CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-X6JH-JRG5-6V49
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
vidtv_psi_pmt_stream_init() can return NULL on memory allocation failure, but vidtv_channel_pmt_match_sections() does not check for this. When tail is NULL, the subsequent call to vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL pointer offset, causing a general protection fault.
Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean up the already-allocated stream chain and return.
[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629 Call Trace: vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline] vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479 vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
{
"affected": [],
"aliases": [
"CVE-2026-31599"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections\n\nsyzbot reported a general protection fault in vidtv_psi_desc_assign [1].\n\nvidtv_psi_pmt_stream_init() can return NULL on memory allocation\nfailure, but vidtv_channel_pmt_match_sections() does not check for\nthis. When tail is NULL, the subsequent call to\nvidtv_psi_desc_assign(\u0026tail-\u003edescriptor, desc) dereferences a NULL\npointer offset, causing a general protection fault.\n\nAdd a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean\nup the already-allocated stream chain and return.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629\nCall Trace:\n \u003cTASK\u003e\n vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]\n vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479\n vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239",
"id": "GHSA-x6jh-jrg5-6v49",
"modified": "2026-06-01T18:31:27Z",
"published": "2026-04-24T15:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31599"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07c1e474cf9acf777f09d14a8f8dfcef5b84e46f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2dff11fb5098ae453651f8f77e94ad499c078022"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54e18a23e62e81b8335cec3e8e9c5cb33fd88665"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c986b77200b5ea754ba6636deacc7e0942fec9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93d9e747a9e8a5ca9e3c5e37dcff76b40399139f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7efb4c94797c504a1c678edb48c2aa311d3309f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b832cfd516b8504e95884622cee60bf9a39b7945"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e589de36da106ef739ba98f66f5a5c2023370706"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8e1fc918a9fe67103bcda01d20d745f264d00a7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X6M4-8Q2V-7X97
Vulnerability from github – Published: 2023-02-18 00:31 – Updated: 2023-02-28 21:30HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, virtio.c has is a call to vc_cfgread that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit df0e46c7dbfd81a957d85e449ba41b52f6f7beb4.
{
"affected": [],
"aliases": [
"CVE-2021-32843"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-17T23:15:00Z",
"severity": "MODERATE"
},
"details": "HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, `virtio.c` has is a call to `vc_cfgread` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit df0e46c7dbfd81a957d85e449ba41b52f6f7beb4.",
"id": "GHSA-x6m4-8q2v-7x97",
"modified": "2023-02-28T21:30:16Z",
"published": "2023-02-18T00:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32843"
},
{
"type": "WEB",
"url": "https://github.com/moby/hyperkit/pull/313"
},
{
"type": "WEB",
"url": "https://github.com/moby/hyperkit/commit/df0e46c7dbfd81a957d85e449ba41b52f6f7beb4"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X6M9-RGR7-FM6P
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition. This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a NULL pointer dereference, resulting in a crash of the dhcpd process. While the dhcpd process is restarting, which may take up to approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period. Note: Only the dhcpd process crashes and eventually restarts automatically. The router does not reload.
{
"affected": [],
"aliases": [
"CVE-2021-34737"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-09T05:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition. This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a NULL pointer dereference, resulting in a crash of the dhcpd process. While the dhcpd process is restarting, which may take up to approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period. Note: Only the dhcpd process crashes and eventually restarts automatically. The router does not reload.",
"id": "GHSA-x6m9-rgr7-fm6p",
"modified": "2022-05-24T19:14:06Z",
"published": "2022-05-24T19:14:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34737"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-pjPVReLU"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X6P8-9R6F-F728
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.
{
"affected": [],
"aliases": [
"CVE-2014-5353"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-12-16T23:59:00Z",
"severity": "LOW"
},
"details": "The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.",
"id": "GHSA-x6p8-9r6f-f728",
"modified": "2022-05-13T01:11:50Z",
"published": "2022-05-13T01:11:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5353"
},
{
"type": "WEB",
"url": "https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0536.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155828.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00061.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0439.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0794.html"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:009"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/71679"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1031376"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2498-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X6V8-WGGP-5C32
Vulnerability from github – Published: 2026-01-29 09:31 – Updated: 2026-01-29 09:31A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service.
{
"affected": [],
"aliases": [
"CVE-2026-23565"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-29T09:16:04Z",
"severity": "MODERATE"
},
"details": "A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service.",
"id": "GHSA-x6v8-wggp-5c32",
"modified": "2026-01-29T09:31:50Z",
"published": "2026-01-29T09:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23565"
},
{
"type": "WEB",
"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X6WM-3H8R-FCF5
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-08 00:00SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.
{
"affected": [],
"aliases": [
"CVE-2021-27632"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T14:15:00Z",
"severity": "HIGH"
},
"details": "SAP NetWeaver ABAP Server and ABAP Platform (Enqueue Server), versions - KRNL32NUC - 7.22,7.22EXT, KRNL64NUC - 7.22,7.22EXT,7.49, KRNL64UC - 8.04,7.22,7.22EXT,7.49,7.53,7.73, KERNEL - 7.22,8.04,7.49,7.53,7.73, allows an unauthenticated attacker without specific knowledge of the system to send a specially crafted packet over a network which will trigger an internal error in the system due to improper input validation in method EnqConvUniToSrvReq() causing the system to crash and rendering it unavailable. In this attack, no data in the system can be viewed or modified.",
"id": "GHSA-x6wm-3h8r-fcf5",
"modified": "2022-10-08T00:00:33Z",
"published": "2022-05-24T19:04:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27632"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3020104"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164595/SAP-NetWeaver-ABAP-Enqueue-Memory-Corruption.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Oct/29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X732-54Q6-PV67
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring
Replace NULL check with IS_ERR() check after calling page_pool_create() since this function returns error pointers (ERR_PTR). Using NULL check could lead to invalid pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2025-39858"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T16:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring\n\nReplace NULL check with IS_ERR() check after calling page_pool_create()\nsince this function returns error pointers (ERR_PTR).\nUsing NULL check could lead to invalid pointer dereference.",
"id": "GHSA-x732-54q6-pv67",
"modified": "2025-12-12T21:31:32Z",
"published": "2025-09-22T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39858"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b77d8841a98a9f45c8a615222c698df8dec581c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e580beaf43d563aaf457f1c7f934002355ebfe7b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X738-FP96-2H57
Vulnerability from github – Published: 2025-07-04 15:31 – Updated: 2025-11-18 18:32In the Linux kernel, the following vulnerability has been resolved:
configfs-tsm-report: Fix NULL dereference of tsm_ops
Unlike sysfs, the lifetime of configfs objects is controlled by userspace. There is no mechanism for the kernel to find and delete all created config-items. Instead, the configfs-tsm-report mechanism has an expectation that tsm_unregister() can happen at any time and cause established config-item access to start failing.
That expectation is not fully satisfied. While tsm_report_read(), tsm_report_{is,is_bin}_visible(), and tsm_report_make_item() safely fail if tsm_ops have been unregistered, tsm_report_privlevel_store() tsm_report_provider_show() fail to check for ops registration. Add the missing checks for tsm_ops having been removed.
Now, in supporting the ability for tsm_unregister() to always succeed, it leaves the problem of what to do with lingering config-items. The expectation is that the admin that arranges for the ->remove() (unbind) of the ${tsm_arch}-guest driver is also responsible for deletion of all open config-items. Until that deletion happens, ->probe() (reload / bind) of the ${tsm_arch}-guest driver fails.
This allows for emergency shutdown / revocation of attestation interfaces, and requires coordinated restart.
{
"affected": [],
"aliases": [
"CVE-2025-38210"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T14:15:29Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nconfigfs-tsm-report: Fix NULL dereference of tsm_ops\n\nUnlike sysfs, the lifetime of configfs objects is controlled by\nuserspace. There is no mechanism for the kernel to find and delete all\ncreated config-items. Instead, the configfs-tsm-report mechanism has an\nexpectation that tsm_unregister() can happen at any time and cause\nestablished config-item access to start failing.\n\nThat expectation is not fully satisfied. While tsm_report_read(),\ntsm_report_{is,is_bin}_visible(), and tsm_report_make_item() safely fail\nif tsm_ops have been unregistered, tsm_report_privlevel_store()\ntsm_report_provider_show() fail to check for ops registration. Add the\nmissing checks for tsm_ops having been removed.\n\nNow, in supporting the ability for tsm_unregister() to always succeed,\nit leaves the problem of what to do with lingering config-items. The\nexpectation is that the admin that arranges for the -\u003eremove() (unbind)\nof the ${tsm_arch}-guest driver is also responsible for deletion of all\nopen config-items. Until that deletion happens, -\u003eprobe() (reload /\nbind) of the ${tsm_arch}-guest driver fails.\n\nThis allows for emergency shutdown / revocation of attestation\ninterfaces, and requires coordinated restart.",
"id": "GHSA-x738-fp96-2h57",
"modified": "2025-11-18T18:32:47Z",
"published": "2025-07-04T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38210"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/015f04ac884a454d4d8aaa7b67758f047742b1cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cefbafcbdef011d6ef9414902311afdfba3c33eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fba4ceaa242d2bdf4c04b77bda41d32d02d3925d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X767-VGJW-4WWH
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-16 21:30In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
When attempting to connect multiple ISO sockets without using DEFER_SETUP may result in the following crash:
BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0 Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted 6.0.0-rc7-02243-gb84a13ff4eda #4373 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl+0x19/0x27 kasan_report+0xbc/0xf0 ? hci_create_cis_sync+0x18b/0x2b0 hci_create_cis_sync+0x18b/0x2b0 ? get_link_mode+0xd0/0xd0 ? __ww_mutex_lock_slowpath+0x10/0x10 ? mutex_lock+0xe0/0xe0 ? get_link_mode+0xd0/0xd0 hci_cmd_sync_work+0x111/0x190 process_one_work+0x427/0x650 worker_thread+0x87/0x750 ? process_one_work+0x650/0x650 kthread+0x14e/0x180 ? kthread_exit+0x50/0x50 ret_from_fork+0x22/0x30
{
"affected": [],
"aliases": [
"CVE-2022-50447"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix crash on hci_create_cis_sync\n\nWhen attempting to connect multiple ISO sockets without using\nDEFER_SETUP may result in the following crash:\n\nBUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0\nRead of size 2 at addr 0000000000000036 by task kworker/u3:1/50\n\nCPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted\n6.0.0-rc7-02243-gb84a13ff4eda #4373\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009),\nBIOS 1.16.0-1.fc36 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x19/0x27\n kasan_report+0xbc/0xf0\n ? hci_create_cis_sync+0x18b/0x2b0\n hci_create_cis_sync+0x18b/0x2b0\n ? get_link_mode+0xd0/0xd0\n ? __ww_mutex_lock_slowpath+0x10/0x10\n ? mutex_lock+0xe0/0xe0\n ? get_link_mode+0xd0/0xd0\n hci_cmd_sync_work+0x111/0x190\n process_one_work+0x427/0x650\n worker_thread+0x87/0x750\n ? process_one_work+0x650/0x650\n kthread+0x14e/0x180\n ? kthread_exit+0x50/0x50\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e",
"id": "GHSA-x767-vgjw-4wwh",
"modified": "2026-01-16T21:30:28Z",
"published": "2025-10-01T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50447"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09a3b0c9c7c6b10587fbb610b718014703cff341"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50757a259ba78c4e938b5735e76ffec6cd0c942e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a190cd9dc62d6ebeb679c1abe9dda4162dfefc84"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X78H-GF69-P5J6
Vulnerability from github – Published: 2026-05-27 12:31 – Updated: 2026-06-26 21:32In the Linux kernel, the following vulnerability has been resolved:
bpf: fix end-of-list detection in cgroup_storage_get_next_key()
list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.
Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.
{
"affected": [],
"aliases": [
"CVE-2026-45838"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T11:16:23Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix end-of-list detection in cgroup_storage_get_next_key()\n\nlist_next_entry() never returns NULL -- when the current element is the\nlast entry it wraps to the list head via container_of(). The subsequent\nNULL check is therefore dead code and get_next_key() never returns\n-ENOENT for the last element, instead reading storage-\u003ekey from a bogus\npointer that aliases internal map fields and copying the result to\nuserspace.\n\nReplace it with list_entry_is_head() so the function correctly returns\n-ENOENT when there are no more entries.",
"id": "GHSA-x78h-gf69-p5j6",
"modified": "2026-06-26T21:32:04Z",
"published": "2026-05-27T12:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45838"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f3d9dd5e1fd52b39e25328307c6a694e994ffe3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26d3339e465e54107bd85884341d1609c5300d6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2c88b2d96e1d4d0c7c4589a4593d4cdee6d332d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.