CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-XCFX-VQJ9-HFV6
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19An issue was discovered in Foxit PhantomPDF before 8.3.12. It has a NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2019-20816"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-04T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Foxit PhantomPDF before 8.3.12. It has a NULL pointer dereference.",
"id": "GHSA-xcfx-vqj9-hfv6",
"modified": "2022-05-24T17:19:14Z",
"published": "2022-05-24T17:19:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20816"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XCGF-679W-PGVP
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-11-24 21:30In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix null pointer dereference in tracing_err_log_open()
Fix an issue in function 'tracing_err_log_open'. The function doesn't call 'seq_open' if the file is opened only with write permissions, which results in 'file->private_data' being left as null. If we then use 'lseek' on that opened file, 'seq_lseek' dereferences 'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic. Writing to this node requires root privileges, therefore this bug has very little security impact.
Tracefs node: /sys/kernel/tracing/error_log
Example Kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038 Call trace: mutex_lock+0x30/0x110 seq_lseek+0x34/0xb8 __arm64_sys_lseek+0x6c/0xb8 invoke_syscall+0x58/0x13c el0_svc_common+0xc4/0x10c do_el0_svc+0x24/0x98 el0_svc+0x24/0x88 el0t_64_sync_handler+0x84/0xe4 el0t_64_sync+0x1b4/0x1b8 Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02) ---[ end trace 561d1b49c12cf8a5 ]--- Kernel panic - not syncing: Oops: Fatal exception
{
"affected": [],
"aliases": [
"CVE-2023-53167"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix null pointer dereference in tracing_err_log_open()\n\nFix an issue in function \u0027tracing_err_log_open\u0027.\nThe function doesn\u0027t call \u0027seq_open\u0027 if the file is opened only with\nwrite permissions, which results in \u0027file-\u003eprivate_data\u0027 being left as null.\nIf we then use \u0027lseek\u0027 on that opened file, \u0027seq_lseek\u0027 dereferences\n\u0027file-\u003eprivate_data\u0027 in \u0027mutex_lock(\u0026m-\u003elock)\u0027, resulting in a kernel panic.\nWriting to this node requires root privileges, therefore this bug\nhas very little security impact.\n\nTracefs node: /sys/kernel/tracing/error_log\n\nExample Kernel panic:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000038\nCall trace:\n mutex_lock+0x30/0x110\n seq_lseek+0x34/0xb8\n __arm64_sys_lseek+0x6c/0xb8\n invoke_syscall+0x58/0x13c\n el0_svc_common+0xc4/0x10c\n do_el0_svc+0x24/0x98\n el0_svc+0x24/0x88\n el0t_64_sync_handler+0x84/0xe4\n el0t_64_sync+0x1b4/0x1b8\nCode: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)\n---[ end trace 561d1b49c12cf8a5 ]---\nKernel panic - not syncing: Oops: Fatal exception",
"id": "GHSA-xcgf-679w-pgvp",
"modified": "2025-11-24T21:30:57Z",
"published": "2025-09-15T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53167"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/02b0095e2fbbc060560c1065f86a211d91e27b26"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e1c9aa9288a46c342f0f2c5c0b1c0876b9b0276"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b5d9b7b875968a8a8c99dac45cb85b705c44802"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7060e5aac6dc195124c106f49106d653a416323a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93114cbc7cb169f6f26eeaed5286b91bb86b463b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/938d5b7a75e18264887387ddf9169db6d8aeef98"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCGM-PVWF-MJQ7
Vulnerability from github – Published: 2022-02-15 00:03 – Updated: 2022-10-07 00:00In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.
{
"affected": [],
"aliases": [
"CVE-2021-45343"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-25T13:15:00Z",
"severity": "MODERATE"
},
"details": "In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.",
"id": "GHSA-xcgm-pvwf-mjq7",
"modified": "2022-10-07T00:00:57Z",
"published": "2022-02-15T00:03:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45343"
},
{
"type": "WEB",
"url": "https://github.com/LibreCAD/LibreCAD/issues/1468"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCC2FZ6HZOIK3775K4MTCOUHX6PLGPEL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUMH3CWGVSMR2UIZEA35Q5UB7PDVVVYS"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-26"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5077"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCH4-2QR5-J58J
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31NULL pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2025-24515"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T17:15:34Z",
"severity": "MODERATE"
},
"details": "NULL pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access.",
"id": "GHSA-xch4-2qr5-j58j",
"modified": "2025-08-12T18:31:29Z",
"published": "2025-08-12T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24515"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01299.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XCH5-PWH8-CF69
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-29 00:00A null pointer dereference was addressed with improved validation. This issue is fixed in iOS 15.6 and iPadOS 15.6, Security Update 2022-005 Catalina, macOS Big Sur 11.6.8, macOS Monterey 12.5. Processing an image may lead to a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2022-32785"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-23T19:15:00Z",
"severity": "MODERATE"
},
"details": "A null pointer dereference was addressed with improved validation. This issue is fixed in iOS 15.6 and iPadOS 15.6, Security Update 2022-005 Catalina, macOS Big Sur 11.6.8, macOS Monterey 12.5. Processing an image may lead to a denial-of-service.",
"id": "GHSA-xch5-pwh8-cf69",
"modified": "2022-09-29T00:00:27Z",
"published": "2022-09-25T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32785"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213343"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213344"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213345"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213346"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCQ5-JM7F-RP35
Vulnerability from github – Published: 2022-10-21 12:00 – Updated: 2022-10-26 12:00A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.
{
"affected": [],
"aliases": [
"CVE-2022-3621"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-20T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.",
"id": "GHSA-xcq5-jm7f-rp35",
"modified": "2022-10-26T12:00:39Z",
"published": "2022-10-21T12:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3621"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=21a87d88c2253350e115029f14fe2a10a7e6c856"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.211920"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCV8-6XFC-9686
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-20 03:39The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2017-10790"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-02T03:29:00Z",
"severity": "HIGH"
},
"details": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.",
"id": "GHSA-xcv8-6xfc-9686",
"modified": "2025-04-20T03:39:43Z",
"published": "2022-05-13T01:09:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10790"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1464141"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00026.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201710-11"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3547-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4106"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCWJ-WFCM-M23C
Vulnerability from github – Published: 2021-05-21 14:22 – Updated: 2024-10-30 23:19Impact
An attacker can trigger a null pointer dereference by providing an invalid permutation to tf.raw_ops.SparseMatrixSparseCholesky:
import tensorflow as tf
import numpy as np
from tensorflow.python.ops.linalg.sparse import sparse_csr_matrix_ops
indices_array = np.array([[0, 0]])
value_array = np.array([-10.0], dtype=np.float32)
dense_shape = [1, 1]
st = tf.SparseTensor(indices_array, value_array, dense_shape)
input = sparse_csr_matrix_ops.sparse_tensor_to_csr_sparse_matrix(
st.indices, st.values, st.dense_shape)
permutation = tf.constant([], shape=[1, 0], dtype=tf.int32)
tf.raw_ops.SparseMatrixSparseCholesky(input=input, permutation=permutation, type=tf.float32)
This is because the implementation fails to properly validate the input arguments:
void Compute(OpKernelContext* ctx) final {
...
const Tensor& input_permutation_indices = ctx->input(1);
...
ValidateInputs(ctx, *input_matrix, input_permutation_indices, &batch_size, &num_rows);
...
}
void ValidateInputs(OpKernelContext* ctx,
const CSRSparseMatrix& sparse_matrix,
const Tensor& permutation_indices, int* batch_size,
int64* num_rows) {
OP_REQUIRES(ctx, sparse_matrix.dtype() == DataTypeToEnum<T>::value, ...)
...
}
Although ValidateInputs is called and there are checks in the body of this function, the code proceeds to the next line in ValidateInputs since OP_REQUIRES is a macro that only exits the current function.
#define OP_REQUIRES(CTX, EXP, STATUS) \
do { \
if (!TF_PREDICT_TRUE(EXP)) { \
CheckNotInComputeAsync((CTX), "OP_REQUIRES_ASYNC"); \
(CTX)->CtxFailure(__FILE__, __LINE__, (STATUS)); \
return; \
} \
} while (0)
Thus, the first validation condition that fails in ValidateInputs will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check context->status() or to convert ValidateInputs to return a Status.
Patches
We have patched the issue in GitHub commit e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29530"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T23:03:26Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can trigger a null pointer dereference by providing an invalid `permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`:\n\n```python\nimport tensorflow as tf\nimport numpy as np\nfrom tensorflow.python.ops.linalg.sparse import sparse_csr_matrix_ops\n\nindices_array = np.array([[0, 0]])\nvalue_array = np.array([-10.0], dtype=np.float32)\ndense_shape = [1, 1]\nst = tf.SparseTensor(indices_array, value_array, dense_shape)\n\ninput = sparse_csr_matrix_ops.sparse_tensor_to_csr_sparse_matrix(\n st.indices, st.values, st.dense_shape)\n\npermutation = tf.constant([], shape=[1, 0], dtype=tf.int32)\n \ntf.raw_ops.SparseMatrixSparseCholesky(input=input, permutation=permutation, type=tf.float32)\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/kernels/sparse/sparse_cholesky_op.cc#L85-L86) fails to properly validate the input arguments: \n \n```cc \nvoid Compute(OpKernelContext* ctx) final {\n ...\n const Tensor\u0026 input_permutation_indices = ctx-\u003einput(1);\n ...\n ValidateInputs(ctx, *input_matrix, input_permutation_indices, \u0026batch_size, \u0026num_rows);\n ...\n}\n\nvoid ValidateInputs(OpKernelContext* ctx,\n const CSRSparseMatrix\u0026 sparse_matrix,\n const Tensor\u0026 permutation_indices, int* batch_size,\n int64* num_rows) {\n OP_REQUIRES(ctx, sparse_matrix.dtype() == DataTypeToEnum\u003cT\u003e::value, ...)\n ...\n}\n```\nAlthough `ValidateInputs` is called and there are checks in the body of this function, the code proceeds to the next line in `ValidateInputs` since [`OP_REQUIRES`](https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/framework/op_requires.h#L41-L48) is a macro that only exits the current function.\n\n```cc\n#define OP_REQUIRES(CTX, EXP, STATUS) \\\n do { \\\n if (!TF_PREDICT_TRUE(EXP)) { \\\n CheckNotInComputeAsync((CTX), \"OP_REQUIRES_ASYNC\"); \\\n (CTX)-\u003eCtxFailure(__FILE__, __LINE__, (STATUS)); \\\n return; \\\n } \\\n } while (0)\n```\n\nThus, the first validation condition that fails in `ValidateInputs` will cause an early return from that function. However, the caller will continue execution from the next line. The fix is to either explicitly check `context-\u003estatus()` or to convert `ValidateInputs` to return a `Status`.\n\n### Patches\nWe have patched the issue in GitHub commit [e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd](https://github.com/tensorflow/tensorflow/commit/e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
"id": "GHSA-xcwj-wfcm-m23c",
"modified": "2024-10-30T23:19:46Z",
"published": "2021-05-21T14:22:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xcwj-wfcm-m23c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29530"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-458.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-656.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-167.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Invalid validation in `SparseMatrixSparseCholesky`"
}
GHSA-XCX5-VQWH-3FW6
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31In the Linux kernel, the following vulnerability has been resolved:
ionic: catch failure from devlink_alloc
Add a check for NULL on the alloc return. If devlink_alloc() fails and we try to use devlink_priv() on the NULL return, the kernel gets very unhappy and panics. With this fix, the driver load will still fail, but at least it won't panic the kernel.
{
"affected": [],
"aliases": [
"CVE-2023-53470"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:49Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: catch failure from devlink_alloc\n\nAdd a check for NULL on the alloc return. If devlink_alloc() fails and\nwe try to use devlink_priv() on the NULL return, the kernel gets very\nunhappy and panics. With this fix, the driver load will still fail,\nbut at least it won\u0027t panic the kernel.",
"id": "GHSA-xcx5-vqwh-3fw6",
"modified": "2026-01-20T18:31:51Z",
"published": "2025-10-01T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53470"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0020c16c8af7f4bc9503a2088fb30793b6771fac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d02efe7f25158c93146e3bb827bc7bb3cd5e71a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4a54903ff68ddb33b6463c94b4eb37fc584ef760"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5325f50de5b1433b27dda7ccff5cb7283722a3f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c177dd465f5c1e5f242cdb9258826c591c257e9a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XF25-29FJ-Q584
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
{
"affected": [],
"aliases": [
"CVE-2018-17000"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-13T16:29:00Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.",
"id": "GHSA-xf25-29fj-q584",
"modified": "2022-05-14T01:11:48Z",
"published": "2022-05-14T01:11:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17000"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00026.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3906-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4670"
},
{
"type": "WEB",
"url": "http://bugzilla.maptools.org/show_bug.cgi?id=2811"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00041.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105342"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.