Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-2F9P-C2RC-CFF7

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-10-08 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfs/blocklayout: Don't attempt unregister for invalid block device

Since commit d869da91cccb ("nfs/blocklayout: Fix premature PR key unregistration") an unmount of a pNFS SCSI layout-enabled NFS may dereference a NULL block_device in:

bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver] bl_free_device+0x70/0x80 [blocklayoutdriver] bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver] nfs4_put_deviceid_node+0x60/0xc0 [nfsv4] nfs4_deviceid_purge_client+0x132/0x190 [nfsv4] unset_pnfs_layoutdriver+0x59/0x60 [nfsv4] nfs4_destroy_server+0x36/0x70 [nfsv4] nfs_free_server+0x23/0xe0 [nfs] deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x59/0x90 syscall_exit_to_user_mode+0x217/0x220 do_syscall_64+0x8e/0x160

This happens because even though we were able to create the nfs4_deviceid_node, the lookup for the device was unable to attach the block device to the pnfs_block_dev.

If we never found a block device to register, we can avoid this case with the PNFS_BDEV_REGISTERED flag. Move the deref behind the test for the flag.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:23Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/blocklayout: Don\u0027t attempt unregister for invalid block device\n\nSince commit d869da91cccb (\"nfs/blocklayout: Fix premature PR key\nunregistration\") an unmount of a pNFS SCSI layout-enabled NFS may\ndereference a NULL block_device in:\n\n  bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver]\n  bl_free_device+0x70/0x80 [blocklayoutdriver]\n  bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver]\n  nfs4_put_deviceid_node+0x60/0xc0 [nfsv4]\n  nfs4_deviceid_purge_client+0x132/0x190 [nfsv4]\n  unset_pnfs_layoutdriver+0x59/0x60 [nfsv4]\n  nfs4_destroy_server+0x36/0x70 [nfsv4]\n  nfs_free_server+0x23/0xe0 [nfs]\n  deactivate_locked_super+0x30/0xb0\n  cleanup_mnt+0xba/0x150\n  task_work_run+0x59/0x90\n  syscall_exit_to_user_mode+0x217/0x220\n  do_syscall_64+0x8e/0x160\n\nThis happens because even though we were able to create the\nnfs4_deviceid_node, the lookup for the device was unable to attach the\nblock device to the pnfs_block_dev.\n\nIf we never found a block device to register, we can avoid this case with\nthe PNFS_BDEV_REGISTERED flag.  Move the deref behind the test for the\nflag.",
  "id": "GHSA-2f9p-c2rc-cff7",
  "modified": "2025-10-08T15:32:24Z",
  "published": "2024-12-27T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53167"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3402704a424f34bbcca7f4a4503859357f422217"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a4ce14d9a6b868e0787e4582420b721c04ee41e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faa4bacfaeed827a4ca8cb8529a3ce65a9e8ef46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FM3-57PQ-4JP3

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-01-23 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()

If device_register() fails in cxl_register_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device.

As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_device(), then goes to put dev when register fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()\n\nIf device_register() fails in cxl_register_afu|adapter(), the device\nis not added, device_unregister() can not be called in the error path,\notherwise it will cause a null-ptr-deref because of removing not added\ndevice.\n\nAs comment of device_register() says, it should use put_device() to give\nup the reference in the error path. So split device_unregister() into\ndevice_del() and put_device(), then goes to put dev when register fails.",
  "id": "GHSA-2fm3-57pq-4jp3",
  "modified": "2026-01-23T21:30:37Z",
  "published": "2025-10-04T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50481"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/170e8c2d2b61e15e7f7cfeded81bc1e959a15ed8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ae581696b7a799afa39a664c4b721569643f58a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60b2ed21a65f3f5318666ccd765c3507991370cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61c80d1c3833e196256fb060382db94f24d3d9a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96fba6fb95bdede80583c262ac185da09661f264"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab44c182353be101c3be9465e1d15d42130c53c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b32559ee4e6667c5c3daf4ec5454c277d1f255d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d775a1da5a52b4f4bb02f2707ba420d1bec48dbb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e5021bbf11b024cc65ea1e84c377df484183be4b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FMW-P7GW-97JJ

Vulnerability from github – Published: 2026-02-24 03:30 – Updated: 2026-02-24 03:30
VLAI
Details

A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T02:15:59Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.",
  "id": "GHSA-2fmw-p7gw-97jj",
  "modified": "2026-02-24T03:30:19Z",
  "published": "2026-02-24T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11845"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FPX-8PWQ-8G84

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An authenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-29T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Null pointer dereference vulnerability. An authenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-2fpx-8pwq-8g84",
  "modified": "2022-05-24T19:16:05Z",
  "published": "2022-05-24T19:16:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39849"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb21-55.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2FQV-9F8V-R6J4

Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()

A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could possibly return NULL pointer. NULL Pointer Dereference may be triggerred without addtional check. Add a NULL check for the returned pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()\n\nA devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could\npossibly return NULL pointer. NULL Pointer Dereference may be\ntriggerred without addtional check.\nAdd a NULL check for the returned pointer.",
  "id": "GHSA-2fqv-9f8v-r6j4",
  "modified": "2025-11-04T00:31:54Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03c9c2c2d2d0fe203dfe8f56bedbcf04e303d7c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e235d02d803660777ec911a2c467ae41f8539f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49da1463c9e3d2082276c3e0e2a8b65a88711cd2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/73cc3f905ca9aa95694eea3dfa1acadc90686368"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8e691fe1894c8bdf815a6171ee22ae7da8b18aa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e19bf49e903337641fc230d430d49813e3199902"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FWQ-2WWR-QRWW

Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2024-11-14 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usb: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks.

Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with this driver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom: qmp-usb: fix NULL-deref on runtime suspend\n\nCommit 413db06c05e7 (\"phy: qcom-qmp-usb: clean up probe initialisation\")\nremoved most users of the platform device driver data, but mistakenly\nalso removed the initialisation despite the data still being used in the\nruntime PM callbacks.\n\nRestore the driver data initialisation at probe to avoid a NULL-pointer\ndereference on runtime suspend.\n\nApparently no one uses runtime PM, which currently needs to be enabled\nmanually through sysfs, with this driver.",
  "id": "GHSA-2fwq-2wwr-qrww",
  "modified": "2024-11-14T18:30:32Z",
  "published": "2024-11-09T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50240"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/370814e9d512ba289612c3780890b80bf2605046"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ebde521fbb9a813b993d4436329a3ca0eeb6574"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd9e4d4a3b127686efc60096271b0a44c3100061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G6C-R55G-M734

Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2024-09-03 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: lgdt3306a: Add a check against null-pointer-def

The driver should check whether the client provides the platform_data.

The following log reveals it:

[ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40 [ 29.610730] Read of size 40 at addr 0000000000000000 by task bash/414 [ 29.612820] Call Trace: [ 29.613030] [ 29.613201] dump_stack_lvl+0x56/0x6f [ 29.613496] ? kmemdup+0x30/0x40 [ 29.613754] print_report.cold+0x494/0x6b7 [ 29.614082] ? kmemdup+0x30/0x40 [ 29.614340] kasan_report+0x8a/0x190 [ 29.614628] ? kmemdup+0x30/0x40 [ 29.614888] kasan_check_range+0x14d/0x1d0 [ 29.615213] memcpy+0x20/0x60 [ 29.615454] kmemdup+0x30/0x40 [ 29.615700] lgdt3306a_probe+0x52/0x310 [ 29.616339] i2c_device_probe+0x951/0xa90

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T15:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: lgdt3306a: Add a check against null-pointer-def\n\nThe driver should check whether the client provides the platform_data.\n\nThe following log reveals it:\n\n[   29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40\n[   29.610730] Read of size 40 at addr 0000000000000000 by task bash/414\n[   29.612820] Call Trace:\n[   29.613030]  \u003cTASK\u003e\n[   29.613201]  dump_stack_lvl+0x56/0x6f\n[   29.613496]  ? kmemdup+0x30/0x40\n[   29.613754]  print_report.cold+0x494/0x6b7\n[   29.614082]  ? kmemdup+0x30/0x40\n[   29.614340]  kasan_report+0x8a/0x190\n[   29.614628]  ? kmemdup+0x30/0x40\n[   29.614888]  kasan_check_range+0x14d/0x1d0\n[   29.615213]  memcpy+0x20/0x60\n[   29.615454]  kmemdup+0x30/0x40\n[   29.615700]  lgdt3306a_probe+0x52/0x310\n[   29.616339]  i2c_device_probe+0x951/0xa90",
  "id": "GHSA-2g6c-r55g-m734",
  "modified": "2024-09-03T18:31:31Z",
  "published": "2024-06-25T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48772"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/526238d32c3acc3d597fd8c9a34652bfe9086cea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d12e918f2994c883f41f22552a61b9310fa1e87"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8915dcd29a82096acacf54364a8425363782aea0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e1e00718d0d9dd83337300572561e30b9c0d115"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b479fd59a1f4a342b69fce34f222d93bf791dca4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1115ddbda9c930fba0fdd062e7a8873ebaf898d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d082757b8359201c3864323cea4b91ea30a1e676"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G78-G7C6-X75P

Vulnerability from github – Published: 2025-10-23 12:31 – Updated: 2025-10-23 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

sfc: fix kernel panic when creating VF

When creating VFs a kernel panic can happen when calling to efx_ef10_try_update_nic_stats_vf.

When releasing a DMA coherent buffer, sometimes, I don't know in what specific circumstances, it has to unmap memory with vunmap. It is disallowed to do that in IRQ context or with BH disabled. Otherwise, we hit this line in vunmap, causing the crash: BUG_ON(in_interrupt());

This patch reenables BH to release the buffer.

Log messages when the bug is hit: kernel BUG at mm/vmalloc.c:2727! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1 Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020 RIP: 0010:vunmap+0x2e/0x30 ...skip... Call Trace: __iommu_dma_free+0x96/0x100 efx_nic_free_buffer+0x2b/0x40 [sfc] efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc] efx_ef10_update_stats_vf+0x18/0x40 [sfc] efx_start_all+0x15e/0x1d0 [sfc] efx_net_open+0x5a/0xe0 [sfc] __dev_open+0xe7/0x1a0 __dev_change_flags+0x1d7/0x240 dev_change_flags+0x21/0x60 ...skip...

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix kernel panic when creating VF\n\nWhen creating VFs a kernel panic can happen when calling to\nefx_ef10_try_update_nic_stats_vf.\n\nWhen releasing a DMA coherent buffer, sometimes, I don\u0027t know in what\nspecific circumstances, it has to unmap memory with vunmap. It is\ndisallowed to do that in IRQ context or with BH disabled. Otherwise, we\nhit this line in vunmap, causing the crash:\n  BUG_ON(in_interrupt());\n\nThis patch reenables BH to release the buffer.\n\nLog messages when the bug is hit:\n kernel BUG at mm/vmalloc.c:2727!\n invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G          I      --------- ---  5.14.0-119.el9.x86_64 #1\n Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020\n RIP: 0010:vunmap+0x2e/0x30\n ...skip...\n Call Trace:\n  __iommu_dma_free+0x96/0x100\n  efx_nic_free_buffer+0x2b/0x40 [sfc]\n  efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc]\n  efx_ef10_update_stats_vf+0x18/0x40 [sfc]\n  efx_start_all+0x15e/0x1d0 [sfc]\n  efx_net_open+0x5a/0xe0 [sfc]\n  __dev_open+0xe7/0x1a0\n  __dev_change_flags+0x1d7/0x240\n  dev_change_flags+0x21/0x60\n  ...skip...",
  "id": "GHSA-2g78-g7c6-x75p",
  "modified": "2025-10-23T12:31:16Z",
  "published": "2025-10-23T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49625"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16662524ec5da801fb78a1afcaf6e782f1cf103a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68e5f32f0de9594629ff9e599294d9801c6187de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/82bcb730f856086f033e6c04082eb4503d4c2fa4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ada74c5539eba06cf8b47d068f92e0b3963a9a6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b82e4ad58a7fb72456503958a93060f87896e629"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9072305270579a9d6afc9b926166231e5b1a7c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9840212a9c00507347c703f4fdeda16400407e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da346adcf5573fd8663cabfdfe8371009629a906"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G84-5882-FHCM

Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-04-15 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

acpi: Fix suspend with Xen PV

Commit f1e525009493 ("x86/boot: Skip realmode init code when running as Xen PV guest") missed one code path accessing real_mode_header, leading to dereferencing NULL when suspending the system under Xen:

[  348.284004] PM: suspend entry (deep)
[  348.289532] Filesystems sync: 0.005 seconds
[  348.291545] Freezing user space processes ... (elapsed 0.000 seconds) done.
[  348.292457] OOM killer disabled.
[  348.292462] Freezing remaining freezable tasks ... (elapsed 0.104 seconds) done.
[  348.396612] printk: Suspending console(s) (use no_console_suspend to debug)
[  348.749228] PM: suspend devices took 0.352 seconds
[  348.769713] ACPI: EC: interrupt blocked
[  348.816077] BUG: kernel NULL pointer dereference, address: 000000000000001c
[  348.816080] #PF: supervisor read access in kernel mode
[  348.816081] #PF: error_code(0x0000) - not-present page
[  348.816083] PGD 0 P4D 0
[  348.816086] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  348.816089] CPU: 0 PID: 6764 Comm: systemd-sleep Not tainted 6.1.3-1.fc32.qubes.x86_64 #1
[  348.816092] Hardware name: Star Labs StarBook/StarBook, BIOS 8.01 07/03/2022
[  348.816093] RIP: e030:acpi_get_wakeup_address+0xc/0x20

Fix that by adding an optional acpi callback allowing to skip setting the wakeup address, as in the Xen PV case this will be handled by the hypervisor anyway.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T17:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: Fix suspend with Xen PV\n\nCommit f1e525009493 (\"x86/boot: Skip realmode init code when running as\nXen PV guest\") missed one code path accessing real_mode_header, leading\nto dereferencing NULL when suspending the system under Xen:\n\n    [  348.284004] PM: suspend entry (deep)\n    [  348.289532] Filesystems sync: 0.005 seconds\n    [  348.291545] Freezing user space processes ... (elapsed 0.000 seconds) done.\n    [  348.292457] OOM killer disabled.\n    [  348.292462] Freezing remaining freezable tasks ... (elapsed 0.104 seconds) done.\n    [  348.396612] printk: Suspending console(s) (use no_console_suspend to debug)\n    [  348.749228] PM: suspend devices took 0.352 seconds\n    [  348.769713] ACPI: EC: interrupt blocked\n    [  348.816077] BUG: kernel NULL pointer dereference, address: 000000000000001c\n    [  348.816080] #PF: supervisor read access in kernel mode\n    [  348.816081] #PF: error_code(0x0000) - not-present page\n    [  348.816083] PGD 0 P4D 0\n    [  348.816086] Oops: 0000 [#1] PREEMPT SMP NOPTI\n    [  348.816089] CPU: 0 PID: 6764 Comm: systemd-sleep Not tainted 6.1.3-1.fc32.qubes.x86_64 #1\n    [  348.816092] Hardware name: Star Labs StarBook/StarBook, BIOS 8.01 07/03/2022\n    [  348.816093] RIP: e030:acpi_get_wakeup_address+0xc/0x20\n\nFix that by adding an optional acpi callback allowing to skip setting\nthe wakeup address, as in the Xen PV case this will be handled by the\nhypervisor anyway.",
  "id": "GHSA-2g84-5882-fhcm",
  "modified": "2025-04-15T15:30:52Z",
  "published": "2025-03-27T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52994"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b96903b7fc8c82ddfd92df4cdd83db3e567da0a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe0ba8c23f9a35b0307eb662f16dd3a75fcdae41"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G8F-3MWG-X245

Vulnerability from github – Published: 2025-01-19 12:31 – Updated: 2025-10-01 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: sysctl: sched: avoid using current->nsproxy

Using the 'net' structure via 'current' is not recommended for different reasons.

First, if the goal is to use it to read or write per-netns data, this is inconsistent with how the "generic" sysctl entries are doing: directly by only using pointers set to the table entry, e.g. table->data. Linked to that, the per-netns data should always be obtained from the table linked to the netns it had been created for, which may not coincide with the reader's or writer's netns.

Another reason is that access to current->nsproxy->netns can oops if attempted when current->nsproxy had been dropped when the current task is exiting. This is what syzbot found, when using acct(2):

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 RSP: 0018:ffffc900034774e8 EFLAGS: 00010206

RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601 __kernel_write_iter+0x318/0xa80 fs/read_write.c:612 __kernel_write+0xf6/0x140 fs/read_write.c:632 do_acct_process+0xcb0/0x14a0 kernel/acct.c:539 acct_pin_kill+0x2d/0x100 kernel/acct.c:192 pin_kill+0x194/0x7c0 fs/fs_pin.c:44 mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81 cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366 task_work_run+0x14e/0x250 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 get_signal+0x2576/0x2610 kernel/signal.c:3017 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fee3cb87a6a Code: Unable to access opcode bytes at 0x7fee3cb87a40. RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037 RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7 R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500 R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-19T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: sysctl: sched: avoid using current-\u003ensproxy\n\nUsing the \u0027net\u0027 structure via \u0027current\u0027 is not recommended for different\nreasons.\n\nFirst, if the goal is to use it to read or write per-netns data, this is\ninconsistent with how the \"generic\" sysctl entries are doing: directly\nby only using pointers set to the table entry, e.g. table-\u003edata. Linked\nto that, the per-netns data should always be obtained from the table\nlinked to the netns it had been created for, which may not coincide with\nthe reader\u0027s or writer\u0027s netns.\n\nAnother reason is that access to current-\u003ensproxy-\u003enetns can oops if\nattempted when current-\u003ensproxy had been dropped when the current task\nis exiting. This is what syzbot found, when using acct(2):\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI\n  KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n  CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125\n  Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00\n  RSP: 0018:ffffc900034774e8 EFLAGS: 00010206\n\n  RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620\n  RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028\n  RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040\n  R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000\n  R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000\n  FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601\n   __kernel_write_iter+0x318/0xa80 fs/read_write.c:612\n   __kernel_write+0xf6/0x140 fs/read_write.c:632\n   do_acct_process+0xcb0/0x14a0 kernel/acct.c:539\n   acct_pin_kill+0x2d/0x100 kernel/acct.c:192\n   pin_kill+0x194/0x7c0 fs/fs_pin.c:44\n   mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81\n   cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366\n   task_work_run+0x14e/0x250 kernel/task_work.c:239\n   exit_task_work include/linux/task_work.h:43 [inline]\n   do_exit+0xad8/0x2d70 kernel/exit.c:938\n   do_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n   get_signal+0x2576/0x2610 kernel/signal.c:3017\n   arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337\n   exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n   syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218\n   do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7fee3cb87a6a\n  Code: Unable to access opcode bytes at 0x7fee3cb87a40.\n  RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037\n  RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a\n  RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003\n  RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7\n  R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500\n  R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000\n   \u003c/TASK\u003e\n  Modules linked in:\n  ---[ end trace 0000000000000000 ]---\n  RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125\n  Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc\n---truncated---",
  "id": "GHSA-2g8f-3mwg-x245",
  "modified": "2025-10-01T21:30:49Z",
  "published": "2025-01-19T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21642"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6035702381c35a8f16757332381e58b348a9eaf9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0e394fd6b887e84da17e38aaa6c1c104f9c86c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d38e26e36206ae3d544d496513212ae931d1da0a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.