CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-22M9-9VQX-V8WW
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-04-24 21:31In the Linux kernel, the following vulnerability has been resolved:
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can happen even for a HID device that has not been "claimed" causing a crash if a broken device were attempted to be connected to the system.
Fix up the remaining in-tree HID drivers that forgot to add this same check to resolve the same issue.
{
"affected": [],
"aliases": [
"CVE-2026-23382"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them\n\nIn commit 2ff5baa9b527 (\"HID: appleir: Fix potential NULL dereference at\nraw event handle\"), we handle the fact that raw event callbacks\ncan happen even for a HID device that has not been \"claimed\" causing a\ncrash if a broken device were attempted to be connected to the system.\n\nFix up the remaining in-tree HID drivers that forgot to add this same\ncheck to resolve the same issue.",
"id": "GHSA-22m9-9vqx-v8ww",
"modified": "2026-04-24T21:31:57Z",
"published": "2026-03-25T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23382"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20864e3e41c74cda253a9fa6b6fe093c1461a6a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/575122cd6569c4c4aa13c4c9958fea506724c788"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e330889e6c8db99f04d4feb861d23de4e8fbb13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/892dbaf46bb738dacf1fa663eadb3712c85868f0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac83b0d91a3f4f0c012ba9c85fb99436cddb1208"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b48284d7f0f76023b215a3409cdc989b5081eadf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de316c1edf15bc30ff5e0d4c7b37c70fd41cf319"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecfa6f34492c493a9a1dc2900f3edeb01c79946b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-22QR-HR3V-PMR2
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-02-28 15:31A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.
{
"affected": [],
"aliases": [
"CVE-2024-41338"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T21:15:36Z",
"severity": "HIGH"
},
"details": "A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 allows attackers to cause a Denial of Service (DoS) via a crafted DHCP request.",
"id": "GHSA-22qr-hr3v-pmr2",
"modified": "2025-02-28T15:31:02Z",
"published": "2025-02-27T21:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41338"
},
{
"type": "WEB",
"url": "https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946"
},
{
"type": "WEB",
"url": "http://draytek.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-22RP-WQV6-33J7
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24The WebSockets implementation in Google Chrome before 6.0.472.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2010-3251"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-07T18:00:00Z",
"severity": "MODERATE"
},
"details": "The WebSockets implementation in Google Chrome before 6.0.472.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.",
"id": "GHSA-22rp-wqv6-33j7",
"modified": "2022-05-13T01:24:54Z",
"published": "2022-05-13T01:24:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3251"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11553"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=46750"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=51846"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-22RX-39M3-HR5W
Vulnerability from github – Published: 2022-05-14 03:58 – Updated: 2022-05-14 03:58bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.
{
"affected": [],
"aliases": [
"CVE-2015-8916"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-20T14:15:00Z",
"severity": "MODERATE"
},
"details": "bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a \"split file in multivolume RAR,\" which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.",
"id": "GHSA-22rx-39m3-hr5w",
"modified": "2022-05-14T03:58:20Z",
"published": "2022-05-14T03:58:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8916"
},
{
"type": "WEB",
"url": "https://github.com/libarchive/libarchive/issues/504"
},
{
"type": "WEB",
"url": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2015-8916"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-03"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1844.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3657"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/17/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/17/5"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91296"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3033-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-22WR-XR3P-42C4
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check phantom_stream before it is used
dcn32_enable_phantom_stream can return null, so returned value must be checked before used.
This fixes 1 NULL_RETURNS issue reported by Coverity.
{
"affected": [],
"aliases": [
"CVE-2024-49897"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check phantom_stream before it is used\n\ndcn32_enable_phantom_stream can return null, so returned value\nmust be checked before used.\n\nThis fixes 1 NULL_RETURNS issue reported by Coverity.",
"id": "GHSA-22wr-xr3p-42c4",
"modified": "2025-11-03T21:31:22Z",
"published": "2024-10-21T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49897"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1decf695ce08e23d9ded6ce83d121b2282ce9899"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3718a619a8c0a53152e76bb6769b6c414e1e83f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ba1219e299ab5462b5cb374c2fa2a67af0ea190"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d247af7c5dbf143ad6be8179bb1550e76d6af57e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db1d7e1794fed62ee16d6a72a85997bb069e2e27"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-232P-M442-J9M4
Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-10-23 15:30In the Linux kernel, the following vulnerability has been resolved:
firmware: qcom: scm: smc: Handle missing SCM device
Commit ca61d6836e6f ("firmware: qcom: scm: fix a NULL-pointer dereference") makes it explicit that qcom_scm_get_tzmem_pool() can return NULL, therefore its users should handle this.
{
"affected": [],
"aliases": [
"CVE-2024-57852"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T03:15:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: qcom: scm: smc: Handle missing SCM device\n\nCommit ca61d6836e6f (\"firmware: qcom: scm: fix a NULL-pointer\ndereference\") makes it explicit that qcom_scm_get_tzmem_pool() can\nreturn NULL, therefore its users should handle this.",
"id": "GHSA-232p-m442-j9m4",
"modified": "2025-10-23T15:30:22Z",
"published": "2025-02-27T03:34:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57852"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57a811c0886f3f3677bb4619502b35b5bb917f2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94f48ecf0a538019ca2025e0b0da391f8e7cc58c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd955b75849b58b650ca3f87b83bd78cde1da8bc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-233V-W7H6-4599
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-05-07 21:30In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: avoid use of half-online-committed context
One major usage of damon_call() is online DAMON parameters update. It is done by calling damon_commit_ctx() inside the damon_call() callback function. damon_commit_ctx() can fail for two reasons: 1) invalid parameters and 2) internal memory allocation failures. In case of failures, the damon_ctx that attempted to be updated (commit destination) can be partially updated (or, corrupted from a perspective), and therefore shouldn't be used anymore. The function only ensures the damon_ctx object can safely deallocated using damon_destroy_ctx().
The API callers are, however, calling damon_commit_ctx() only after asserting the parameters are valid, to avoid damon_commit_ctx() fails due to invalid input parameters. But it can still theoretically fail if the internal memory allocation fails. In the case, DAMON may run with the partially updated damon_ctx. This can result in unexpected behaviors including even NULL pointer dereference in case of damos_commit_dests() failure [1]. Such allocation failure is arguably too small to fail, so the real world impact would be rare. But, given the bad consequence, this needs to be fixed.
Avoid such partially-committed (maybe-corrupted) damon_ctx use by saving the damon_commit_ctx() failure on the damon_ctx object. For this, introduce damon_ctx->maybe_corrupted field. damon_commit_ctx() sets it when it is failed. kdamond_call() checks if the field is set after each damon_call_control->fn() is executed. If it is set, ignore remaining callback requests and return. All kdamond_call() callers including kdamond_fn() also check the maybe_corrupted field right after kdamond_call() invocations. If the field is set, break the kdamond_fn() main loop so that DAMON sill doesn't use the context that might be corrupted.
[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]
{
"affected": [],
"aliases": [
"CVE-2026-31445"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid use of half-online-committed context\n\nOne major usage of damon_call() is online DAMON parameters update. It is\ndone by calling damon_commit_ctx() inside the damon_call() callback\nfunction. damon_commit_ctx() can fail for two reasons: 1) invalid\nparameters and 2) internal memory allocation failures. In case of\nfailures, the damon_ctx that attempted to be updated (commit destination)\ncan be partially updated (or, corrupted from a perspective), and therefore\nshouldn\u0027t be used anymore. The function only ensures the damon_ctx object\ncan safely deallocated using damon_destroy_ctx().\n\nThe API callers are, however, calling damon_commit_ctx() only after\nasserting the parameters are valid, to avoid damon_commit_ctx() fails due\nto invalid input parameters. But it can still theoretically fail if the\ninternal memory allocation fails. In the case, DAMON may run with the\npartially updated damon_ctx. This can result in unexpected behaviors\nincluding even NULL pointer dereference in case of damos_commit_dests()\nfailure [1]. Such allocation failure is arguably too small to fail, so\nthe real world impact would be rare. But, given the bad consequence, this\nneeds to be fixed.\n\nAvoid such partially-committed (maybe-corrupted) damon_ctx use by saving\nthe damon_commit_ctx() failure on the damon_ctx object. For this,\nintroduce damon_ctx-\u003emaybe_corrupted field. damon_commit_ctx() sets it\nwhen it is failed. kdamond_call() checks if the field is set after each\ndamon_call_control-\u003efn() is executed. If it is set, ignore remaining\ncallback requests and return. All kdamond_call() callers including\nkdamond_fn() also check the maybe_corrupted field right after\nkdamond_call() invocations. If the field is set, break the kdamond_fn()\nmain loop so that DAMON sill doesn\u0027t use the context that might be\ncorrupted.\n\n[sj@kernel.org: let kdamond_call() with cancel regardless of maybe_corrupted]",
"id": "GHSA-233v-w7h6-4599",
"modified": "2026-05-07T21:30:23Z",
"published": "2026-04-22T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31445"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b247cd0654a3a306996fa80741d79296c683a56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26f775a054c3cda86ad465a64141894a90a9e145"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c495f9d3781cd692bd199531cabd4627155e8cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-239H-283C-GXPH
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2019-12412"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-19T00:15:00Z",
"severity": "HIGH"
},
"details": "A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.",
"id": "GHSA-239h-283c-gxph",
"modified": "2022-05-24T17:34:36Z",
"published": "2022-05-24T17:34:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12412"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/939937"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rce5814279a615d4a17c870a3c5b77f57975874d382ffee0b73b7f9da%40%3Cmodperl.perl.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-23C2-HG9M-2PW8
Vulnerability from github – Published: 2024-02-29 21:30 – Updated: 2024-11-20 00:32D-Link DIR-823G A1V1.0.2B05 was discovered to contain a Null-pointer dereferences in sub_41C488(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
{
"affected": [],
"aliases": [
"CVE-2024-27660"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T20:15:41Z",
"severity": "MODERATE"
},
"details": "D-Link DIR-823G A1V1.0.2B05 was discovered to contain a Null-pointer dereferences in sub_41C488(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.",
"id": "GHSA-23c2-hg9m-2pw8",
"modified": "2024-11-20T00:32:08Z",
"published": "2024-02-29T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27660"
},
{
"type": "WEB",
"url": "https://calm-healer-839.notion.site/D-LINK-DIR-823G-NPD-0x41C708-e46f864c48114f45894f4563588d7968?pvs=4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-23C8-GV7J-76HV
Vulnerability from github – Published: 2024-04-19 03:31 – Updated: 2025-05-06 18:30A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.
{
"affected": [],
"aliases": [
"CVE-2024-24991"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T02:15:08Z",
"severity": "MODERATE"
},
"details": "A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.",
"id": "GHSA-23c8-gv7j-76hv",
"modified": "2025-05-06T18:30:30Z",
"published": "2024-04-19T03:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24991"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.