CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6305 vulnerabilities reference this CWE, most recent first.
GHSA-XFWW-6HGP-M5C5
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2021-27953"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-03T15:15:00Z",
"severity": "HIGH"
},
"details": "A NULL pointer dereference vulnerability exists on the ecobee3 lite 4.5.81.200 device in the HomeKit Wireless Access Control setup process. A threat actor can exploit this vulnerability to cause a denial of service, forcing the device to reboot via a crafted HTTP request.",
"id": "GHSA-xfww-6hgp-m5c5",
"modified": "2022-05-24T19:09:52Z",
"published": "2022-05-24T19:09:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27953"
},
{
"type": "WEB",
"url": "https://www.l9group.com/advisories/remote-denial-of-service-of-ecobee3-lite"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XG4H-Q3QM-PP3C
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:52thttpd has a local DoS vulnerability via specially-crafted .htpasswd files
{
"affected": [],
"aliases": [
"CVE-2012-5640"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-25T15:15:00Z",
"severity": "MODERATE"
},
"details": "thttpd has a local DoS vulnerability via specially-crafted .htpasswd files",
"id": "GHSA-xg4h-q3qm-pp3c",
"modified": "2024-04-03T23:52:28Z",
"published": "2022-04-23T00:40:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5640"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2012-5640"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5640"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-5640"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/12/15/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG56-W2GW-94VG
Vulnerability from github – Published: 2023-02-01 18:30 – Updated: 2023-02-09 18:30On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: * An OAuth Server that references an OAuth Provider * An OAuth profile with the Authorization Endpoint set to '/' * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2023-22341"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T18:15:00Z",
"severity": "HIGH"
},
"details": "On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: * An OAuth Server that references an OAuth Provider * An OAuth profile with the Authorization Endpoint set to \u0027/\u0027 * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-xg56-w2gw-94vg",
"modified": "2023-02-09T18:30:28Z",
"published": "2023-02-01T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22341"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K20717585"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG6J-WC94-HHXG
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09The gf_dash_segmenter_probe_input function in GPAC v0.8 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
{
"affected": [],
"aliases": [
"CVE-2020-22352"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-04T21:15:00Z",
"severity": "MODERATE"
},
"details": "The gf_dash_segmenter_probe_input function in GPAC v0.8 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.",
"id": "GHSA-xg6j-wc94-hhxg",
"modified": "2022-05-24T19:09:54Z",
"published": "2022-05-24T19:09:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22352"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1423"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XG76-3PJJ-PF64
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table.
{
"affected": [],
"aliases": [
"CVE-2011-0709"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-02-18T20:00:00Z",
"severity": "HIGH"
},
"details": "The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table.",
"id": "GHSA-xg76-3pjj-pf64",
"modified": "2022-05-13T01:23:31Z",
"published": "2022-05-13T01:23:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0709"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7f285fa78d4b81b8458f05e77fb6b46245121b4e"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f285fa78d4b81b8458f05e77fb6b46245121b4e"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/16/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/16/14"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/02/16/8"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.35/ChangeLog-2.6.35-rc5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/41432"
},
{
"type": "WEB",
"url": "http://www.spinics.net/lists/netdev/msg134414.html"
},
{
"type": "WEB",
"url": "http://www.spinics.net/lists/netdev/msg134444.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG7G-JMMF-PMRH
Vulnerability from github – Published: 2026-06-09 18:31 – Updated: 2026-06-09 18:31InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2026-34703"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T18:16:42Z",
"severity": "MODERATE"
},
"details": "InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-xg7g-jmmf-pmrh",
"modified": "2026-06-09T18:31:03Z",
"published": "2026-06-09T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34703"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/indesign/apsb26-58.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG7J-MPG2-2HVW
Vulnerability from github – Published: 2022-10-27 12:00 – Updated: 2022-10-28 19:00A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. This issue affects the function AP4_StsdAtom of the file Ap4StsdAtom.cpp of the component MP4fragment. The manipulation leads to null pointer dereference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212003.
{
"affected": [],
"aliases": [
"CVE-2022-3663"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-26T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. This issue affects the function AP4_StsdAtom of the file Ap4StsdAtom.cpp of the component MP4fragment. The manipulation leads to null pointer dereference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212003.",
"id": "GHSA-xg7j-mpg2-2hvw",
"modified": "2022-10-28T19:00:34Z",
"published": "2022-10-27T12:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3663"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/issues/800"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/files/9817303/mp4fragment_npd_Ap4StsdAtom.cpp75.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.212003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG84-C3X5-VJR9
Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via vectors involving the keyfile variable.
{
"affected": [],
"aliases": [
"CVE-2017-12464"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-07T17:29:00Z",
"severity": "HIGH"
},
"details": "ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via vectors involving the keyfile variable.",
"id": "GHSA-xg84-c3x5-vjr9",
"modified": "2022-05-14T03:43:37Z",
"published": "2022-05-14T03:43:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12464"
},
{
"type": "WEB",
"url": "https://github.com/cn-uofbasel/ccn-lite/issues/130"
},
{
"type": "WEB",
"url": "https://github.com/cn-uofbasel/ccn-lite/releases/tag/2.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG99-57HH-RFJV
Vulnerability from github – Published: 2022-02-10 00:01 – Updated: 2025-11-04 21:30A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table variable EFI_BOOT_SERVICES. This can be used by an attacker to overwrite address location of any of the functions (FreePool,LocateHandleBuffer,HandleProtocol) to the address location of arbitrary code controlled by the attacker. On system call to SWSMI handler, the arbitrary code can be triggered to execute.
{
"affected": [],
"aliases": [
"CVE-2021-41839"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-03T02:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table variable EFI_BOOT_SERVICES. This can be used by an attacker to overwrite address location of any of the functions (FreePool,LocateHandleBuffer,HandleProtocol) to the address location of arbitrary code controlled by the attacker. On system call to SWSMI handler, the arbitrary code can be triggered to execute.",
"id": "GHSA-xg99-57hh-rfjv",
"modified": "2025-11-04T21:30:26Z",
"published": "2022-02-10T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41839"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220217-0016"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2022020"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/796611"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGC4-4VWX-6V94
Vulnerability from github – Published: 2023-12-14 21:31 – Updated: 2025-11-05 00:31cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.
{
"affected": [],
"aliases": [
"CVE-2023-50471"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T20:15:53Z",
"severity": "HIGH"
},
"details": "cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.",
"id": "GHSA-xgc4-4vwx-6v94",
"modified": "2025-11-05T00:31:15Z",
"published": "2023-12-14T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50471"
},
{
"type": "WEB",
"url": "https://github.com/DaveGamble/cJSON/issues/802"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EO4XCUTY3ZMVW4YBG6DBYVS5NSMNP6JY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JSI3LL6ZNKYNM5JKPA5FKZTATL4MPF7V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQOQ7CAOYBNHGAMNOR7ELGLC22HV3ZQV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EO4XCUTY3ZMVW4YBG6DBYVS5NSMNP6JY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSI3LL6ZNKYNM5JKPA5FKZTATL4MPF7V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YQOQ7CAOYBNHGAMNOR7ELGLC22HV3ZQV"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.