CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6309 vulnerabilities reference this CWE, most recent first.
GHSA-P7R4-G84V-785W
Vulnerability from github – Published: 2024-11-04 03:30 – Updated: 2024-11-04 03:30A vulnerability has been found in Tenda i22 1.0.0.3(4687) and classified as problematic. Affected by this vulnerability is the function websReadEvent of the file /goform/GetIPTV?fgHPOST/goform/SysToo. The manipulation of the argument Content-Length leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-10750"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T02:15:14Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in Tenda i22 1.0.0.3(4687) and classified as problematic. Affected by this vulnerability is the function websReadEvent of the file /goform/GetIPTV?fgHPOST/goform/SysToo. The manipulation of the argument Content-Length leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-p7r4-g84v-785w",
"modified": "2024-11-04T03:30:39Z",
"published": "2024-11-04T03:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10750"
},
{
"type": "WEB",
"url": "https://github.com/xiaobor123/tenda-vul-i22"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.282919"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.282919"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.435407"
},
{
"type": "WEB",
"url": "https://www.tenda.com.cn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P7WM-885P-3RMG
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-10-28 03:30In the Linux kernel, the following vulnerability has been resolved:
driver core: class: Fix wild pointer dereferences in API class_dev_iter_next()
There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage:
// All members of @iter are wild pointers. struct class_dev_iter iter;
// class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...);
// Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... };
// Also dereference these wild pointers here. class_dev_iter_exit(&iter);
Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next().
{
"affected": [],
"aliases": [
"CVE-2025-21810"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T20:16:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: class: Fix wild pointer dereferences in API class_dev_iter_next()\n\nThere are a potential wild pointer dereferences issue regarding APIs\nclass_dev_iter_(init|next|exit)(), as explained by below typical usage:\n\n// All members of @iter are wild pointers.\nstruct class_dev_iter iter;\n\n// class_dev_iter_init(@iter, @class, ...) checks parameter @class for\n// potential class_to_subsys() error, and it returns void type and does\n// not initialize its output parameter @iter, so caller can not detect\n// the error and continues to invoke class_dev_iter_next(@iter) even if\n// @iter still contains wild pointers.\nclass_dev_iter_init(\u0026iter, ...);\n\n// Dereference these wild pointers in @iter here once suffer the error.\nwhile (dev = class_dev_iter_next(\u0026iter)) { ... };\n\n// Also dereference these wild pointers here.\nclass_dev_iter_exit(\u0026iter);\n\nActually, all callers of these APIs have such usage pattern in kernel tree.\nFix by:\n- Initialize output parameter @iter by memset() in class_dev_iter_init()\n and give callers prompt by pr_crit() for the error.\n- Check if @iter is valid in class_dev_iter_next().",
"id": "GHSA-p7wm-885p-3rmg",
"modified": "2025-10-28T03:30:13Z",
"published": "2025-02-27T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21810"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1614e75d1a1b63db6421c7a4bf37004720c7376c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c504e9767b947cf7d4e29b811c0c8b3c53242b7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e128f82f7006991c99a58114f70ef61e937b1ac1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4b9bc823b0cfdebfed479c0e87d6939c7562e87"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P7X5-WX33-W7GV
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-17 18:30In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Fix dummy res NULL ptr deref bug
Check the bo->resource value before accessing the resource mem_type.
v2: Fix commit description unwrapped warning
[ 40.191227][ T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
[ 40.192995][ T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[ 40.194411][ T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1
[ 40.196063][ T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 40.199605][ T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]
[ 40.200754][ T184] Code: e8 72 c5 ff ff 83 f8 b8 74 d4 85 c0 75 54 49 8b 9e 58 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 3c 03 7e 44 8b 53 10 31 c0 85 d2 0f 85 58
[ 40.203685][ T184] RSP: 0018:ffffc900006df0c8 EFLAGS: 00010202
[ 40.204630][ T184] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1102f4bb71b
[ 40.205864][ T184] RDX: 0000000000000002 RSI: ffffc900006df208 RDI: 0000000000000010
[ 40.207102][ T184] RBP: 1ffff920000dbe1a R08: ffffc900006df208 R09: 0000000000000000
[ 40.208394][ T184] R10: ffff88817a5f0000 R11: 0000000000000001 R12: ffffc900006df110
[ 40.209692][ T184] R13: ffffc900006df0f0 R14: ffff88817a5db800 R15: ffffc900006df208
[ 40.210862][ T184] FS: 00007f6b1d16e8c0(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000
[ 40.212250][ T184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 40.213275][ T184] CR2: 000055a1001d4ff0 CR3: 00000001700f4000 CR4: 00000000000006e0
[ 40.214469][ T184] Call Trace:
[ 40.214974][ T184]
[ 40.215438][ T184] ? ttm_bo_bounce_temp_buffer+0x140/0x140 [ttm]
[ 40.216572][ T184] ? mutex_spin_on_owner+0x240/0x240
[ 40.217456][ T184] ? drm_vma_offset_add+0xaa/0x100 [drm]
[ 40.218457][ T184] ttm_bo_init_reserved+0x3d6/0x540 [ttm]
[ 40.219410][ T184] ? shmem_get_inode+0x744/0x980
[ 40.220231][ T184] ttm_bo_init_validate+0xb1/0x200 [ttm]
[ 40.221172][ T184] ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]
[ 40.222530][ T184] ? ttm_bo_init_reserved+0x540/0x540 [ttm]
[ 40.223643][ T184] ? __do_sys_finit_module+0x11a/0x1c0
[ 40.224654][ T184] ? __shmem_file_setup+0x102/0x280
[ 40.234764][ T184] drm_gem_vram_create+0x305/0x480 [drm_vram_helper]
[ 40.235766][ T184] ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]
[ 40.236846][ T184] ? __kasan_slab_free+0x108/0x180
[ 40.237650][ T184] drm_gem_vram_fill_create_dumb+0x134/0x340 [drm_vram_helper]
[ 40.238864][ T184] ? local_pci_probe+0xdf/0x180
[ 40.239674][ T184] ? drmm_vram_helper_init+0x400/0x400 [drm_vram_helper]
[ 40.240826][ T184] drm_client_framebuffer_create+0x19c/0x400 [drm]
[ 40.241955][ T184] ? drm_client_buffer_delete+0x200/0x200 [drm]
[ 40.243001][ T184] ? drm_client_pick_crtcs+0x554/0xb80 [drm]
[ 40.244030][ T184] drm_fb_helper_generic_probe+0x23f/0x940 [drm_kms_helper]
[ 40.245226][ T184] ? __cond_resched+0x1c/0xc0
[ 40.245987][ T184] ? drm_fb_helper_memory_range_to_clip+0x180/0x180 [drm_kms_helper]
[ 40.247316][ T184] ? mutex_unlock+0x80/0x100
[ 40.248005][ T184] ? __mutex_unlock_slowpath+0x2c0/0x2c0
[ 40.249083][ T184] drm_fb_helper_single_fb_probe+0x907/0xf00 [drm_kms_helper]
[ 40.250314][ T184] ? drm_fb_helper_check_var+0x1180/0x1180 [drm_kms_helper]
[ 40.251540][ T184] ? __cond_resched+0x1c/0xc0
[ 40.252321][ T184] ? mutex_lock+0x9f/0x100
[ 40.253062][ T184] __drm_fb_helper_initial_config_and_unlock+0xb9/0x2c0 [drm_kms_helper]
[ 40.254394][ T184] drm_fbdev_client_hotplug+0x56f/0x840 [drm_kms_helper]
[ 40.255477][ T184] drm_fbdev_generic_setup+0x165/0x3c0 [drm_kms_helper]
[ 40.256607][ T184] bochs_pci_probe+0x6b7/0x900 [bochs]
[
---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-50068"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix dummy res NULL ptr deref bug\n\nCheck the bo-\u003eresource value before accessing the resource\nmem_type.\n\nv2: Fix commit description unwrapped warning\n\n\u003clog snip\u003e\n[ 40.191227][ T184] general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI\n[ 40.192995][ T184] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n[ 40.194411][ T184] CPU: 1 PID: 184 Comm: systemd-udevd Not tainted 5.19.0-rc4-00721-gb297c22b7070 #1\n[ 40.196063][ T184] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014\n[ 40.199605][ T184] RIP: 0010:ttm_bo_validate+0x1b3/0x240 [ttm]\n[ 40.200754][ T184] Code: e8 72 c5 ff ff 83 f8 b8 74 d4 85 c0 75 54 49 8b 9e 58 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 10 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 04 02 84 c0 74 04 3c 03 7e 44 8b 53 10 31 c0 85 d2 0f 85 58\n[ 40.203685][ T184] RSP: 0018:ffffc900006df0c8 EFLAGS: 00010202\n[ 40.204630][ T184] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1102f4bb71b\n[ 40.205864][ T184] RDX: 0000000000000002 RSI: ffffc900006df208 RDI: 0000000000000010\n[ 40.207102][ T184] RBP: 1ffff920000dbe1a R08: ffffc900006df208 R09: 0000000000000000\n[ 40.208394][ T184] R10: ffff88817a5f0000 R11: 0000000000000001 R12: ffffc900006df110\n[ 40.209692][ T184] R13: ffffc900006df0f0 R14: ffff88817a5db800 R15: ffffc900006df208\n[ 40.210862][ T184] FS: 00007f6b1d16e8c0(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000\n[ 40.212250][ T184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 40.213275][ T184] CR2: 000055a1001d4ff0 CR3: 00000001700f4000 CR4: 00000000000006e0\n[ 40.214469][ T184] Call Trace:\n[ 40.214974][ T184] \u003cTASK\u003e\n[ 40.215438][ T184] ? ttm_bo_bounce_temp_buffer+0x140/0x140 [ttm]\n[ 40.216572][ T184] ? mutex_spin_on_owner+0x240/0x240\n[ 40.217456][ T184] ? drm_vma_offset_add+0xaa/0x100 [drm]\n[ 40.218457][ T184] ttm_bo_init_reserved+0x3d6/0x540 [ttm]\n[ 40.219410][ T184] ? shmem_get_inode+0x744/0x980\n[ 40.220231][ T184] ttm_bo_init_validate+0xb1/0x200 [ttm]\n[ 40.221172][ T184] ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]\n[ 40.222530][ T184] ? ttm_bo_init_reserved+0x540/0x540 [ttm]\n[ 40.223643][ T184] ? __do_sys_finit_module+0x11a/0x1c0\n[ 40.224654][ T184] ? __shmem_file_setup+0x102/0x280\n[ 40.234764][ T184] drm_gem_vram_create+0x305/0x480 [drm_vram_helper]\n[ 40.235766][ T184] ? bo_driver_evict_flags+0x340/0x340 [drm_vram_helper]\n[ 40.236846][ T184] ? __kasan_slab_free+0x108/0x180\n[ 40.237650][ T184] drm_gem_vram_fill_create_dumb+0x134/0x340 [drm_vram_helper]\n[ 40.238864][ T184] ? local_pci_probe+0xdf/0x180\n[ 40.239674][ T184] ? drmm_vram_helper_init+0x400/0x400 [drm_vram_helper]\n[ 40.240826][ T184] drm_client_framebuffer_create+0x19c/0x400 [drm]\n[ 40.241955][ T184] ? drm_client_buffer_delete+0x200/0x200 [drm]\n[ 40.243001][ T184] ? drm_client_pick_crtcs+0x554/0xb80 [drm]\n[ 40.244030][ T184] drm_fb_helper_generic_probe+0x23f/0x940 [drm_kms_helper]\n[ 40.245226][ T184] ? __cond_resched+0x1c/0xc0\n[ 40.245987][ T184] ? drm_fb_helper_memory_range_to_clip+0x180/0x180 [drm_kms_helper]\n[ 40.247316][ T184] ? mutex_unlock+0x80/0x100\n[ 40.248005][ T184] ? __mutex_unlock_slowpath+0x2c0/0x2c0\n[ 40.249083][ T184] drm_fb_helper_single_fb_probe+0x907/0xf00 [drm_kms_helper]\n[ 40.250314][ T184] ? drm_fb_helper_check_var+0x1180/0x1180 [drm_kms_helper]\n[ 40.251540][ T184] ? __cond_resched+0x1c/0xc0\n[ 40.252321][ T184] ? mutex_lock+0x9f/0x100\n[ 40.253062][ T184] __drm_fb_helper_initial_config_and_unlock+0xb9/0x2c0 [drm_kms_helper]\n[ 40.254394][ T184] drm_fbdev_client_hotplug+0x56f/0x840 [drm_kms_helper]\n[ 40.255477][ T184] drm_fbdev_generic_setup+0x165/0x3c0 [drm_kms_helper]\n[ 40.256607][ T184] bochs_pci_probe+0x6b7/0x900 [bochs]\n[ \n---truncated---",
"id": "GHSA-p7x5-wx33-w7gv",
"modified": "2025-11-17T18:30:23Z",
"published": "2025-06-18T12:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50068"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76672cd326c146ded2c2712ff257b8908dcf23d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9bd970d4097287778a4449452e70b35d0bfaa3aa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf4b7387c0a842d64bdd7c353e6d3298174a7740"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P7X7-VRH2-WVVC
Vulnerability from github – Published: 2024-11-21 21:33 – Updated: 2024-12-24 15:30In the Linux kernel, the following vulnerability has been resolved:
virtio_pci: Fix admin vq cleanup by using correct info pointer
vp_modern_avq_cleanup() and vp_del_vqs() clean up admin vq resources by virtio_pci_vq_info pointer. The info pointer of admin vq is stored in vp_dev->admin_vq.info instead of vp_dev->vqs[]. Using the info pointer from vp_dev->vqs[] for admin vq causes a kernel NULL pointer dereference bug. In vp_modern_avq_cleanup() and vp_del_vqs(), get the info pointer from vp_dev->admin_vq.info for admin vq to clean up the resources. Also make info ptr as argument of vp_del_vq() to be symmetric with vp_setup_vq().
vp_reset calls vp_modern_avq_cleanup, and causes the Call Trace:
BUG: kernel NULL pointer dereference, address:0000000000000000 ... CPU: 49 UID: 0 PID: 4439 Comm: modprobe Not tainted 6.11.0-rc5 #1 RIP: 0010:vp_reset+0x57/0x90 [virtio_pci] Call Trace: ... ? vp_reset+0x57/0x90 [virtio_pci] ? vp_reset+0x38/0x90 [virtio_pci] virtio_reset_device+0x1d/0x30 remove_vq_common+0x1c/0x1a0 [virtio_net] virtnet_remove+0xa1/0xc0 [virtio_net] virtio_dev_remove+0x46/0xa0 ... virtio_pci_driver_exit+0x14/0x810 [virtio_pci] ==================================================================
{
"affected": [],
"aliases": [
"CVE-2024-53092"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-21T19:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pci: Fix admin vq cleanup by using correct info pointer\n\nvp_modern_avq_cleanup() and vp_del_vqs() clean up admin vq\nresources by virtio_pci_vq_info pointer. The info pointer of admin\nvq is stored in vp_dev-\u003eadmin_vq.info instead of vp_dev-\u003evqs[].\nUsing the info pointer from vp_dev-\u003evqs[] for admin vq causes a\nkernel NULL pointer dereference bug.\nIn vp_modern_avq_cleanup() and vp_del_vqs(), get the info pointer\nfrom vp_dev-\u003eadmin_vq.info for admin vq to clean up the resources.\nAlso make info ptr as argument of vp_del_vq() to be symmetric with\nvp_setup_vq().\n\nvp_reset calls vp_modern_avq_cleanup, and causes the Call Trace:\n==================================================================\nBUG: kernel NULL pointer dereference, address:0000000000000000\n...\nCPU: 49 UID: 0 PID: 4439 Comm: modprobe Not tainted 6.11.0-rc5 #1\nRIP: 0010:vp_reset+0x57/0x90 [virtio_pci]\nCall Trace:\n \u003cTASK\u003e\n...\n ? vp_reset+0x57/0x90 [virtio_pci]\n ? vp_reset+0x38/0x90 [virtio_pci]\n virtio_reset_device+0x1d/0x30\n remove_vq_common+0x1c/0x1a0 [virtio_net]\n virtnet_remove+0xa1/0xc0 [virtio_net]\n virtio_dev_remove+0x46/0xa0\n...\n virtio_pci_driver_exit+0x14/0x810 [virtio_pci]\n==================================================================",
"id": "GHSA-p7x7-vrh2-wvvc",
"modified": "2024-12-24T15:30:31Z",
"published": "2024-11-21T21:33:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53092"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/018d3d4ad4be7fbc95d8a2367642a32d21df55c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97ee04feb682c906a1fa973ebe586fe91567d165"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P83G-X445-4QM2
Vulnerability from github – Published: 2024-10-21 12:30 – Updated: 2024-10-24 15:31In the Linux kernel, the following vulnerability has been resolved:
RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data
With the latest Linux-6.11-rc3, the below NULL pointer crash is observed when SBI PMU snapshot is enabled for the guest and the guest is forcefully powered-off.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508 Oops [#1] Modules linked in: kvm CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3 Hardware name: riscv-virtio,qemu (DT) epc : __kvm_write_guest_page+0x94/0xa6 [kvm] ra : __kvm_write_guest_page+0x54/0xa6 [kvm] epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0 gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000 t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0 s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086 a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0 a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000 s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000 s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001 s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3 t5 : ffffffff814126e0 t6 : ffffffff81412700 status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d [] __kvm_write_guest_page+0x94/0xa6 [kvm] [] kvm_vcpu_write_guest+0x56/0x90 [kvm] [] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm] [] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm] [] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm] [] kvm_arch_vcpu_destroy+0x28/0x4c [kvm] [] kvm_destroy_vcpus+0x5a/0xda [kvm] [] kvm_arch_destroy_vm+0x14/0x28 [kvm] [] kvm_destroy_vm+0x168/0x2a0 [kvm] [] kvm_put_kvm+0x3c/0x58 [kvm] [] kvm_vm_release+0x22/0x2e [kvm]
Clearly, the kvm_vcpu_write_guest() function is crashing because it is being called from kvm_pmu_clear_snapshot_area() upon guest tear down.
To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because the guest is anyway being tore down.
The kvm_pmu_clear_snapshot_area() is also called when guest changes PMU snapshot area of a VCPU but even in this case the previous PMU snaphsot area must not be zeroed-out because the guest might have reclaimed the pervious PMU snapshot area for some other purpose.
{
"affected": [],
"aliases": [
"CVE-2024-47717"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T12:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: Don\u0027t zero-out PMU snapshot area before freeing data\n\nWith the latest Linux-6.11-rc3, the below NULL pointer crash is observed\nwhen SBI PMU snapshot is enabled for the guest and the guest is forcefully\npowered-off.\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508\n Oops [#1]\n Modules linked in: kvm\n CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3\n Hardware name: riscv-virtio,qemu (DT)\n epc : __kvm_write_guest_page+0x94/0xa6 [kvm]\n ra : __kvm_write_guest_page+0x54/0xa6 [kvm]\n epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0\n gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000\n t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0\n s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086\n a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0\n a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc\n s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000\n s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000\n s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001\n s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3\n t5 : ffffffff814126e0 t6 : ffffffff81412700\n status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d\n [\u003cffffffff01590e98\u003e] __kvm_write_guest_page+0x94/0xa6 [kvm]\n [\u003cffffffff015943a6\u003e] kvm_vcpu_write_guest+0x56/0x90 [kvm]\n [\u003cffffffff015a175c\u003e] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]\n [\u003cffffffff015a1972\u003e] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]\n [\u003cffffffff015a2ad0\u003e] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]\n [\u003cffffffff0159b344\u003e] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]\n [\u003cffffffff0158e420\u003e] kvm_destroy_vcpus+0x5a/0xda [kvm]\n [\u003cffffffff0159930c\u003e] kvm_arch_destroy_vm+0x14/0x28 [kvm]\n [\u003cffffffff01593260\u003e] kvm_destroy_vm+0x168/0x2a0 [kvm]\n [\u003cffffffff015933d4\u003e] kvm_put_kvm+0x3c/0x58 [kvm]\n [\u003cffffffff01593412\u003e] kvm_vm_release+0x22/0x2e [kvm]\n\nClearly, the kvm_vcpu_write_guest() function is crashing because it is\nbeing called from kvm_pmu_clear_snapshot_area() upon guest tear down.\n\nTo address the above issue, simplify the kvm_pmu_clear_snapshot_area() to\nnot zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because\nthe guest is anyway being tore down.\n\nThe kvm_pmu_clear_snapshot_area() is also called when guest changes\nPMU snapshot area of a VCPU but even in this case the previous PMU\nsnaphsot area must not be zeroed-out because the guest might have\nreclaimed the pervious PMU snapshot area for some other purpose.",
"id": "GHSA-p83g-x445-4qm2",
"modified": "2024-10-24T15:31:08Z",
"published": "2024-10-21T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47717"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47d40d93292d9cff8dabb735bed83d930fa03950"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d0a5dcfc78bd18f2abb9641f83380135494559b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P83V-M67P-PFFW
Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2026-01-09 15:30In the Linux kernel, the following vulnerability has been resolved:
clk: xilinx: vcu: unregister pll_post only if registered correctly
If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace:
Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr : clk_hw_unregister_fixed_factor+0x18/0x30 sp : ffff800011923850 ... Call trace: clk_hw_unregister+0xc/0x20 clk_hw_unregister_fixed_factor+0x18/0x30 xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu] xvcu_probe+0x2bc/0x53c [xlnx_vcu]
{
"affected": [],
"aliases": [
"CVE-2025-38583"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T17:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: xilinx: vcu: unregister pll_post only if registered correctly\n\nIf registration of pll_post is failed, it will be set to NULL or ERR,\nunregistering same will fail with following call trace:\n\nUnable to handle kernel NULL pointer dereference at virtual address 008\npc : clk_hw_unregister+0xc/0x20\nlr : clk_hw_unregister_fixed_factor+0x18/0x30\nsp : ffff800011923850\n...\nCall trace:\n clk_hw_unregister+0xc/0x20\n clk_hw_unregister_fixed_factor+0x18/0x30\n xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]\n xvcu_probe+0x2bc/0x53c [xlnx_vcu]",
"id": "GHSA-p83v-m67p-pffw",
"modified": "2026-01-09T15:30:23Z",
"published": "2025-08-19T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38583"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51990eecf22f446550befdfd1a9f54147eafd636"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e903da71f8bec4beb7c06707900e1ed8db843ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86124c5cfceb5ac04d2fddbf1b6f7147332d96a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/88bd875b7f9c3652c27d6e4bb7a23701b764f762"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a72b1c2d3b53e088bfaeb593949ff6fbd2cbe8ed"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1a1be99d5ae53d3b404415f1665eb59e8e02a8c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P85V-4HP9-VQ4R
Vulnerability from github – Published: 2024-12-04 15:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".
This series fixes null pointer dereference bugs that occur when using nilfs2 and two block-related tracepoints.
This patch (of 2):
It has been reported that when using "block:block_touch_buffer" tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a NULL pointer dereference, or a general protection fault when KASAN is enabled.
This happens because since the tracepoint was added in touch_buffer(), it references the dev_t member bh->b_bdev->bd_dev regardless of whether the buffer head has a pointer to a block_device structure. In the current implementation, the block_device structure is set after the function returns to the caller.
Here, touch_buffer() is used to mark the folio/page that owns the buffer head as accessed, but the common search helper for folio/page used by the caller function was optimized to mark the folio/page as accessed when it was reimplemented a long time ago, eliminating the need to call touch_buffer() here in the first place.
So this solves the issue by eliminating the touch_buffer() call itself.
{
"affected": [],
"aliases": [
"CVE-2024-53131"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-04T15:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_touch_buffer tracepoint\n\nPatch series \"nilfs2: fix null-ptr-deref bugs on block tracepoints\".\n\nThis series fixes null pointer dereference bugs that occur when using\nnilfs2 and two block-related tracepoints.\n\n\nThis patch (of 2):\n\nIt has been reported that when using \"block:block_touch_buffer\"\ntracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a\nNULL pointer dereference, or a general protection fault when KASAN is\nenabled.\n\nThis happens because since the tracepoint was added in touch_buffer(), it\nreferences the dev_t member bh-\u003eb_bdev-\u003ebd_dev regardless of whether the\nbuffer head has a pointer to a block_device structure. In the current\nimplementation, the block_device structure is set after the function\nreturns to the caller.\n\nHere, touch_buffer() is used to mark the folio/page that owns the buffer\nhead as accessed, but the common search helper for folio/page used by the\ncaller function was optimized to mark the folio/page as accessed when it\nwas reimplemented a long time ago, eliminating the need to call\ntouch_buffer() here in the first place.\n\nSo this solves the issue by eliminating the touch_buffer() call itself.",
"id": "GHSA-p85v-4hp9-vq4r",
"modified": "2025-11-04T00:32:09Z",
"published": "2024-12-04T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53131"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/085556bf8c70e2629e02e79268dac3016a08b8bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19c71cdd77973f99a9adc3190130bc3aa7ae5423"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b2a4fd9bbee77afdd3ed5a05a0c02b6cde8d3b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59b49ca67cca7b007a5afd3de0283c8008157665"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6438f3f42cda825f6f59b4e45ac3a1da28a6f2c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/77e47f89d32c2d72eb33d0becbce7abe14d061f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b017697a517f8779ada4e8ce1c2c75dbf60a2636"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P863-5FGM-RGQ4
Vulnerability from github – Published: 2026-02-24 15:36 – Updated: 2026-02-24 15:36A NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in Denial of Service.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3704942==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x7f9d141239e0 bp 0x7ffd4c5711e0 sp 0x7ffd4c571148 T0)
#0 0x7f9d141239e0 (/lib/x86_64-linux-gnu/libc.so.6+0xc49e0)
#1 0x558a25e4f08d in ClonePixelCacheRepository._omp_fn.0 MagickCore/cache.c:784
#2 0x7f9d14c06a15 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x14a15)
#3 0x558a25e43151 in ClonePixelCacheRepository MagickCore/cache.c:753
#4 0x558a25e49a96 in OpenPixelCache MagickCore/cache.c:3849
#5 0x558a25e45117 in GetImagePixelCache MagickCore/cache.c:1829
#6 0x558a25e4dde3 in SyncImagePixelCache MagickCore/cache.c:5647
#7 0x558a256ba57d in SetImageExtent MagickCore/image.c:2713
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25798"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-24T15:36:08Z",
"nvd_published_at": "2026-02-24T01:16:14Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in Denial of Service.\n\n```\nAddressSanitizer:DEADLYSIGNAL\n=================================================================\n==3704942==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x7f9d141239e0 bp 0x7ffd4c5711e0 sp 0x7ffd4c571148 T0)\n #0 0x7f9d141239e0 (/lib/x86_64-linux-gnu/libc.so.6+0xc49e0)\n #1 0x558a25e4f08d in ClonePixelCacheRepository._omp_fn.0 MagickCore/cache.c:784\n #2 0x7f9d14c06a15 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x14a15)\n #3 0x558a25e43151 in ClonePixelCacheRepository MagickCore/cache.c:753\n #4 0x558a25e49a96 in OpenPixelCache MagickCore/cache.c:3849\n #5 0x558a25e45117 in GetImagePixelCache MagickCore/cache.c:1829\n #6 0x558a25e4dde3 in SyncImagePixelCache MagickCore/cache.c:5647\n #7 0x558a256ba57d in SetImageExtent MagickCore/image.c:2713\n```",
"id": "GHSA-p863-5fgm-rgq4",
"modified": "2026-02-24T15:36:08Z",
"published": "2026-02-24T15:36:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25798"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/8567"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/e046417675d5c26e5f48816851a406c121c77469"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has NULL Pointer Dereference in ClonePixelCacheRepository via crafted image"
}
GHSA-P884-V7P5-5858
Vulnerability from github – Published: 2026-02-23 21:31 – Updated: 2026-02-24 21:31libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
{
"affected": [],
"aliases": [
"CVE-2025-61143"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-23T19:22:56Z",
"severity": "MODERATE"
},
"details": "libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.",
"id": "GHSA-p884-v7p5-5858",
"modified": "2026-02-24T21:31:40Z",
"published": "2026-02-23T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61143"
},
{
"type": "WEB",
"url": "https://gist.github.com/optionGo/9c024cd8e7b131463b84dc60af9bb0aa"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/737"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/755"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P89J-VJGQ-2RFV
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44In read_and_discard_scanlines of jdapistd.c, there is a possible null pointer exception due to a missing NULL check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173702583
{
"affected": [],
"aliases": [
"CVE-2021-0384"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "In read_and_discard_scanlines of jdapistd.c, there is a possible null pointer exception due to a missing NULL check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173702583",
"id": "GHSA-p89j-vjgq-2rfv",
"modified": "2022-05-24T17:44:08Z",
"published": "2022-05-24T17:44:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0384"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.