname_flags.part.0+0x1c5/0x550\n[ 45.779954][ T9787] ? putname+0x154/0x1a0\n[ 45.780335][ T9787] __x64_sys_mount+0x27b/0x300\n[ 45.780758][ T9787] ? __pfx___x64_sys_mount+0x10/0x10\n[ 45.781232][ T9787] \n---truncated---",
"id": "GHSA-pqjx-hgww-fpj7",
"modified": "2025-11-26T00:30:16Z",
"published": "2025-09-05T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38716"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4f032979b63ad52e08aadf0faeac34ed35133ec0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d8b249527362e0ccafcaf76b3bec2a0d2aa1498"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e20e10064fdc43231636fca519c15c013a8e3d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/736a0516a16268995f4898eded49bfef077af709"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b918c17a1934ac6309b0083f41d4e9d8fb3bb46c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQMH-QR2R-5WWJ
Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-01-07 21:30In the Linux kernel, the following vulnerability has been resolved:
ipmi: ssif: initialize ssif_info->client early
During probe ssif_info->client is dereferenced in error path. However, it is set when some of the error checking has already been done. This causes following kernel crash if an error path is taken:
[ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present [ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088 ... [ 30.657723][ T674] pc : __dev_printk+0x28/0xa0 [ 30.657732][ T674] lr : _dev_err+0x7c/0xa0 ... [ 30.657772][ T674] Call trace: [ 30.657775][ T674] __dev_printk+0x28/0xa0 [ 30.657778][ T674] _dev_err+0x7c/0xa0 [ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e] [ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0 ...
Initialize ssif_info->client before any error path can be taken. Clear i2c_client data in the error path to prevent the dangling pointer from leaking.
{
"affected": [],
"aliases": [
"CVE-2021-47095"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T18:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: ssif: initialize ssif_info-\u003eclient early\n\nDuring probe ssif_info-\u003eclient is dereferenced in error path. However,\nit is set when some of the error checking has already been done. This\ncauses following kernel crash if an error path is taken:\n\n[ 30.645593][ T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present\n[ 30.657616][ T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088\n...\n[ 30.657723][ T674] pc : __dev_printk+0x28/0xa0\n[ 30.657732][ T674] lr : _dev_err+0x7c/0xa0\n...\n[ 30.657772][ T674] Call trace:\n[ 30.657775][ T674] __dev_printk+0x28/0xa0\n[ 30.657778][ T674] _dev_err+0x7c/0xa0\n[ 30.657781][ T674] ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]\n[ 30.657791][ T674] i2c_device_probe+0x37c/0x3c0\n...\n\nInitialize ssif_info-\u003eclient before any error path can be taken. Clear\ni2c_client data in the error path to prevent the dangling pointer from\nleaking.",
"id": "GHSA-pqmh-qr2r-5wwj",
"modified": "2025-01-07T21:30:54Z",
"published": "2024-03-04T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47095"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f6ab847461ce7dd89ae9db2dd4658c993355d7c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34f35f8f14bc406efc06ee4ff73202c6fd245d15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/77a7311ca167aa5b7055c549a940a56e73ee5f29"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8efd6a3391f7b0b19fb0c38e50add06ca30c94af"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQW3-898V-HG67
Vulnerability from github – Published: 2024-12-29 12:30 – Updated: 2025-01-07 21:30In the Linux kernel, the following vulnerability has been resolved:
net/9p/usbg: fix handling of the failed kzalloc() memory allocation
On the linux-next, next-20241108 vanilla kernel, the coccinelle tool gave the following error report:
./net/9p/trans_usbg.c:912:5-11: ERROR: allocation function on line 911 returns NULL not ERR_PTR on failure
kzalloc() failure is fixed to handle the NULL return case on the memory exhaustion.
{
"affected": [],
"aliases": [
"CVE-2024-56730"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-29T12:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p/usbg: fix handling of the failed kzalloc() memory allocation\n\nOn the linux-next, next-20241108 vanilla kernel, the coccinelle tool gave the\nfollowing error report:\n\n./net/9p/trans_usbg.c:912:5-11: ERROR: allocation function on line 911 returns\nNULL not ERR_PTR on failure\n\nkzalloc() failure is fixed to handle the NULL return case on the memory exhaustion.",
"id": "GHSA-pqw3-898v-hg67",
"modified": "2025-01-07T21:30:55Z",
"published": "2024-12-29T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56730"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cdb416de8b5795fd25fadcb69e1198b6df6d8cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff1060813d9347e8c45c8b8cff93a4dfdb6726ad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.