Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6298 vulnerabilities reference this CWE, most recent first.

GHSA-XWWX-GG4V-8GP7

Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()

The validity of sock should be checked before assignment to avoid incorrect values. Commit 57569c37f0ad ("scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()") introduced this change which may lead to inconsistent values of tcp_sw_conn->sendpage and conn->datadgst_en.

Fix the issue by moving the position of the assignment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Check that sock is valid before iscsi_set_param()\n\nThe validity of sock should be checked before assignment to avoid incorrect\nvalues. Commit 57569c37f0ad (\"scsi: iscsi: iscsi_tcp: Fix null-ptr-deref\nwhile calling getpeername()\") introduced this change which may lead to\ninconsistent values of tcp_sw_conn-\u003esendpage and conn-\u003edatadgst_en.\n\nFix the issue by moving the position of the assignment.",
  "id": "GHSA-xwwx-gg4v-8gp7",
  "modified": "2026-01-20T18:31:51Z",
  "published": "2025-10-01T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53464"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48b19b79cfa37b1e50da3b5a8af529f994c08901"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/499757ad3332e2527254f9ab68dec1da087b1d96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e5c5f472972c4bc9430adc08b36763a0fa5b9f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e06a68fbbfcd8576eee8f7139fa2b13c9b72e91"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b287e21e73ec23f3788fbe40037c42dbe6e9a9a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX3Q-MVC5-C52F

Vulnerability from github – Published: 2022-05-17 02:24 – Updated: 2022-05-17 02:24
VLAI
Details

There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-24T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack.",
  "id": "GHSA-xx3q-mvc5-c52f",
  "modified": "2022-05-17T02:24:08Z",
  "published": "2022-05-17T02:24:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11590"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473167"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX4X-7C38-RPQ3

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: amd: acp-mach-common: Add missing error check for clock acquisition

The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions.

Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:56Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp-mach-common: Add missing error check for clock acquisition\n\nThe acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not\ncheck the return values of clk_get(). This could lead to a kernel crash\nwhen the invalid pointers are later dereferenced by clock core\nfunctions.\n\nFix this by:\n1. Changing clk_get() to the device-managed devm_clk_get().\n2. Adding IS_ERR() checks immediately after each clock acquisition.",
  "id": "GHSA-xx4x-7c38-rpq3",
  "modified": "2026-05-21T18:33:06Z",
  "published": "2026-05-08T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43443"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0cee68fb7f4cf1562e067c5a82d25062a973b0d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30c64fb9839949f085c8eb55b979cbd8a4c51f00"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX6W-WXQJ-HCRW

Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2025-04-20 03:45
VLAI
Details

DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 mishandles certain NULL arrays, which allows attackers to perform Denial of Service (NULL pointer dereference and application crash in AcquireQuantumMemory within MagickCore/memory.c) by providing a crafted Image File as input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-17T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 mishandles certain NULL arrays, which allows attackers to perform Denial of Service (NULL pointer dereference and application crash in AcquireQuantumMemory within MagickCore/memory.c) by providing a crafted Image File as input.",
  "id": "GHSA-xx6w-wxqj-hcrw",
  "modified": "2025-04-20T03:45:24Z",
  "published": "2022-05-13T01:17:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/716"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100882"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX7J-2FQW-VV47

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a btf decl_tag bug when tagging a function

syzbot reported a btf decl_tag bug with stack trace below:

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline] RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910 ... Call Trace: btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198 btf_check_all_types kernel/bpf/btf.c:4239 [inline] btf_parse_type_sec kernel/bpf/btf.c:4280 [inline] btf_parse kernel/bpf/btf.c:4513 [inline] btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047 bpf_btf_load kernel/bpf/syscall.c:4039 [inline] __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679 __do_sys_bpf kernel/bpf/syscall.c:4738 [inline] __se_sys_bpf kernel/bpf/syscall.c:4736 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae

The kasan error is triggered with an illegal BTF like below: type 0: void type 1: int type 2: decl_tag to func type 3 type 3: func to func_proto type 8 The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range.

Currently, the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own 'resolve' callback functions and hence handled properly in kernel. But func type doesn't have 'resolve' callback function. When btf_decl_tag_resolve() tries to check func type, it tries to get vlen of its func_proto type, which triggered the above kasan error.

To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to accessing func_proto type. In the current implementation, func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement 'resolve' callback func type properly. The 'resolve' callback will be also called in btf_check_all_types() for func types.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:59Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a btf decl_tag bug when tagging a function\n\nsyzbot reported a btf decl_tag bug with stack trace below:\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]\n  RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910\n  ...\n  Call Trace:\n   \u003cTASK\u003e\n   btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198\n   btf_check_all_types kernel/bpf/btf.c:4239 [inline]\n   btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]\n   btf_parse kernel/bpf/btf.c:4513 [inline]\n   btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047\n   bpf_btf_load kernel/bpf/syscall.c:4039 [inline]\n   __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679\n   __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]\n   __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe kasan error is triggered with an illegal BTF like below:\n   type 0: void\n   type 1: int\n   type 2: decl_tag to func type 3\n   type 3: func to func_proto type 8\nThe total number of types is 4 and the type 3 is illegal\nsince its func_proto type is out of range.\n\nCurrently, the target type of decl_tag can be struct/union, var or func.\nBoth struct/union and var implemented their own \u0027resolve\u0027 callback functions\nand hence handled properly in kernel.\nBut func type doesn\u0027t have \u0027resolve\u0027 callback function. When\nbtf_decl_tag_resolve() tries to check func type, it tries to get\nvlen of its func_proto type, which triggered the above kasan error.\n\nTo fix the issue, btf_decl_tag_resolve() needs to do btf_func_check()\nbefore trying to accessing func_proto type.\nIn the current implementation, func type is checked with\nbtf_func_check() in the main checking function btf_check_all_types().\nTo fix the above kasan issue, let us implement \u0027resolve\u0027 callback\nfunc type properly. The \u0027resolve\u0027 callback will be also called\nin btf_check_all_types() for func types.",
  "id": "GHSA-xx7j-2fqw-vv47",
  "modified": "2025-09-22T21:30:15Z",
  "published": "2025-09-22T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49228"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/796d5666f6422ddadc938fb888044fcc16f2dbe3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3bcd2110c087bc62e90fddd4a93237b049d6e68"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7e7b42f4f956f2c68ad8cda87d750093dbba737"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX7M-69FF-9CRP

Vulnerability from github – Published: 2026-02-12 22:11 – Updated: 2026-02-12 22:11
VLAI
Summary
SurrealDB vulnerable to Denial of Service through scripting function memory edge case
Details

In SurrealDB instances with the scripting capability enabled (--allow-scripting), users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.

The query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.

Whilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (--allow-guests), is enabled, then guests can perform this attack.

Impact

Any user able to execute queries on a SurrealDB instance with scripting enabled (--allow-scripting) can cause complete denial of service. The server process terminates immediately without graceful shutdown.

The underlying cause of the vulnerability is a null pointer dereference in the QuickJS-NG v0.8 JavaScript engine, this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data.

Patches

Versions prior to SurrealDB v2.6.1 and v3.0.0-beta.3 are vulnerable.

The patches for SurrealDB v2.6.1 and v3.0.0-beta.3 update the rquickjs dependency from v0.9.0 to v0.11.0, which in turn uses an updated version of QuickJS-NG.

Workarounds

Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

Administrators can also use --deny-arbitrary-query to deny arbitrary querying by either guest, record or system users, or a combination of those, with impacts to functionality for those users.

Links

SurrealDB Documentation - Capabilities SurrealDB Documentation - Guest Access SurrealQL Documentation - Scripting Functions quickjs-ng v0.9 Release Notes https://github.com/surrealdb/surrealdb/pull/6833 https://github.com/surrealdb/surrealdb/pull/6774

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-alpha.8"
            },
            {
              "fixed": "3.0.0-beta.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T22:11:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "In SurrealDB instances with the scripting capability enabled (`--allow-scripting`),  users with the ability to run arbitrary queries can trigger a server crash due to a memory-safety bug in the underlying JS engine. The SurrealDB instance terminates instantly, requiring a manual restart.\n\nThe query consists of using built-in string functions to construct a large string and passing it to the JavaScript runtime for compilation. The exact string size required to trigger the crash varies between SurrealDB versions.\n\nWhilst exploiting the vulnerability requires users to be able to run arbitrary queries, if guest access (`--allow-guests`), is enabled, then guests can perform this attack.\n\n### Impact\n\nAny user able to execute queries on a SurrealDB instance with scripting enabled (`--allow-scripting`) can cause complete denial of service. The server process terminates immediately without graceful shutdown.\n\nThe underlying cause of the vulnerability is a null pointer dereference in the `QuickJS-NG` v0.8 JavaScript engine, this vulnerability cannot be exploited to execute arbitrary code, or compromise the integrity or confidentiality of data. \n\n### Patches\n\nVersions prior to SurrealDB `v2.6.1` and `v3.0.0-beta.3` are vulnerable.\n\nThe patches for SurrealDB `v2.6.1` and `v3.0.0-beta.3` update the `rquickjs` dependency from `v0.9.0` to `v0.11.0`, which in turn uses an updated version of `QuickJS-NG`.\n\n### Workarounds\nDeny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default.\n\nAdministrators can also use `--deny-arbitrary-query`  to deny arbitrary querying by either `guest`, `record` or `system` users, or a combination of those, with impacts to functionality for those users. \n\n### Links ###\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n[SurrealDB Documentation - Guest Access](https://surrealdb.com/docs/surrealdb/security/capabilities#guest-access)\n[SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)\n[quickjs-ng v0.9 Release Notes](https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0)\nhttps://github.com/surrealdb/surrealdb/pull/6833\nhttps://github.com/surrealdb/surrealdb/pull/6774",
  "id": "GHSA-xx7m-69ff-9crp",
  "modified": "2026-02-12T22:11:48Z",
  "published": "2026-02-12T22:11:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-xx7m-69ff-9crp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/6774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/6833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/2b0389b92398d9ecff4632cd51bbf8303832a988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/bcd2ece9ef0d721215f06a47280698669f332285"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SurrealDB vulnerable to Denial of Service through scripting function memory edge case"
}

GHSA-XX8Q-M9QM-7FM9

Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2025-12-01 18:30
VLAI
Details

NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T17:15:50Z",
    "severity": "HIGH"
  },
  "details": "NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3.",
  "id": "GHSA-xx8q-m9qm-7fm9",
  "modified": "2025-12-01T18:30:38Z",
  "published": "2025-12-01T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7007"
    },
    {
      "type": "WEB",
      "url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXCJ-RHQG-M46G

Vulnerability from github – Published: 2022-11-21 20:42 – Updated: 2025-01-15 16:58
VLAI
Summary
Segfault via invalid attributes in `pywrap_tfe_src.cc`
Details

Impact

If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extract_volume_patches by passing in quantized tensors as input ksizes.

import numpy as np
import tensorflow as tf

a_input = np.array([1, -1], dtype= np.int32)
a_ksizes =  a_strides = tf.constant(dtype=tf.dtypes.qint16, value=[[1, 4], [5, 2]])


tf.compat.v1.extract_volume_patches(input=a_input,ksizes=a_ksizes,strides=a_strides,padding='VALID')

Patches

We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T20:42:00Z",
    "nvd_published_at": "2022-11-18T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIf a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a `nullptr`, which is not caught. An example can be seen in [`tf.compat.v1.extract_volume_patches`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc) by passing in quantized tensors as input `ksizes`.\n```python\nimport numpy as np\nimport tensorflow as tf\n\na_input = np.array([1, -1], dtype= np.int32)\na_ksizes =  a_strides = tf.constant(dtype=tf.dtypes.qint16, value=[[1, 4], [5, 2]])\n\n\ntf.compat.v1.extract_volume_patches(input=a_input,ksizes=a_ksizes,strides=a_strides,padding=\u0027VALID\u0027)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [e9e95553e5411834d215e6770c81a83a3d0866ce](https://github.com/tensorflow/tensorflow/commit/e9e95553e5411834d215e6770c81a83a3d0866ce).\n\nThe fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Pattarakrit Rattankul.\n",
  "id": "GHSA-xxcj-rhqg-m46g",
  "modified": "2025-01-15T16:58:58Z",
  "published": "2022-11-21T20:42:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xxcj-rhqg-m46g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/e9e95553e5411834d215e6770c81a83a3d0866ce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/kernels/image/generate_box_proposals_op.cu.cc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Segfault via invalid attributes in `pywrap_tfe_src.cc`"
}

GHSA-XXF4-CQMV-X4MH

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2021-12-28 00:01
VLAI
Details

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.",
  "id": "GHSA-xxf4-cqmv-x4mh",
  "modified": "2021-12-28T00:01:06Z",
  "published": "2021-12-22T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1964"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XXF6-HQ9Q-9R8Q

Vulnerability from github – Published: 2022-02-23 00:00 – Updated: 2022-03-17 00:05
VLAI
Details

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-22T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.",
  "id": "GHSA-xxf6-hq9q-9r8q",
  "modified": "2022-03-17T00:05:22Z",
  "published": "2022-02-23T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radareorg/radare2/commit/515e592b9bea0612bc63d8e93239ff35bcf645c7"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1e572820-e502-49d1-af0e-81833e2eb466"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZTIMAS53YT66FUS4QHQAFRJOBMUFG6D"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.