Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-J9P8-CC5Q-CG54

Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-04 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize

Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than the calculated "min" value, but greater than zero, the logic sets tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in cdc_ncm_fill_tx_frame() where all the data is handled.

For small values of dwNtbOutMaxSize the memory allocated during alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to how size is aligned at alloc time: size = SKB_DATA_ALIGN(size); size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); Thus we hit the same bug that we tried to squash with commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")

Low values of dwNtbOutMaxSize do not cause an issue presently because at alloc_skb() time more memory (512b) is allocated than required for the SKB headers alone (320b), leaving some space (512b - 320b = 192b) for CDC data (172b).

However, if more elements (for example 3 x u64 = [24b]) were added to one of the SKB header structs, say 'struct skb_shared_info', increasing its original size (320b [320b aligned]) to something larger (344b [384b aligned]), then suddenly the CDC data (172b) no longer fits in the spare SKB data area (512b - 384b = 128b).

Consequently the SKB bounds checking semantics fails and panics:

skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:113! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic net/core/skbuff.c:113 [inline] RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118 [snip] Call Trace: skb_put+0x151/0x210 net/core/skbuff.c:2047 skb_put_zero include/linux/skbuff.h:2422 [inline] cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline] cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308 cdc_ncm_tx_fixup+0xa3/0x100

Deal with too low values of dwNtbOutMaxSize, clamp it in the range [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure enough data space is allocated to handle CDC data by making sure dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:50Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n        size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say \u0027struct skb_shared_info\u0027,\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:\u003cNULL\u003e\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n \u003cTASK\u003e\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.",
  "id": "GHSA-j9p8-cc5q-cg54",
  "modified": "2026-02-04T00:30:28Z",
  "published": "2025-10-07T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53667"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2334ff0b343ba6ba7a6c0586fcc83992bbbc1776"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42b78c8cc774b47023d6d16d96d54cc7015e4a07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6147745d43ff4e0d2c542e5b93e398ef0ee4db00"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72d0240b0ee4794efc683975c213e4b384fea733"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e01c7f7046efc2c7c192c3619db43292b98e997"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9be921854e983a81a0aeeae5febcd87093086e46"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf415bfe7573596ac213b4fd1da9e62cfc9a9413"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff484163dfb61b58f23e4dbd007de1094427669c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9PP-7WFG-Q7FJ

Vulnerability from github – Published: 2026-07-01 17:40 – Updated: 2026-07-01 17:40
VLAI
Summary
Open Babel has NULL pointer dereference in ChemKinFormat::ReadReactionQualifierLines
Details

Summary

A memory-safety vulnerability in Open Babel's ChemKin parser caused a NULL pointer dereference when reading a crafted input file.

Details

The flaw was in ChemKinFormat::ReadReactionQualifierLines. A malformed reaction qualifier record caused the parser to dereference a NULL pointer.

Impact

Open Babel is a C++ library and CLI used to read and write chemistry file formats; it is shipped by Linux distributions and embedded in services that may parse untrusted input. Triggering this vulnerability requires the victim to open a malicious ChemKin file with the obabel tool, the OBConversion API, or any of the language bindings (Python, Ruby, Java, R, Perl, C#, PHP).

Affected versions

All releases up to and including 3.1.1.

Patched version

3.2.0 (released 2026-05-26).

Patch

Fix commit: https://github.com/openbabel/openbabel/commit/af4a4212 Originally reported as #2829; fixes consolidated in #2913.

A minimized reproducer for this CVE is checked in under test/files/fuzz_regress/ and is exercised on every CI build under ASAN+UBSAN by the fuzzregresstest harness.

Credit

Reported via OSS-Fuzz.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openbabel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-10998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T17:40:09Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s ChemKin parser caused\na NULL pointer dereference when reading a crafted input file.\n\n### Details\n\nThe flaw was in `ChemKinFormat::ReadReactionQualifierLines`. A\nmalformed reaction qualifier record caused the parser to dereference\na NULL pointer.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious ChemKin file with the\n`obabel` tool, the `OBConversion` API, or any of the language\nbindings (Python, Ruby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/af4a4212\nOriginally reported as #2829; fixes consolidated in #2913.\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported via OSS-Fuzz.",
  "id": "GHSA-j9pp-7wfg-q7fj",
  "modified": "2026-07-01T17:40:09Z",
  "published": "2026-07-01T17:40:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-j9pp-7wfg-q7fj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10998"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/issues/2829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/commit/af4a4212"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbabel/openbabel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/22318526/poc.zip"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325926"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325926"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.654063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Open Babel has NULL pointer dereference in ChemKinFormat::ReadReactionQualifierLines"
}

GHSA-J9Q9-W9X6-QG3M

Vulnerability from github – Published: 2025-03-14 00:30 – Updated: 2025-03-14 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()

It will cause null-ptr-deref when using 'res', if platform_get_resource() returns NULL, so move using 'res' after devm_ioremap_resource() that will check it to avoid null-ptr-deref. And use devm_platform_get_and_ioremap_resource() to simplify code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()\n\nIt will cause null-ptr-deref when using \u0027res\u0027, if platform_get_resource()\nreturns NULL, so move using \u0027res\u0027 after devm_ioremap_resource() that\nwill check it to avoid null-ptr-deref.\nAnd use devm_platform_get_and_ioremap_resource() to simplify code.",
  "id": "GHSA-j9q9-w9x6-qg3m",
  "modified": "2025-03-14T00:30:51Z",
  "published": "2025-03-14T00:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49323"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3660db29b0305f9a1d95979c7af0f5db6ea99f5d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/449fc4561762ad9ad85362d5f01f0d0df397457a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80776a71340f57d6a4952635fc89f0342072f3ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98dd53a92825747395649f54d23512a13c3ed471"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9ed8af1dee37f181096631fb03729ece98ba816"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9QG-FC9X-6R3R

Vulnerability from github – Published: 2022-01-26 00:00 – Updated: 2022-03-17 00:06
VLAI
Details

A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The self pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-25T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it\u0027s not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node.",
  "id": "GHSA-j9qg-fc9x-6r3r",
  "modified": "2022-03-17T00:06:13Z",
  "published": "2022-01-26T00:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4145"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034602"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/qemu-project/qemu/-/commit/66fed30c9cd11854fc878a4eceb507e915d7c9cd"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-27"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220311-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9XF-8J9Q-6CVR

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null

Fixes a NULL pointer derefence bug triggered from tap driver. When tap_get_user calls virtio_net_hdr_to_skb the skb->dev is null (in tap.c skb->dev is set after the call to virtio_net_hdr_to_skb) virtio_net_hdr_to_skb calls dev_parse_header_protocol which needs skb->dev field to be valid.

The line that trigers the bug is in dev_parse_header_protocol (dev is at offset 0x10 from skb and is stored in RAX register) if (!dev->header_ops || !dev->header_ops->parse_protocol) 22e1: mov 0x10(%rbx),%rax 22e5: mov 0x230(%rax),%rax

Setting skb->dev before the call in tap.c fixes the issue.

BUG: kernel NULL pointer dereference, address: 0000000000000230 RIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap] Code: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 <48> 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48 RSP: 0018:ffffc90005c27c38 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010 RDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300 RBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8 R10: ffff88858ec77458 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6 FS: 0000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0 Call Trace: tap_get_user+0x3f1/0x540 [tap] tap_sendmsg+0x56/0x362 [tap] ? get_tx_bufs+0xc2/0x1e0 [vhost_net] handle_tx_copy+0x114/0x670 [vhost_net] handle_tx+0xb0/0xe0 [vhost_net] handle_tx_kick+0x15/0x20 [vhost_net] vhost_worker+0x7b/0xc0 [vhost] ? vhost_vring_call_reset+0x40/0x40 [vhost] kthread+0xfa/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tap: NULL pointer derefence in dev_parse_header_protocol when skb-\u003edev is null\n\nFixes a NULL pointer derefence bug triggered from tap driver.\nWhen tap_get_user calls virtio_net_hdr_to_skb the skb-\u003edev is null\n(in tap.c skb-\u003edev is set after the call to virtio_net_hdr_to_skb)\nvirtio_net_hdr_to_skb calls dev_parse_header_protocol which\nneeds skb-\u003edev field to be valid.\n\nThe line that trigers the bug is in dev_parse_header_protocol\n(dev is at offset 0x10 from skb and is stored in RAX register)\n  if (!dev-\u003eheader_ops || !dev-\u003eheader_ops-\u003eparse_protocol)\n  22e1:   mov    0x10(%rbx),%rax\n  22e5:\t  mov    0x230(%rax),%rax\n\nSetting skb-\u003edev before the call in tap.c fixes the issue.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000230\nRIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap]\nCode: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 \u003c48\u003e 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48\nRSP: 0018:ffffc90005c27c38 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010\nRDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300\nRBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8\nR10: ffff88858ec77458 R11: 0000000000000000 R12: 0000000000000001\nR13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6\nFS:  0000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0\nCall Trace:\n tap_get_user+0x3f1/0x540 [tap]\n tap_sendmsg+0x56/0x362 [tap]\n ? get_tx_bufs+0xc2/0x1e0 [vhost_net]\n handle_tx_copy+0x114/0x670 [vhost_net]\n handle_tx+0xb0/0xe0 [vhost_net]\n handle_tx_kick+0x15/0x20 [vhost_net]\n vhost_worker+0x7b/0xc0 [vhost]\n ? vhost_vring_call_reset+0x40/0x40 [vhost]\n kthread+0xfa/0x120\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30",
  "id": "GHSA-j9xf-8j9q-6cvr",
  "modified": "2026-06-01T18:31:20Z",
  "published": "2025-06-18T12:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50073"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/447ba770cfe798925f4923548b367fd49f0ee5f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f61f133f354853bc394ec7d6028adb9b02dd701"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f90163f9e013c8fc791aab338aab44a46044cfc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd29648fcf69339713f2d25f7014ae905dcdfc18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC3Q-V54H-R8HH

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2026-03-25 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: drop redundant sched job cleanup when cs is aborted

Once command submission failed due to userptr invalidation in amdgpu_cs_submit, legacy code will perform cleanup of scheduler job. However, it's not needed at all, as former commit has integrated job cleanup stuff into amdgpu_job_free. Otherwise, because of double free, a NULL pointer dereference will occur in such scenario.

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2457

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:49Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: drop redundant sched job cleanup when cs is aborted\n\nOnce command submission failed due to userptr invalidation in\namdgpu_cs_submit, legacy code will perform cleanup of scheduler\njob. However, it\u0027s not needed at all, as former commit has integrated\njob cleanup stuff into amdgpu_job_free. Otherwise, because of double\nfree, a NULL pointer dereference will occur in such scenario.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/2457",
  "id": "GHSA-jc3q-v54h-r8hh",
  "modified": "2026-03-25T12:30:18Z",
  "published": "2025-09-15T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53228"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1253685f0d3eb3eab0bfc4bf15ab341a5f3da0c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1564d4b105ae535eb3183ecaaa987685b20a888"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cdce1644d85e858c68fb5fa67d78eb1035bf34f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec02a29c3c2ef8ad3e15a0e3f96b99a00e5d97b4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCCX-FVX2-CQJJ

Vulnerability from github – Published: 2024-01-03 09:30 – Updated: 2025-11-04 00:30
VLAI
Details

IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-03T08:15:10Z",
    "severity": "HIGH"
  },
  "details": "IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-jccx-fvx2-cqjj",
  "modified": "2025-11-04T00:30:42Z",
  "published": "2024-01-03T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0209"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/19501"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2024-02.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCM6-3979-RVMM

Vulnerability from github – Published: 2022-05-14 03:55 – Updated: 2025-04-20 03:34
VLAI
Details

The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-28T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690.",
  "id": "GHSA-jcm6-3979-rvmm",
  "modified": "2025-04-20T03:34:57Z",
  "published": "2022-05-14T03:55:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1208"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1385499"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGI2FZQLOTSZI3VA4ECJERI74SMNQDL4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EGI2FZQLOTSZI3VA4ECJERI74SMNQDL4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/10/23/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/10/23/9"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93834"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCMJ-4VM7-4478

Vulnerability from github – Published: 2025-10-01 09:30 – Updated: 2025-12-12 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: remove oem i2c adapter on finish

Fixes a bug where unbinding of the GPU would leave the oem i2c adapter registered resulting in a null pointer dereference when applications try to access the invalid device.

(cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T08:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: remove oem i2c adapter on finish\n\nFixes a bug where unbinding of the GPU would leave the oem i2c adapter\nregistered resulting in a null pointer dereference when applications try\nto access the invalid device.\n\n(cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)",
  "id": "GHSA-jcmj-4vm7-4478",
  "modified": "2025-12-12T18:30:28Z",
  "published": "2025-10-01T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39906"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1dfd2864a1c4909147663e5a27c055f50f7c2796"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c686124bcf06253620790857ff462f00f3f7a4ab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCX5-2HXR-PWQ4

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: int3472: Check for adev == NULL

Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs.

Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T03:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Check for adev == NULL\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL. This\ncan e.g. (theoretically) happen when a user manually binds one of\nthe int3472 drivers to another i2c/platform device through sysfs.\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
  "id": "GHSA-jcx5-2hxr-pwq4",
  "modified": "2026-07-14T15:31:17Z",
  "published": "2025-02-27T03:34:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58011"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a30353beca2693d30bde477024d755ffecea514"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46263a0b687a044e645387a9c7692ccd693f09f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f8b210823cc2d1f9d967f089a6c00d025bb237f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a808ecf878ad646ebc9c83d9fc4ce72fd9c49d3d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9c7cc44758f4930b41285a6d54afa8cbd9762b4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.