CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-2J25-8CWQ-VGVC
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-24 21:30In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Fix NULL dereference in avx512_status()
Problem
With CONFIG_X86_DEBUG_FPU enabled, reading /proc/[kthread]/arch_status causes a warning and a NULL pointer dereference.
This is because the AVX-512 timestamp code uses x86_task_fpu() but doesn't check it for NULL. CONFIG_X86_DEBUG_FPU addles that function for kernel threads (PF_KTHREAD specifically), making it return NULL.
The point of the warning was to ensure that kernel threads only access task->fpu after going through kernel_fpu_begin()/_end(). Note: all kernel tasks exposed in /proc have a valid task->fpu.
Solution
One option is to silence the warning and check for NULL from x86_task_fpu(). However, that warning is fairly fresh and seems like a defense against misuse of the FPU state in kernel threads.
Instead, stop outputting AVX-512_elapsed_ms for kernel threads altogether. The data was garbage anyway because avx512_timestamp is only updated for user threads, not kernel threads.
If anyone ever wants to track kernel thread AVX-512 use, they can come back later and do it properly, separate from this bug fix.
[ dhansen: mostly rewrite changelog ]
{
"affected": [],
"aliases": [
"CVE-2025-38689"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Fix NULL dereference in avx512_status()\n\nProblem\n-------\nWith CONFIG_X86_DEBUG_FPU enabled, reading /proc/[kthread]/arch_status\ncauses a warning and a NULL pointer dereference.\n\nThis is because the AVX-512 timestamp code uses x86_task_fpu() but\ndoesn\u0027t check it for NULL. CONFIG_X86_DEBUG_FPU addles that function\nfor kernel threads (PF_KTHREAD specifically), making it return NULL.\n\nThe point of the warning was to ensure that kernel threads only access\ntask-\u003efpu after going through kernel_fpu_begin()/_end(). Note: all\nkernel tasks exposed in /proc have a valid task-\u003efpu.\n\nSolution\n--------\nOne option is to silence the warning and check for NULL from\nx86_task_fpu(). However, that warning is fairly fresh and seems like a\ndefense against misuse of the FPU state in kernel threads.\n\nInstead, stop outputting AVX-512_elapsed_ms for kernel threads\naltogether. The data was garbage anyway because avx512_timestamp is\nonly updated for user threads, not kernel threads.\n\nIf anyone ever wants to track kernel thread AVX-512 use, they can come\nback later and do it properly, separate from this bug fix.\n\n[ dhansen: mostly rewrite changelog ]",
"id": "GHSA-2j25-8cwq-vgvc",
"modified": "2025-11-24T21:30:56Z",
"published": "2025-09-05T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38689"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ca887e81095b99d890a8878841f36f4920181e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31cd31c9e17ece125aad27259501a2af69ccb020"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J3V-48PV-MVCJ
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
s390/dasd: protect device queue against concurrent access
In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses.
Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path.
{
"affected": [],
"aliases": [
"CVE-2023-52774"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: protect device queue against concurrent access\n\nIn dasd_profile_start() the amount of requests on the device queue are\ncounted. The access to the device queue is unprotected against\nconcurrent access. With a lot of parallel I/O, especially with alias\ndevices enabled, the device queue can change while dasd_profile_start()\nis accessing the queue. In the worst case this leads to a kernel panic\ndue to incorrect pointer accesses.\n\nFix this by taking the device lock before accessing the queue and\ncounting the requests. Additionally the check for a valid profile data\npointer can be done earlier to avoid unnecessary locking in a hot path.",
"id": "GHSA-2j3v-48pv-mvcj",
"modified": "2025-09-23T21:30:53Z",
"published": "2024-05-21T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52774"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6062c527d0403cef27c54b91ac8390c3a497b250"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9372aab5d0ff621ea203c8c603e7e5f75e888240"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c841de6247e94e07566d57163d3c0d8b29278f7a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db46cd1e0426f52999d50fa72cfa97fa39952885"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc96fde8fcb2b896fd6c64802a7f4ece2e69b0be"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ebdc569a07a3e8dbe66b4184922ad6f88ac0b96f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1ac7789406e2ca9ac51c41ad2daa597f47bdd4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f75617cc8df4155374132f0b500b0b3ebb967458"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J79-5JHX-WG65
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2023-10-24 18:30The find_color_or_error function in gifsicle 1.92 contains a NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2020-19752"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-07T20:15:00Z",
"severity": "HIGH"
},
"details": "The find_color_or_error function in gifsicle 1.92 contains a NULL pointer dereference.",
"id": "GHSA-2j79-5jhx-wg65",
"modified": "2023-10-24T18:30:22Z",
"published": "2022-05-24T19:13:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19752"
},
{
"type": "WEB",
"url": "https://github.com/kohler/gifsicle/issues/140"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7H3ASG2BD4D4SAUUI6TOLUZYP2QYYHXY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DH7X7PGUN5BYXKW533DAX4KAEM4HPMJC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J82-CF92-X9QH
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function.
However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer.
To resolve this issue, it is necessary to pass the address of a stub variable to the function.
{
"affected": [],
"aliases": [
"CVE-2026-23084"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list\n\nWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is\nset to false, the driver may request the PMAC_ID from the firmware of the\nnetwork card, and this function will store that PMAC_ID at the provided\naddress pmac_id. This is the contract of this function.\n\nHowever, there is a location within the driver where both\npmac_id_valid == false and pmac_id == NULL are being passed. This could\nresult in dereferencing a NULL pointer.\n\nTo resolve this issue, it is necessary to pass the address of a stub\nvariable to the function.",
"id": "GHSA-2j82-cf92-x9qh",
"modified": "2026-07-14T15:31:39Z",
"published": "2026-02-04T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23084"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J82-GGVF-VJMX
Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-22 18:30In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix dereference of stale list iterator after loop body
The list iterator variable will be a bogus pointer if no break was hit. Dereferencing it (cur->page in this case) could load an out-of-bounds/undefined value making it unsafe to use that in the comparision to determine if the specific element was found.
Since 'cur->page' can be out-ouf-bounds it cannot be guaranteed that by chance (or intention of an attacker) it matches the value of 'page' even though the correct element was not found.
This is fixed by using a separate list iterator variable for the loop and only setting the original variable if a suitable element was found. Then determing if the element was found is simply checking if the variable is set.
{
"affected": [],
"aliases": [
"CVE-2022-49425"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix dereference of stale list iterator after loop body\n\nThe list iterator variable will be a bogus pointer if no break was hit.\nDereferencing it (cur-\u003epage in this case) could load an out-of-bounds/undefined\nvalue making it unsafe to use that in the comparision to determine if the\nspecific element was found.\n\nSince \u0027cur-\u003epage\u0027 *can* be out-ouf-bounds it cannot be guaranteed that\nby chance (or intention of an attacker) it matches the value of \u0027page\u0027\neven though the correct element was not found.\n\nThis is fixed by using a separate list iterator variable for the loop\nand only setting the original variable if a suitable element was found.\nThen determing if the element was found is simply checking if the\nvariable is set.",
"id": "GHSA-2j82-ggvf-vjmx",
"modified": "2025-10-22T18:30:30Z",
"published": "2025-10-22T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49425"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2aaf51dd39afb6d01d13f1e6fe20b684733b37d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/385edd3ce5b4b1e9d31f474a5e35a39779ec1110"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45b2b7d7108ae1e25a5036cab04ab9273e792332"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51d584704d18e60fa473823654f35611c777b291"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e47a7add3dda7f236548c5ec3017776dc2a729f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b26e1c777890e4b938136deb8ec07a29f33862e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed7efc472c00986dcd6903ab6ed165c7fa167674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J8H-RQ7H-37CQ
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw()
cpufreq_cpu_get_raw() may return NULL if the cpu is not in policy->cpus cpu mask and it will cause null pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2024-53231"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T14:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw()\n\ncpufreq_cpu_get_raw() may return NULL if the cpu is not in\npolicy-\u003ecpus cpu mask and it will cause null pointer dereference.",
"id": "GHSA-2j8h-rq7h-37cq",
"modified": "2025-11-03T21:31:50Z",
"published": "2024-12-27T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53231"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65fe2f7fdafe2698a343661800434b3f2e51041e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a357b63fd21e4b2791008c2175ba7a8c235ebce1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a78e7207564258db6e373e86294a85f9d646d35a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e07570a8f2cfc51260c6266cb8e1bd4777a610d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9b39f1924b76abc18881e4ce899fb232dd23d12"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JFJ-PQMF-3WQ3
Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: return EIO on RAID1 block group write pointer mismatch
There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks.
The stack trace has the following signature:
BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001 RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410 RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000 R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000 FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0 Call Trace: ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15c/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 btrfs_add_free_space_async_trimmed+0x34/0x40 btrfs_add_new_free_space+0x107/0x120 btrfs_make_block_group+0x104/0x2b0 btrfs_create_chunk+0x977/0xf20 btrfs_chunk_alloc+0x174/0x510 ? srso_return_thunk+0x5/0x5f btrfs_inc_block_group_ro+0x1b1/0x230 btrfs_relocate_block_group+0x9e/0x410 btrfs_relocate_chunk+0x3f/0x130 btrfs_balance+0x8ac/0x12b0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? __kmalloc_cache_noprof+0x14c/0x3e0 btrfs_ioctl+0x2686/0x2a80 ? srso_return_thunk+0x5/0x5f ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x82/0x160 ? srso_return_thunk+0x5/0x5f ? __memcg_slab_free_hook+0x11a/0x170 ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x3f0/0x450 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? sysfs_emit+0xaf/0xc0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? seq_read_iter+0x207/0x460 ? srso_return_thunk+0x5/0x5f ? vfs_read+0x29c/0x370 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? srso_return_thunk+0x5/0x5f ? exc_page_fault+0x7e/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdab1e0ca6d RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003 RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001 CR2: 0000000000000058 ---[ end trace 0000000000000000 ]---
The 1st line is the most interesting here:
BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile
When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems.
But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_ ---truncated---
{
"affected": [],
"aliases": [
"CVE-2025-37827"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-08T07:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: return EIO on RAID1 block group write pointer mismatch\n\nThere was a bug report about a NULL pointer dereference in\n__btrfs_add_free_space_zoned() that ultimately happens because a\nconversion from the default metadata profile DUP to a RAID1 profile on two\ndisks.\n\nThe stack trace has the following signature:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001\n RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410\n RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000\n R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000\n FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15c/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n btrfs_add_free_space_async_trimmed+0x34/0x40\n btrfs_add_new_free_space+0x107/0x120\n btrfs_make_block_group+0x104/0x2b0\n btrfs_create_chunk+0x977/0xf20\n btrfs_chunk_alloc+0x174/0x510\n ? srso_return_thunk+0x5/0x5f\n btrfs_inc_block_group_ro+0x1b1/0x230\n btrfs_relocate_block_group+0x9e/0x410\n btrfs_relocate_chunk+0x3f/0x130\n btrfs_balance+0x8ac/0x12b0\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? __kmalloc_cache_noprof+0x14c/0x3e0\n btrfs_ioctl+0x2686/0x2a80\n ? srso_return_thunk+0x5/0x5f\n ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120\n __x64_sys_ioctl+0x97/0xc0\n do_syscall_64+0x82/0x160\n ? srso_return_thunk+0x5/0x5f\n ? __memcg_slab_free_hook+0x11a/0x170\n ? srso_return_thunk+0x5/0x5f\n ? kmem_cache_free+0x3f0/0x450\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? syscall_exit_to_user_mode+0x10/0x210\n ? srso_return_thunk+0x5/0x5f\n ? do_syscall_64+0x8e/0x160\n ? sysfs_emit+0xaf/0xc0\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? seq_read_iter+0x207/0x460\n ? srso_return_thunk+0x5/0x5f\n ? vfs_read+0x29c/0x370\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? syscall_exit_to_user_mode+0x10/0x210\n ? srso_return_thunk+0x5/0x5f\n ? do_syscall_64+0x8e/0x160\n ? srso_return_thunk+0x5/0x5f\n ? exc_page_fault+0x7e/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fdab1e0ca6d\n RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d\n RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003\n RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001\n \u003c/TASK\u003e\n CR2: 0000000000000058\n ---[ end trace 0000000000000000 ]---\n\nThe 1st line is the most interesting here:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n\nWhen a RAID1 block-group is created and a write pointer mismatch between\nthe disks in the RAID set is detected, btrfs sets the alloc_offset to the\nlength of the block group marking it as full. Afterwards the code expects\nthat a balance operation will evacuate the data in this block-group and\nrepair the problems.\n\nBut before this is possible, the new space of this block-group will be\naccounted in the free space cache. But in __btrfs_\n---truncated---",
"id": "GHSA-2jfj-pqmf-3wq3",
"modified": "2025-11-12T21:31:02Z",
"published": "2025-05-08T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37827"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a447f748f6c7287dad68fa91913cd382fa0fcc8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b0c26f47992672661340dd6ea931240213016609"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4717a02cc422cf4bb2dbb280b154a1ae65c5f84"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JRX-VP4G-6WGJ
Vulnerability from github – Published: 2025-06-06 18:30 – Updated: 2025-06-18 18:30A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
{
"affected": [],
"aliases": [
"CVE-2025-29877"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T16:15:25Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.4847 and later",
"id": "GHSA-2jrx-vp4g-6wgj",
"modified": "2025-06-18T18:30:32Z",
"published": "2025-06-06T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29877"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2JV6-V65M-QJX7
Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2024-12-23 15:30In the Linux kernel, the following vulnerability has been resolved:
powercap: intel_rapl: Fix a NULL pointer dereference
A NULL pointer dereference is triggered when probing the MMIO RAPL driver on platforms with CPU ID not listed in intel_rapl_common CPU model list.
This is because the intel_rapl_common module still probes on such platforms even if 'defaults_msr' is not set after commit 1488ac990ac8 ("powercap: intel_rapl: Allow probing without CPUID match"). Thus the MMIO RAPL rp->priv->defaults is NULL when registering to RAPL framework.
Fix the problem by adding sanity check to ensure rp->priv->rapl_defaults is always valid.
{
"affected": [],
"aliases": [
"CVE-2024-26975"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T06:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: Fix a NULL pointer dereference\n\nA NULL pointer dereference is triggered when probing the MMIO RAPL\ndriver on platforms with CPU ID not listed in intel_rapl_common CPU\nmodel list.\n\nThis is because the intel_rapl_common module still probes on such\nplatforms even if \u0027defaults_msr\u0027 is not set after commit 1488ac990ac8\n(\"powercap: intel_rapl: Allow probing without CPUID match\"). Thus the\nMMIO RAPL rp-\u003epriv-\u003edefaults is NULL when registering to RAPL framework.\n\nFix the problem by adding sanity check to ensure rp-\u003epriv-\u003erapl_defaults\nis always valid.",
"id": "GHSA-2jv6-v65m-qjx7",
"modified": "2024-12-23T15:30:46Z",
"published": "2024-05-01T06:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26975"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0641908b906a133f1494c312a71f9fecbe2b6c78"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d1f5006ff95770da502f8cee2a224a1ff83866e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f73cf2ae5e0f4e629db5be3a4380ff7807148e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b254feb249981b66ccdb1dae54e757789a15ba1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JXQ-CXCR-QQCJ
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2025-04-20 03:33The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted ZIP file.
{
"affected": [],
"aliases": [
"CVE-2017-5979"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-01T15:59:00Z",
"severity": "MODERATE"
},
"details": "The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted ZIP file.",
"id": "GHSA-2jxq-cxcr-qqcj",
"modified": "2025-04-20T03:33:29Z",
"published": "2022-05-17T00:26:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5979"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3878"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.