CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-2788-7PRJ-R2QV
Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-04-29 21:31In the Linux kernel, the following vulnerability has been resolved:
PCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion
When BIOS neglects to assign bus numbers to PCI bridges, the kernel attempts to correct that during PCI device enumeration. If it runs out of bus numbers, no pci_bus is allocated and the "subordinate" pointer in the bridge's pci_dev remains NULL.
The PCIe bandwidth controller erroneously does not check for a NULL subordinate pointer and dereferences it on probe.
Bandwidth control of unusable devices below the bridge is of questionable utility, so simply error out instead. This mirrors what PCIe hotplug does since commit 62e4492c3063 ("PCI: Prevent NULL dereference during pciehp probe").
The PCI core emits a message with KERN_INFO severity if it has run out of bus numbers. PCIe hotplug emits an additional message with KERN_ERR severity to inform the user that hotplug functionality is disabled at the bridge. A similar message for bandwidth control does not seem merited, given that its only purpose so far is to expose an up-to-date link speed in sysfs and throttle the link speed on certain laptops with limited Thermal Design Power. So error out silently.
User-visible messages:
pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring [...] pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74 pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them [...] pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring [...] BUG: kernel NULL pointer dereference RIP: pcie_update_link_speed pcie_bwnotif_enable pcie_bwnotif_probe pcie_port_probe_service really_probe
{
"affected": [],
"aliases": [
"CVE-2025-22031"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T15:15:55Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/bwctrl: Fix NULL pointer dereference on bus number exhaustion\n\nWhen BIOS neglects to assign bus numbers to PCI bridges, the kernel\nattempts to correct that during PCI device enumeration. If it runs out\nof bus numbers, no pci_bus is allocated and the \"subordinate\" pointer in\nthe bridge\u0027s pci_dev remains NULL.\n\nThe PCIe bandwidth controller erroneously does not check for a NULL\nsubordinate pointer and dereferences it on probe.\n\nBandwidth control of unusable devices below the bridge is of questionable\nutility, so simply error out instead. This mirrors what PCIe hotplug does\nsince commit 62e4492c3063 (\"PCI: Prevent NULL dereference during pciehp\nprobe\").\n\nThe PCI core emits a message with KERN_INFO severity if it has run out of\nbus numbers. PCIe hotplug emits an additional message with KERN_ERR\nseverity to inform the user that hotplug functionality is disabled at the\nbridge. A similar message for bandwidth control does not seem merited,\ngiven that its only purpose so far is to expose an up-to-date link speed\nin sysfs and throttle the link speed on certain laptops with limited\nThermal Design Power. So error out silently.\n\nUser-visible messages:\n\n pci 0000:16:02.0: bridge configuration invalid ([bus 00-00]), reconfiguring\n [...]\n pci_bus 0000:45: busn_res: [bus 45-74] end is updated to 74\n pci 0000:16:02.0: devices behind bridge are unusable because [bus 45-74] cannot be assigned for them\n [...]\n pcieport 0000:16:02.0: pciehp: Hotplug bridge without secondary bus, ignoring\n [...]\n BUG: kernel NULL pointer dereference\n RIP: pcie_update_link_speed\n pcie_bwnotif_enable\n pcie_bwnotif_probe\n pcie_port_probe_service\n really_probe",
"id": "GHSA-2788-7prj-r2qv",
"modified": "2025-04-29T21:31:46Z",
"published": "2025-04-16T15:34:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22031"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1181924af78e5299ddec6e457789c02dd5966559"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/667f053b05f00a007738cd7ed6fa1901de19dc7e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d93d309013e89631630a12b1770d27e4be78362a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-278H-99F9-M238
Vulnerability from github – Published: 2023-12-14 21:31 – Updated: 2023-12-19 21:32cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c.
{
"affected": [],
"aliases": [
"CVE-2023-50472"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T20:15:53Z",
"severity": "HIGH"
},
"details": "cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c.",
"id": "GHSA-278h-99f9-m238",
"modified": "2023-12-19T21:32:19Z",
"published": "2023-12-14T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50472"
},
{
"type": "WEB",
"url": "https://github.com/DaveGamble/cJSON/issues/803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2794-C693-53GF
Vulnerability from github – Published: 2024-12-16 18:31 – Updated: 2024-12-16 18:31A vulnerability classified as problematic has been found in FabulaTech USB over Network 6.0.6.1. Affected is the function 0x22040C in the library ftusbbus2.sys of the component IOCT Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-12653"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T16:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in FabulaTech USB over Network 6.0.6.1. Affected is the function 0x22040C in the library ftusbbus2.sys of the component IOCT Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-2794-c693-53gf",
"modified": "2024-12-16T18:31:09Z",
"published": "2024-12-16T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12653"
},
{
"type": "WEB",
"url": "https://shareforall.notion.site/FabulaTech-USB-over-Network-Client-ftusbbus2-0x22040C-NPD-DOS-15160437bb1e80228995f9a74a5c233c?pvs=4"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.288522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.288522"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.456026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2795-WFR2-M5V3
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-06 15:30In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Avoid fcport pointer dereference
Klocwork reported warning of NULL pointer may be dereferenced. The routine exits when sa_ctl is NULL and fcport is allocated after the exit call thus causing NULL fcport pointer to dereference at the time of exit.
To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.
{
"affected": [],
"aliases": [
"CVE-2023-53603"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:56Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Avoid fcport pointer dereference\n\nKlocwork reported warning of NULL pointer may be dereferenced. The routine\nexits when sa_ctl is NULL and fcport is allocated after the exit call thus\ncausing NULL fcport pointer to dereference at the time of exit.\n\nTo avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.",
"id": "GHSA-2795-wfr2-m5v3",
"modified": "2026-02-06T15:30:59Z",
"published": "2025-10-04T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53603"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4406fe8a96a946c7ea5724ee59625755a1d9c59d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/477bc74ad1add644b606bff6ba1284943c42818a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b504d06976fe4a61cc05dedc68b84fadb397f77"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bbeff613ec0560fb2f6f8b405288f3f043adf64"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27FW-6HP8-FGWW
Vulnerability from github – Published: 2022-05-17 00:27 – Updated: 2022-05-17 00:27The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)
{
"affected": [],
"aliases": [
"CVE-2017-14225"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-09T08:29:00Z",
"severity": "HIGH"
},
"details": "The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)",
"id": "GHSA-27fw-6hp8-fgww",
"modified": "2022-05-17T00:27:12Z",
"published": "2022-05-17T00:27:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14225"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2"
},
{
"type": "WEB",
"url": "https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2017-August/215198.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3996"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100704"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27H4-M228-RWM7
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01Improper validation of the ChassisID TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows attackers to cause a denial of service due to a NULL pointer dereference via a crafted lldp packet.
{
"affected": [],
"aliases": [
"CVE-2021-25845"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-10T11:15:00Z",
"severity": "HIGH"
},
"details": "Improper validation of the ChassisID TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows attackers to cause a denial of service due to a NULL pointer dereference via a crafted lldp packet.",
"id": "GHSA-27h4-m228-rwm7",
"modified": "2022-05-24T19:01:56Z",
"published": "2022-05-24T19:01:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25845"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/vport-06ec-2v-series-ip-cameras-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-27Q7-WQ4M-6CJM
Vulnerability from github – Published: 2022-05-14 03:24 – Updated: 2022-05-14 03:24In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, added a change to check if the pointer has been reset to NULL or not, before writing to the memory pointed by the pointer.
{
"affected": [],
"aliases": [
"CVE-2018-3592"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-11T15:29:00Z",
"severity": "CRITICAL"
},
"details": "In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, added a change to check if the pointer has been reset to NULL or not, before writing to the memory pointed by the pointer.",
"id": "GHSA-27q7-wq4m-6cjm",
"modified": "2022-05-14T03:24:17Z",
"published": "2022-05-14T03:24:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3592"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-04-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27QM-738J-QWW9
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-11 21:31In the Linux kernel, the following vulnerability has been resolved:
HID: prodikeys: Check presence of pm->input_ep82
Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later.
This does not happen with the real device, but can be provoked by imposing as one.
{
"affected": [],
"aliases": [
"CVE-2026-43251"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:45Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: prodikeys: Check presence of pm-\u003einput_ep82\n\nFake USB devices can send their own report descriptors for which the\ninput_mapping() hook does not get called. In this case, pm-\u003einput_ep82 stays\nNULL, which leads to a crash later.\n\nThis does not happen with the real device, but can be provoked by imposing as\none.",
"id": "GHSA-27qm-738j-qww9",
"modified": "2026-05-11T21:31:31Z",
"published": "2026-05-06T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43251"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f1b21cc67a15d7d081378a9b8747dd000a017b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cee8337e1bad168136aecfe6416ecd7d3aa7529a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d08f35f843881ec504d7537a9bb728a073db3366"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5512ce892f774d37c53082adadfcad04f21b50e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7ac1cd823cd2e9fcbd5cb0b261d6d35dbb79341"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/edccbf7d6dc05d692bde3a89de5a4001f72a0fa4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee572578f09f0e743e9383393a75c3a7a0f9b4c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f580c79683356632f12f2c2029f2fe936d953aa1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27QW-FFF9-QJQ8
Vulnerability from github – Published: 2025-07-07 03:30 – Updated: 2025-07-07 03:30Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability.
{
"affected": [],
"aliases": [
"CVE-2025-53180"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T03:15:29Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference vulnerability in the PDF preview module\nImpact: Successful exploitation of this vulnerability may affect function stability.",
"id": "GHSA-27qw-fff9-qjq8",
"modified": "2025-07-07T03:30:23Z",
"published": "2025-07-07T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53180"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27QW-RMPJ-379Q
Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
jfs: fix null ptr deref in dtInsertEntry
[syzbot reported] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713 ... [Analyze] In dtInsertEntry(), when the pointer h has the same value as p, after writing name in UniStrncpy_to_le(), p->header.flag will be cleared. This will cause the previously true judgment "p->header.flag & BT-LEAF" to change to no after writing the name operation, this leads to entering an incorrect branch and accessing the uninitialized object ih when judging this condition for the second time.
[Fix] After got the page, check freelist first, if freelist == 0 then exit dtInsert() and return -EINVAL.
{
"affected": [],
"aliases": [
"CVE-2024-44939"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T12:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix null ptr deref in dtInsertEntry\n\n[syzbot reported]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 5061 Comm: syz-executor404 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nRIP: 0010:dtInsertEntry+0xd0c/0x1780 fs/jfs/jfs_dtree.c:3713\n...\n[Analyze]\nIn dtInsertEntry(), when the pointer h has the same value as p, after writing\nname in UniStrncpy_to_le(), p-\u003eheader.flag will be cleared. This will cause the\npreviously true judgment \"p-\u003eheader.flag \u0026 BT-LEAF\" to change to no after writing\nthe name operation, this leads to entering an incorrect branch and accessing the\nuninitialized object ih when judging this condition for the second time.\n\n[Fix]\nAfter got the page, check freelist first, if freelist == 0 then exit dtInsert()\nand return -EINVAL.",
"id": "GHSA-27qw-rmpj-379q",
"modified": "2025-11-04T00:31:19Z",
"published": "2024-08-26T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44939"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/53023ab11836ac56fd75f7a71ec1356e50920fa9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6ea10dbb1e6c58384136e9adfd75f81951e423f6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c2ac38530d1a3ee558834dfa16c85a40fd0e702"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce6dede912f064a855acf6f04a04cbb2c25b8c8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f98bf80b20f4a930589cda48a35f751a64fe0dc2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.