Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-242H-4QQP-HPG2

Vulnerability from github – Published: 2026-04-13 15:31 – Updated: 2026-05-20 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-13T14:16:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn-\u003ec_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic-\u003ei_cm_id-\u003eqp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n  rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n  rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n  rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n  rds_ib_get_mr (net/rds/ib_rdma.c:615)\n  __rds_rdma_map (net/rds/rdma.c:295)\n  rds_cmsg_rdma_map (net/rds/rdma.c:860)\n  rds_sendmsg (net/rds/send.c:1363)\n  ____sys_sendmsg\n  do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker.",
  "id": "GHSA-242h-4qqp-hpg2",
  "modified": "2026-05-20T18:31:30Z",
  "published": "2026-04-13T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31425"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/82e4a3b56b23b844802056c9e75a39d24169b0a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c506456ebf84c50ed9327473d4e9bd905def212b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-243H-QCM4-F6G8

Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2025-09-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: Add callback function pointer check before its call

In dpu_core_irq_callback_handler() callback function pointer is compared to NULL, but then callback function is unconditionally called by this pointer. Fix this bug by adding conditional return.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Patchwork: https://patchwork.freedesktop.org/patch/588237/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-21T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add callback function pointer check before its call\n\nIn dpu_core_irq_callback_handler() callback function pointer is compared to NULL,\nbut then callback function is unconditionally called by this pointer.\nFix this bug by adding conditional return.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\nPatchwork: https://patchwork.freedesktop.org/patch/588237/",
  "id": "GHSA-243h-qcm4-f6g8",
  "modified": "2025-09-17T18:31:14Z",
  "published": "2024-06-21T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38622"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/530f272053a5e72243a9cb07bb1296af6c346002"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/873f67699114452c2a996c4e10faac8ff860c241"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9078630ed7f8f25d65d11823e7f2b11a8e2f4f0f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2446-2CG8-9HWR

Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25
VLAI
Details

An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-20T08:59:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the \"Bluetooth\" component. It allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.",
  "id": "GHSA-2446-2cg8-9hwr",
  "modified": "2022-05-17T02:25:26Z",
  "published": "2022-05-17T02:25:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7605"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207423"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94903"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-244C-33WX-J66J

Vulnerability from github – Published: 2025-02-07 15:32 – Updated: 2025-02-07 18:31
VLAI
Details

A vulnerability, which was classified as problematic, was found in D-Link DIR-823X 240126/240802. This affects the function set_wifi_blacklists of the file /goform/set_wifi_blacklists of the component HTTP POST Request Handler. The manipulation of the argument macList leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-07T15:15:17Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability, which was classified as problematic, was found in D-Link DIR-823X 240126/240802. This affects the function set_wifi_blacklists of the file /goform/set_wifi_blacklists of the component HTTP POST Request Handler. The manipulation of the argument macList leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-244c-33wx-j66j",
  "modified": "2025-02-07T18:31:21Z",
  "published": "2025-02-07T15:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1103"
    },
    {
      "type": "WEB",
      "url": "https://tasty-foxtrot-3a8.notion.site/D-link-DIR-823X-set_wifi_blacklists-Vulnerability-1870448e619580e5bf09cf628692f7a9"
    },
    {
      "type": "WEB",
      "url": "https://tasty-foxtrot-3a8.notion.site/D-link-DIR-823X-set_wifi_blacklists-Vulnerability-1870448e619580e5bf09cf628692f7a9?pvs=73"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.294933"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.294933"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.489603"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-245J-8GJP-C4V5

Vulnerability from github – Published: 2022-12-23 00:30 – Updated: 2022-12-28 18:30
VLAI
Details

A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.",
  "id": "GHSA-245j-8gjp-c4v5",
  "modified": "2022-12-28T18:30:21Z",
  "published": "2022-12-23T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43603"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MLUXEL7AB2S5ACSDCHG67GEZHUYZBR5O"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-33"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1657"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5384"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2475-H6MJ-PRFM

Vulnerability from github – Published: 2022-08-05 00:00 – Updated: 2022-08-11 00:00
VLAI
Details

In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when a BIG-IP LTM Client SSL profile is configured on a virtual server to perform client certificate authentication with session tickets enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when a BIG-IP LTM Client SSL profile is configured on a virtual server to perform client certificate authentication with session tickets enabled, undisclosed requests cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-2475-h6mj-prfm",
  "modified": "2022-08-11T00:00:19Z",
  "published": "2022-08-05T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32455"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K16852653"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2482-HX3H-75G4

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-25 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()

Syzkaller reports a NULL deref bug as follows:

BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955

CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: dump_stack_lvl+0xcd/0x134 ? io_tctx_exit_cb+0x53/0xd3 kasan_report+0xbb/0x1f0 ? io_tctx_exit_cb+0x53/0xd3 kasan_check_range+0x140/0x190 io_tctx_exit_cb+0x53/0xd3 task_work_run+0x164/0x250 ? task_work_cancel+0x30/0x30 get_signal+0x1c3/0x2440 ? lock_downgrade+0x6e0/0x6e0 ? lock_downgrade+0x6e0/0x6e0 ? exit_signals+0x8b0/0x8b0 ? do_raw_read_unlock+0x3b/0x70 ? do_raw_spin_unlock+0x50/0x230 arch_do_signal_or_restart+0x82/0x2470 ? kmem_cache_free+0x260/0x4b0 ? putname+0xfe/0x140 ? get_sigframe_size+0x10/0x10 ? do_execveat_common.isra.0+0x226/0x710 ? lockdep_hardirqs_on+0x79/0x100 ? putname+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Kernel panic - not syncing: panic_on_warn set ...

This happens because the adding of task_work from io_ring_exit_work() isn't synchronized with canceling all work items from eg exec. The execution of the two are ordered in that they are both run by the task itself, but if io_tctx_exit_cb() is queued while we're canceling all work items off exec AND gets executed when the task exits to userspace rather than in the main loop in io_uring_cancel_generic(), then we can find current->io_uring == NULL and hit the above crash.

It's safe to add this NULL check here, because the execution of the two paths are done by the task itself.

[axboe: add code comment and also put an explanation in the commit msg]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\n\nSyzkaller reports a NULL deref bug as follows:\n\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\n Read of size 4 at addr 0000000000000138 by task file1/1955\n\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0xcd/0x134\n  ? io_tctx_exit_cb+0x53/0xd3\n  kasan_report+0xbb/0x1f0\n  ? io_tctx_exit_cb+0x53/0xd3\n  kasan_check_range+0x140/0x190\n  io_tctx_exit_cb+0x53/0xd3\n  task_work_run+0x164/0x250\n  ? task_work_cancel+0x30/0x30\n  get_signal+0x1c3/0x2440\n  ? lock_downgrade+0x6e0/0x6e0\n  ? lock_downgrade+0x6e0/0x6e0\n  ? exit_signals+0x8b0/0x8b0\n  ? do_raw_read_unlock+0x3b/0x70\n  ? do_raw_spin_unlock+0x50/0x230\n  arch_do_signal_or_restart+0x82/0x2470\n  ? kmem_cache_free+0x260/0x4b0\n  ? putname+0xfe/0x140\n  ? get_sigframe_size+0x10/0x10\n  ? do_execveat_common.isra.0+0x226/0x710\n  ? lockdep_hardirqs_on+0x79/0x100\n  ? putname+0xfe/0x140\n  ? do_execveat_common.isra.0+0x238/0x710\n  exit_to_user_mode_prepare+0x15f/0x250\n  syscall_exit_to_user_mode+0x19/0x50\n  do_syscall_64+0x42/0xb0\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0023:0x0\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  \u003c/TASK\u003e\n Kernel panic - not syncing: panic_on_warn set ...\n\nThis happens because the adding of task_work from io_ring_exit_work()\nisn\u0027t synchronized with canceling all work items from eg exec. The\nexecution of the two are ordered in that they are both run by the task\nitself, but if io_tctx_exit_cb() is queued while we\u0027re canceling all\nwork items off exec AND gets executed when the task exits to userspace\nrather than in the main loop in io_uring_cancel_generic(), then we can\nfind current-\u003eio_uring == NULL and hit the above crash.\n\nIt\u0027s safe to add this NULL check here, because the execution of the two\npaths are done by the task itself.\n\n[axboe: add code comment and also put an explanation in the commit msg]",
  "id": "GHSA-2482-hx3h-75g4",
  "modified": "2024-10-25T18:30:47Z",
  "published": "2024-10-21T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48983"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24CR-7GMF-XXWH

Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-04-29 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: fix kernel panic due to null pointer dereference

Address a kernel panic caused by a null pointer dereference in the mt792x_rx_get_wcid function. The issue arises because the deflink structure is not properly initialized with the sta context. This patch ensures that the deflink structure is correctly linked to the sta context, preventing the null pointer dereference.

BUG: kernel NULL pointer dereference, address: 0000000000000400 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1 Hardware name: /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011 RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib] RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000 RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000 R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119 R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000 FS: 0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0 Call Trace: ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib] mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common] mt76u_alloc_queues+0x784/0x810 [mt76_usb] ? __pfxmt76worker_fn+0x10/0x10 [mt76] mt76_worker_fn+0x4f/0x80 [mt76] kthread+0xd2/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ---[ end trace 0000000000000000 ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix kernel panic due to null pointer dereference\n\nAddress a kernel panic caused by a null pointer dereference in the\n`mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure\nis not properly initialized with the `sta` context. This patch ensures that the\n`deflink` structure is correctly linked to the `sta` context, preventing the\nnull pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000400\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1\n Hardware name:  /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011\n RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]\n RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000\n RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000\n R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119\n R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000\n FS:  0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0\n Call Trace:\n  \u003cTASK\u003e\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15a/0x2f0\n  ? search_module_extables+0x19/0x60\n  ? search_bpf_extables+0x5f/0x80\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]\n  mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common]\n  mt76u_alloc_queues+0x784/0x810 [mt76_usb]\n  ? __pfx___mt76_worker_fn+0x10/0x10 [mt76]\n  __mt76_worker_fn+0x4f/0x80 [mt76]\n  kthread+0xd2/0x100\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x34/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-24cr-7gmf-xxwh",
  "modified": "2025-04-29T21:31:46Z",
  "published": "2025-04-16T15:34:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22032"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0cfea60966e4b1239d20bebf02258295e189e82a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a57f8eb2a17d469d65cd1186cea26b798221d4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adc3fd2a2277b7cc0b61692463771bf9bd298036"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/effec50381991bc067acf4b3351a57831c74d27f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24FJ-279J-CVW2

Vulnerability from github – Published: 2022-02-03 00:00 – Updated: 2022-02-05 00:00
VLAI
Details

Codesys Profinet in version V4.2.0.0 is prone to null pointer dereference that allows a denial of service (DoS) attack of an unauthenticated user via SNMP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-02T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Codesys Profinet in version V4.2.0.0 is prone to null pointer dereference that allows a denial of service (DoS) attack of an unauthenticated user via SNMP.",
  "id": "GHSA-24fj-279j-cvw2",
  "modified": "2022-02-05T00:00:41Z",
  "published": "2022-02-03T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22510"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17020\u0026token=9acf91a2b5e1719ff71a019e86c3e8e411bfd252\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-24FJ-8422-2V9W

Vulnerability from github – Published: 2022-05-02 03:36 – Updated: 2025-01-21 18:31
VLAI
Details

The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly validate data sent from user mode, which allows local users to gain privileges via a crafted PE .exe file that triggers a NULL pointer dereference during chain traversal, aka "Windows Kernel NULL Pointer Dereference Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-10-14T10:30:00Z",
    "severity": "MODERATE"
  },
  "details": "The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold and SP1, and Server 2008 Gold does not properly validate data sent from user mode, which allows local users to gain privileges via a crafted PE .exe file that triggers a NULL pointer dereference during chain traversal, aka \"Windows Kernel NULL Pointer Dereference Vulnerability.\"",
  "id": "GHSA-24fj-8422-2v9w",
  "modified": "2025-01-21T18:31:00Z",
  "published": "2022-05-02T03:36:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2516"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-058"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6264"
    },
    {
      "type": "WEB",
      "url": "http://www.nsfocus.com/en/advisories/0903.html"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.