CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6309 vulnerabilities reference this CWE, most recent first.
GHSA-M9M2-8MH5-2H2V
Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2025-11-04 00:30In the Linux kernel, the following vulnerability has been resolved:
liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet
In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value, but then it is unconditionally passed to skb_add_rx_frag() which looks strange and could lead to null pointer dereference.
lio_vf_rep_copy_packet() call trace looks like: octeon_droq_process_packets octeon_droq_fast_process_packets octeon_droq_dispatch_pkt octeon_create_recv_info ...search in the dispatch_list... ->disp_fn(rdisp->rinfo, ...) lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...) In this path there is no code which sets pg_info->page to NULL. So this check looks unneeded and doesn't solve potential problem. But I guess the author had reason to add a check and I have no such card and can't do real test. In addition, the code in the function liquidio_push_packet() in liquidio/lio_core.c does exactly the same.
Based on this, I consider the most acceptable compromise solution to adjust this issue by moving skb_add_rx_frag() into conditional scope.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
{
"affected": [],
"aliases": [
"CVE-2024-39506"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-12T13:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nliquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet\n\nIn lio_vf_rep_copy_packet() pg_info-\u003epage is compared to a NULL value,\nbut then it is unconditionally passed to skb_add_rx_frag() which looks\nstrange and could lead to null pointer dereference.\n\nlio_vf_rep_copy_packet() call trace looks like:\n\tocteon_droq_process_packets\n\t octeon_droq_fast_process_packets\n\t octeon_droq_dispatch_pkt\n\t octeon_create_recv_info\n\t ...search in the dispatch_list...\n\t -\u003edisp_fn(rdisp-\u003erinfo, ...)\n\t lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)\nIn this path there is no code which sets pg_info-\u003epage to NULL.\nSo this check looks unneeded and doesn\u0027t solve potential problem.\nBut I guess the author had reason to add a check and I have no such card\nand can\u0027t do real test.\nIn addition, the code in the function liquidio_push_packet() in\nliquidio/lio_core.c does exactly the same.\n\nBased on this, I consider the most acceptable compromise solution to\nadjust this issue by moving skb_add_rx_frag() into conditional scope.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"id": "GHSA-m9m2-8mh5-2h2v",
"modified": "2025-11-04T00:30:52Z",
"published": "2024-07-12T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39506"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87d6bdc006f0cbf297a3b2ad6e40ede4c3ee5dc2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6f4d0ec170a46b5f453cacf55dff5989b42bbfa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a86490a3712cc513113440a606a0e77130abd47c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c44711b78608c98a3e6b49ce91678cd0917d5349"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cbf18d8128a753cb632bef39470d19befd9c7347"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dcc7440f32c7a26b067aff6e7d931ec593024a79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1ab15a09492a5ae8ab1e2c35ba2cf9e150d25ee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd2b613bc4c508e55c1221c6595bb889812a4fea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9M6-WCR9-HH75
Vulnerability from github – Published: 2025-02-19 00:31 – Updated: 2025-11-04 00:32libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.
{
"affected": [],
"aliases": [
"CVE-2025-27113"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-18T23:15:10Z",
"severity": "LOW"
},
"details": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.",
"id": "GHSA-m9m6-wcr9-hh75",
"modified": "2025-11-04T00:32:20Z",
"published": "2025-02-19T00:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250306-0004"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/13"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/4"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/5"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M9MX-49MX-WHCC
Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-28 00:00A CWE-476: NULL Pointer Dereference vulnerability exists that could cause a denial of service of the webserver when parsing JSON content type. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and later), OPC UA Modicon Communication Module (BMENUA0100) (V1.10 and prior)
{
"affected": [],
"aliases": [
"CVE-2022-34761"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-13T21:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-476: NULL Pointer Dereference vulnerability exists that could cause a denial of service of the webserver when parsing JSON content type. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and later), OPC UA Modicon Communication Module (BMENUA0100) (V1.10 and prior)",
"id": "GHSA-m9mx-49mx-whcc",
"modified": "2022-07-28T00:00:38Z",
"published": "2022-07-14T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34761"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-01_OPC_UA_X80_Advanced_RTU_Modicon_Communication_Modules+_Security_Notification.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9P5-M8GG-JGG8
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 18:30In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: fix NULL pointer dereference during unbind race
Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") introduced two stages of synchronization waits totaling 1500ms in uvc_function_unbind() to prevent several types of kernel panics. However, this timing-based approach is insufficient during power management (PM) transitions.
When the PM subsystem starts freezing user space processes, the wait_event_interruptible_timeout() is aborted early, which allows the unbind thread to proceed and nullify the gadget pointer (cdev->gadget = NULL):
[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind() [ 814.178583][ T3173] PM: suspend entry (deep) [ 814.192487][ T3173] Freezing user space processes [ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release
When the PM subsystem resumes or aborts the suspend and tasks are restarted, the V4L2 release path is executed and attempts to access the already nullified gadget pointer, triggering a kernel panic:
[ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake [ 814.386727][ T3173] Restarting tasks ... [ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 [ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4 [ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94 [ 814.404078][ T4558] Call trace: [ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4 [ 814.404083][ T4558] usb_function_deactivate+0x54/0x94 [ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c [ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac [ 814.404095][ T4558] v4l2_release+0xcc/0x130
Address the race condition and NULL pointer dereference by:
-
State Synchronization (flag + mutex) Introduce a 'func_unbound' flag in struct uvc_device. This allows uvc_function_disconnect() to safely skip accessing the nullified cdev->gadget pointer. As suggested by Alan Stern, this flag is protected by a new mutex (uvc->lock) to ensure proper memory ordering and prevent instruction reordering or speculative loads. This mutex is also used to protect 'func_connected' for consistent state management.
-
Explicit Synchronization (completion) Use a completion to synchronize uvc_function_unbind() with the uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by ensuring struct uvc_device is freed after all video device resources are released.
{
"affected": [],
"aliases": [
"CVE-2026-31726"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix NULL pointer dereference during unbind race\n\nCommit b81ac4395bbe (\"usb: gadget: uvc: allow for application to cleanly\nshutdown\") introduced two stages of synchronization waits totaling 1500ms\nin uvc_function_unbind() to prevent several types of kernel panics.\nHowever, this timing-based approach is insufficient during power\nmanagement (PM) transitions.\n\nWhen the PM subsystem starts freezing user space processes, the\nwait_event_interruptible_timeout() is aborted early, which allows the\nunbind thread to proceed and nullify the gadget pointer\n(cdev-\u003egadget = NULL):\n\n[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()\n[ 814.178583][ T3173] PM: suspend entry (deep)\n[ 814.192487][ T3173] Freezing user space processes\n[ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release\n\nWhen the PM subsystem resumes or aborts the suspend and tasks are\nrestarted, the V4L2 release path is executed and attempts to access the\nalready nullified gadget pointer, triggering a kernel panic:\n\n[ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake\n[ 814.386727][ T3173] Restarting tasks ...\n[ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030\n[ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4\n[ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94\n[ 814.404078][ T4558] Call trace:\n[ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4\n[ 814.404083][ T4558] usb_function_deactivate+0x54/0x94\n[ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c\n[ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac\n[ 814.404095][ T4558] v4l2_release+0xcc/0x130\n\nAddress the race condition and NULL pointer dereference by:\n\n1. State Synchronization (flag + mutex)\nIntroduce a \u0027func_unbound\u0027 flag in struct uvc_device. This allows\nuvc_function_disconnect() to safely skip accessing the nullified\ncdev-\u003egadget pointer. As suggested by Alan Stern, this flag is protected\nby a new mutex (uvc-\u003elock) to ensure proper memory ordering and prevent\ninstruction reordering or speculative loads. This mutex is also used to\nprotect \u0027func_connected\u0027 for consistent state management.\n\n2. Explicit Synchronization (completion)\nUse a completion to synchronize uvc_function_unbind() with the\nuvc_vdev_release() callback. This prevents Use-After-Free (UAF) by\nensuring struct uvc_device is freed after all video device resources\nare released.",
"id": "GHSA-m9p5-m8gg-jgg8",
"modified": "2026-05-07T18:30:34Z",
"published": "2026-05-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31726"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0587de744615628c38e33ddc1601160a5ea8c50a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c00ec409d7b2bce3fcac73188b79a141db7cfda"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1aa9356881ee4ed414bf72d0c56d915492cb5345"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8a1128d604c360eca135f15b882b70256a522145"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c038ba56b92e410d1caec22b2dc68780a0b42091"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c78e463ee134b4669579d453c81ae00795e4c19a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d92d1532e05b1b31d36d48765e43bf73d793d19f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eba2936bbe6b752a31725a9eb5c674ecbf21ee7d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9R2-4RM8-4W6G
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash.
{
"affected": [],
"aliases": [
"CVE-2017-16728"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-05T08:29:00Z",
"severity": "HIGH"
},
"details": "An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash.",
"id": "GHSA-m9r2-4rm8-4w6g",
"modified": "2022-05-13T01:37:21Z",
"published": "2022-05-13T01:37:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16728"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-004-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102424"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9VH-P652-J35F
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31A NULL Pointer Dereference vulnerability [CWE-476] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker to crash the HTTP daemon via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2026-24641"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:28Z",
"severity": "LOW"
},
"details": "A NULL Pointer Dereference vulnerability [CWE-476] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker to crash the HTTP daemon via crafted HTTP requests.",
"id": "GHSA-m9vh-p652-j35f",
"modified": "2026-03-10T18:31:20Z",
"published": "2026-03-10T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24641"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M9W6-R7MG-6GQQ
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-20 21:31Unchecked Return Value to NULL Pointer Dereference vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine fluid_msg::QueuePropertyList::unpack13.
This issue affects libfluid: 0.1.0.
{
"affected": [],
"aliases": [
"CVE-2024-31167"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-690"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T14:15:13Z",
"severity": "MODERATE"
},
"details": "Unchecked Return Value to NULL Pointer Dereference vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine\u00a0fluid_msg::QueuePropertyList::unpack13.\n\nThis issue affects libfluid: 0.1.0.",
"id": "GHSA-m9w6-r7mg-6gqq",
"modified": "2024-09-20T21:31:38Z",
"published": "2024-09-18T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31167"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-31167"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M9X4-X7J5-6V8X
Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-04-27 15:30In the Linux kernel, the following vulnerability has been resolved:
NFSD: Defer sub-object cleanup in export put callbacks
svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) without holding a reference. If cache_clean removes the entry and drops the last reference concurrently, the sub-objects are freed while still in use, producing a NULL pointer dereference in d_path.
Commit 2530766492ec ("nfsd: fix UAF when access ex_uuid or ex_stats") moved kfree of ex_uuid and ex_stats into the call_rcu callback, but left path_put() and auth_domain_put() running before the grace period because both may sleep and call_rcu callbacks execute in softirq context.
Replace call_rcu/kfree_rcu with queue_rcu_work(), which defers the callback until after the RCU grace period and executes it in process context where sleeping is permitted. This allows path_put() and auth_domain_put() to be moved into the deferred callback alongside the other resource releases. Apply the same fix to expkey_put(), which has the identical pattern with ek_path and ek_client.
A dedicated workqueue scopes the shutdown drain to only NFSD export release work items; flushing the shared system_unbound_wq would stall on unrelated work from other subsystems. nfsd_export_shutdown() uses rcu_barrier() followed by flush_workqueue() to ensure all deferred release callbacks complete before the export caches are destroyed.
Reviwed-by: Jeff Layton jlayton@kernel.org
{
"affected": [],
"aliases": [
"CVE-2026-31404"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T16:16:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callbacks\n\nsvc_export_put() calls path_put() and auth_domain_put() immediately\nwhen the last reference drops, before the RCU grace period. RCU\nreaders in e_show() and c_show() access both ex_path (via\nseq_path/d_path) and ex_client-\u003ename (via seq_escape) without\nholding a reference. If cache_clean removes the entry and drops the\nlast reference concurrently, the sub-objects are freed while still\nin use, producing a NULL pointer dereference in d_path.\n\nCommit 2530766492ec (\"nfsd: fix UAF when access ex_uuid or\nex_stats\") moved kfree of ex_uuid and ex_stats into the\ncall_rcu callback, but left path_put() and auth_domain_put() running\nbefore the grace period because both may sleep and call_rcu\ncallbacks execute in softirq context.\n\nReplace call_rcu/kfree_rcu with queue_rcu_work(), which defers the\ncallback until after the RCU grace period and executes it in process\ncontext where sleeping is permitted. This allows path_put() and\nauth_domain_put() to be moved into the deferred callback alongside\nthe other resource releases. Apply the same fix to expkey_put(),\nwhich has the identical pattern with ek_path and ek_client.\n\nA dedicated workqueue scopes the shutdown drain to only NFSD\nexport release work items; flushing the shared\nsystem_unbound_wq would stall on unrelated work from other\nsubsystems. nfsd_export_shutdown() uses rcu_barrier() followed\nby flush_workqueue() to ensure all deferred release callbacks\ncomplete before the export caches are destroyed.\n\nReviwed-by: Jeff Layton \u003cjlayton@kernel.org\u003e",
"id": "GHSA-m9x4-x7j5-6v8x",
"modified": "2026-04-27T15:30:32Z",
"published": "2026-04-03T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31404"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2829e80d29b627886d12b5ea40856d56b516e67d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48db892356d6cb80f6942885545de4a6dd8d2a29"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f5ab1bec5fa18731e0b1b1e60c9a68667ac73ea2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MC25-GF3G-FGGC
Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2024-11-14 18:30In the Linux kernel, the following vulnerability has been resolved:
phy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend
Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data from the qcom-qmp-usb driver, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks. This bug was later reproduced when the driver was copied to create the qmp-usb-legacy driver.
Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend.
Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with these drivers.
{
"affected": [],
"aliases": [
"CVE-2024-50239"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T11:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom: qmp-usb-legacy: fix NULL-deref on runtime suspend\n\nCommit 413db06c05e7 (\"phy: qcom-qmp-usb: clean up probe initialisation\")\nremoved most users of the platform device driver data from the\nqcom-qmp-usb driver, but mistakenly also removed the initialisation\ndespite the data still being used in the runtime PM callbacks. This bug\nwas later reproduced when the driver was copied to create the\nqmp-usb-legacy driver.\n\nRestore the driver data initialisation at probe to avoid a NULL-pointer\ndereference on runtime suspend.\n\nApparently no one uses runtime PM, which currently needs to be enabled\nmanually through sysfs, with these drivers.",
"id": "GHSA-mc25-gf3g-fggc",
"modified": "2024-11-14T18:30:32Z",
"published": "2024-11-09T12:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50239"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29240130ab77c80bea1464317ae2a5fd29c16a0c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e8066811a2c43fbb5f53c2c26d389e4bab9da34"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1cffd00daa9cf499b49a0da698eff5032914f6e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MC36-8C37-GC5W
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-12-31 21:30In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix a possible null pointer dereference
In radeon_fp_native_mode(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
The failure status of drm_cvt_mode() on the other path is checked too.
{
"affected": [],
"aliases": [
"CVE-2022-48710"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix a possible null pointer dereference\n\nIn radeon_fp_native_mode(), the return value of drm_mode_duplicate()\nis assigned to mode, which will lead to a NULL pointer dereference\non failure of drm_mode_duplicate(). Add a check to avoid npd.\n\nThe failure status of drm_cvt_mode() on the other path is checked too.",
"id": "GHSA-mc36-8c37-gc5w",
"modified": "2024-12-31T21:30:44Z",
"published": "2024-05-21T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48710"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/140d9807b96e1303f6f2675a7ae8710a2094bd17"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16a0f0b63c4c7eb46fc4c3f00bf2836e6ee46a9f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28fd384c78d7d8ed8af0d086d778c3e438ba7f60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b7fba107b2c4ec7673d0f45bdbb9d1af697d9b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8a89bfeef9abe93371e3ea8796377f2d132eee29"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2b28708b645c5632dc93669ab06e97874c8244f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b33f7d99c9226892c7794dc2500fae35966020c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e938d24f0b7392e142b8aa434f18590d99dbe479"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fee8ae0a0bb66eb7730c22f44fbd7203f63c2eab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.