Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-Q6CW-2HR2-G93J

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled

When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the driver encounters a NULL pointer dereference when excute svc_normal_to_secure_thread() thread, resulting in a kernel panic:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ... Data abort info: ... [0000000000000008] user address but active_mm is swapper Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT Hardware name: SoCFPGA Stratix 10 SoCDK (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : svc_normal_to_secure_thread+0x38c/0x990 lr : svc_normal_to_secure_thread+0x144/0x990 ... Call trace: svc_normal_to_secure_thread+0x38c/0x990 (P) kthread+0x150/0x210 ret_from_fork+0x10/0x20 Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402) ---[ end trace 0000000000000000 ]---

The issue occurs because rsu_send_async_msg() fails when RSU is not enabled in firmware, causing the channel to be freed via stratix10_svc_free_channel(). However, the probe function continues execution and registers svc_normal_to_secure_thread(), which subsequently attempts to access the already-freed channel, triggering the NULL pointer dereference.

Fix this by properly cleaning up the async client and returning early on failure, preventing the thread from being used with an invalid channel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:52Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled\n\nWhen the Remote System Update (RSU) isn\u0027t enabled in the First Stage\nBoot Loader (FSBL), the driver encounters a NULL pointer dereference when\nexcute svc_normal_to_secure_thread() thread, resulting in a kernel panic:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\nMem abort info:\n...\nData abort info:\n...\n[0000000000000008] user address but active_mm is swapper\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT\nHardware name: SoCFPGA Stratix 10 SoCDK (DT)\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : svc_normal_to_secure_thread+0x38c/0x990\nlr : svc_normal_to_secure_thread+0x144/0x990\n...\nCall trace:\n svc_normal_to_secure_thread+0x38c/0x990 (P)\n kthread+0x150/0x210\n ret_from_fork+0x10/0x20\nCode: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402)\n---[ end trace 0000000000000000 ]---\n\nThe issue occurs because rsu_send_async_msg() fails when RSU is not enabled\nin firmware, causing the channel to be freed via stratix10_svc_free_channel().\nHowever, the probe function continues execution and registers\nsvc_normal_to_secure_thread(), which subsequently attempts to access the\nalready-freed channel, triggering the NULL pointer dereference.\n\nFix this by properly cleaning up the async client and returning early on\nfailure, preventing the thread from being used with an invalid channel.",
  "id": "GHSA-q6cw-2hr2-g93j",
  "modified": "2026-05-21T18:33:06Z",
  "published": "2026-05-08T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43410"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa5739e0c51ad01c6e763ca89c1bfb58fc6ea71a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c45f7263100cece247dd3fa5fe277bd97fdb5687"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6FC-WP2R-HVQ3

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2025-06-09 18:31
VLAI
Details

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-08T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "nghttp2 version \u003e= 1.10.0 and nghttp2 \u003c= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in \u003e= 1.31.1.",
  "id": "GHSA-q6fc-wp2r-hvq3",
  "modified": "2025-06-09T18:31:56Z",
  "published": "2022-05-13T01:02:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000168"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0366"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0367"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/june-2018-security-releases"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103952"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6M5-RPFJ-C92F

Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-11-12 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

of: module: prevent NULL pointer dereference in vsnprintf()

In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t...

Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.",
  "id": "GHSA-q6m5-rpfj-c92f",
  "modified": "2024-11-12T18:30:50Z",
  "published": "2024-05-19T09:34:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35878"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6PX-8PWJ-PPVH

Vulnerability from github – Published: 2024-03-26 18:32 – Updated: 2025-01-27 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix the null pointer when load rlc firmware

If the RLC firmware is invalid because of wrong header size, the pointer to the rlc firmware is released in function amdgpu_ucode_request. There will be a null pointer error in subsequent use. So skip validation to fix it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-26T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix the null pointer when load rlc firmware\n\nIf the RLC firmware is invalid because of wrong header size,\nthe pointer to the rlc firmware is released in function\namdgpu_ucode_request. There will be a null pointer error\nin subsequent use. So skip validation to fix it.",
  "id": "GHSA-q6px-8pwj-ppvh",
  "modified": "2025-01-27T15:30:55Z",
  "published": "2024-03-26T18:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26649"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b5bacce2d13dbe648f0bfd3f738ecce8db4978c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc03c02cc1991a066b23e69bbcc0f66e8f1f7453"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3887448486caeef9687fb5dfebd4ff91e0f25aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6X9-7RWW-JJGG

Vulnerability from github – Published: 2025-09-09 15:31 – Updated: 2025-10-20 21:30
VLAI
Details

A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T13:15:33Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.",
  "id": "GHSA-q6x9-7rww-jjgg",
  "modified": "2025-10-20T21:30:27Z",
  "published": "2025-09-09T15:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9166"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1747.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q725-VFRQ-PW65

Vulnerability from github – Published: 2022-05-14 01:00 – Updated: 2022-05-14 01:00
VLAI
Details

LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-22T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference.",
  "id": "GHSA-q725-vfrq-pw65",
  "modified": "2022-05-14T01:00:53Z",
  "published": "2022-05-14T01:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibRaw/LibRaw/issues/194"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3989-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106299"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q72C-6P77-WJ85

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

An issue was discovered in LibSass <3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-04T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in LibSass \u003c3.5.3. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.",
  "id": "GHSA-q72c-6p77-wj85",
  "modified": "2022-05-13T01:25:03Z",
  "published": "2022-05-13T01:25:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/issues/2664"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/pull/2631"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q72R-F435-84X2

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

An issue was discovered in Realtek rtl8723de BLE Stack <= 4.1 that allows remote attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-08T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Realtek rtl8723de BLE Stack \u003c= 4.1 that allows remote attackers to cause a Denial of Service via the interval field to the CONNECT_REQ message.",
  "id": "GHSA-q72r-f435-84x2",
  "modified": "2022-05-24T17:46:49Z",
  "published": "2022-05-24T17:46:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pokerfacett/MY_REQUEST/blob/df73fe140655ea44542b03ac186e6c2b47e97540/Realtek%208723ds%20BLE%20SDK%20denial%20of%20service%20attack.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q73R-HX82-C268

Vulnerability from github – Published: 2022-11-28 12:30 – Updated: 2022-12-01 21:30
VLAI
Details

A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-28T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability exists in the handle_ioctl_83150 functionality of Callback technologies CBFS Filter 20.0.8317. A specially-crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability.",
  "id": "GHSA-q73r-hx82-c268",
  "modified": "2022-12-01T21:30:20Z",
  "published": "2022-11-28T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43588"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q73V-PP5W-Q5MQ

Vulnerability from github – Published: 2024-12-16 18:31 – Updated: 2024-12-16 18:31
VLAI
Details

A vulnerability was found in IObit Advanced SystemCare Utimate up to 17.0.0 and classified as problematic. This issue affects the function 0x8001E01C in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-16T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in IObit Advanced SystemCare Utimate up to 17.0.0 and classified as problematic. This issue affects the function 0x8001E01C in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-q73v-pp5w-q5mq",
  "modified": "2024-12-16T18:31:09Z",
  "published": "2024-12-16T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12658"
    },
    {
      "type": "WEB",
      "url": "https://shareforall.notion.site/IOBit-Advanced-SystemCare-Utimate-AscRegistryFilter-0x8001E01C-NPD-DOS-15160437bb1e800eb1cadd53b224d088"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.288527"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.288527"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.456036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.