CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-PFPP-Q6GH-6XMM
Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2024-08-21 18:31In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()
bdev->bd_super has been removed and commit 8887b94d9322 change the usage from bdev->bd_super to b_assoc_map->host->i_sb. This introduces the following NULL pointer dereference in ocfs2_journal_dirty() since b_assoc_map is still not initialized. This can be easily reproduced by running xfstests generic/186, which simulate no more credits.
[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2] ... [ 134.365071] Call Trace: [ 134.365312] [ 134.365524] ? __die_body+0x1e/0x60 [ 134.365868] ? page_fault_oops+0x13d/0x4f0 [ 134.366265] ? __pfx_bit_wait_io+0x10/0x10 [ 134.366659] ? schedule+0x27/0xb0 [ 134.366981] ? exc_page_fault+0x6a/0x140 [ 134.367356] ? asm_exc_page_fault+0x26/0x30 [ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2] [ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2] [ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2] [ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2] [ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2] [ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2] [ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2] [ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2] [ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2] [ 134.372994] ? inode_update_timestamps+0x4a/0x120 [ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] [ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2] [ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2] [ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2] [ 134.376971] ? security_file_permission+0x29/0x50 [ 134.377644] vfs_clone_file_range+0xfe/0x320 [ 134.378268] ioctl_file_clone+0x45/0xa0 [ 134.378853] do_vfs_ioctl+0x457/0x990 [ 134.379422] __x64_sys_ioctl+0x6e/0xd0 [ 134.379987] do_syscall_64+0x5d/0x170 [ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 134.381231] RIP: 0033:0x7fa4926397cb [ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48 [ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb [ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003 [ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000 [ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000 [ 134.389207]
Fix it by only aborting transaction and journal in ocfs2_journal_dirty() now, and leave ocfs2_abort() later when detecting an aborted handle, e.g. start next transaction. Also log the handle details in this case.
{
"affected": [],
"aliases": [
"CVE-2024-40952"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-12T13:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix NULL pointer dereference in ocfs2_journal_dirty()\n\nbdev-\u003ebd_super has been removed and commit 8887b94d9322 change the usage\nfrom bdev-\u003ebd_super to b_assoc_map-\u003ehost-\u003ei_sb. This introduces the\nfollowing NULL pointer dereference in ocfs2_journal_dirty() since\nb_assoc_map is still not initialized. This can be easily reproduced by\nrunning xfstests generic/186, which simulate no more credits.\n\n[ 134.351592] BUG: kernel NULL pointer dereference, address: 0000000000000000\n...\n[ 134.355341] RIP: 0010:ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n...\n[ 134.365071] Call Trace:\n[ 134.365312] \u003cTASK\u003e\n[ 134.365524] ? __die_body+0x1e/0x60\n[ 134.365868] ? page_fault_oops+0x13d/0x4f0\n[ 134.366265] ? __pfx_bit_wait_io+0x10/0x10\n[ 134.366659] ? schedule+0x27/0xb0\n[ 134.366981] ? exc_page_fault+0x6a/0x140\n[ 134.367356] ? asm_exc_page_fault+0x26/0x30\n[ 134.367762] ? ocfs2_journal_dirty+0x14f/0x160 [ocfs2]\n[ 134.368305] ? ocfs2_journal_dirty+0x13d/0x160 [ocfs2]\n[ 134.368837] ocfs2_create_new_meta_bhs.isra.51+0x139/0x2e0 [ocfs2]\n[ 134.369454] ocfs2_grow_tree+0x688/0x8a0 [ocfs2]\n[ 134.369927] ocfs2_split_and_insert.isra.67+0x35c/0x4a0 [ocfs2]\n[ 134.370521] ocfs2_split_extent+0x314/0x4d0 [ocfs2]\n[ 134.371019] ocfs2_change_extent_flag+0x174/0x410 [ocfs2]\n[ 134.371566] ocfs2_add_refcount_flag+0x3fa/0x630 [ocfs2]\n[ 134.372117] ocfs2_reflink_remap_extent+0x21b/0x4c0 [ocfs2]\n[ 134.372994] ? inode_update_timestamps+0x4a/0x120\n[ 134.373692] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.374545] ? __pfx_ocfs2_journal_access_di+0x10/0x10 [ocfs2]\n[ 134.375393] ocfs2_reflink_remap_blocks+0xe4/0x4e0 [ocfs2]\n[ 134.376197] ocfs2_remap_file_range+0x1de/0x390 [ocfs2]\n[ 134.376971] ? security_file_permission+0x29/0x50\n[ 134.377644] vfs_clone_file_range+0xfe/0x320\n[ 134.378268] ioctl_file_clone+0x45/0xa0\n[ 134.378853] do_vfs_ioctl+0x457/0x990\n[ 134.379422] __x64_sys_ioctl+0x6e/0xd0\n[ 134.379987] do_syscall_64+0x5d/0x170\n[ 134.380550] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 134.381231] RIP: 0033:0x7fa4926397cb\n[ 134.381786] Code: 73 01 c3 48 8b 0d bd 56 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 56 38 00 f7 d8 64 89 01 48\n[ 134.383930] RSP: 002b:00007ffc2b39f7b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[ 134.384854] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fa4926397cb\n[ 134.385734] RDX: 00007ffc2b39f7f0 RSI: 000000004020940d RDI: 0000000000000003\n[ 134.386606] RBP: 0000000000000000 R08: 00111a82a4f015bb R09: 00007fa494221000\n[ 134.387476] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 134.388342] R13: 0000000000f10000 R14: 0000558e844e2ac8 R15: 0000000000f10000\n[ 134.389207] \u003c/TASK\u003e\n\nFix it by only aborting transaction and journal in ocfs2_journal_dirty()\nnow, and leave ocfs2_abort() later when detecting an aborted handle,\ne.g. start next transaction. Also log the handle details in this case.",
"id": "GHSA-pfpp-q6gh-6xmm",
"modified": "2024-08-21T18:31:26Z",
"published": "2024-07-12T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40952"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0550ad87711f815b3d73e487ec58ca7d8f56edbc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58f7e1e2c9e72c7974054c64c3abeac81c11f822"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72663d3e09091f431a0774227ca207c0358362dd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQ9-GMXF-FP7R
Vulnerability from github – Published: 2022-12-20 18:30 – Updated: 2022-12-20 18:30In sdpu_find_most_specific_service_uuid of sdp_utils.cc, there is a possible way to crash Bluetooth due to a missing null check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227203684
{
"affected": [],
"aliases": [
"CVE-2022-20521"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In sdpu_find_most_specific_service_uuid of sdp_utils.cc, there is a possible way to crash Bluetooth due to a missing null check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227203684",
"id": "GHSA-pfq9-gmxf-fp7r",
"modified": "2022-12-20T18:30:20Z",
"published": "2022-12-20T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20521"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQP-2WHQ-57G2
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-11 09:30In the Linux kernel, the following vulnerability has been resolved:
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags().
BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().
{
"affected": [],
"aliases": [
"CVE-2026-43441"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:56Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If bonding ARP/NS validation is enabled, an IPv6\nNS/NA packet received on a slave can reach bond_validate_na(), which\ncalls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can\ncrash in __ipv6_chk_addr_and_flags().\n\n BUG: kernel NULL pointer dereference, address: 00000000000005d8\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170\n Call Trace:\n \u003cIRQ\u003e\n ipv6_chk_addr+0x1f/0x30\n bond_validate_na+0x12e/0x1d0 [bonding]\n ? __pfx_bond_handle_frame+0x10/0x10 [bonding]\n bond_rcv_validate+0x1a0/0x450 [bonding]\n bond_handle_frame+0x5e/0x290 [bonding]\n ? srso_alias_return_thunk+0x5/0xfbef5\n __netif_receive_skb_core.constprop.0+0x3e8/0xe50\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? update_cfs_rq_load_avg+0x1a/0x240\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __enqueue_entity+0x5e/0x240\n __netif_receive_skb_one_core+0x39/0xa0\n process_backlog+0x9c/0x150\n __napi_poll+0x30/0x200\n ? srso_alias_return_thunk+0x5/0xfbef5\n net_rx_action+0x338/0x3b0\n handle_softirqs+0xc9/0x2a0\n do_softirq+0x42/0x60\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0x62/0x70\n __dev_queue_xmit+0x2d3/0x1000\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? packet_parse_headers+0x10a/0x1a0\n packet_sendmsg+0x10da/0x1700\n ? kick_pool+0x5f/0x140\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __queue_work+0x12d/0x4f0\n __sys_sendto+0x1f3/0x220\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x101/0xf80\n ? exc_page_fault+0x6e/0x170\n ? srso_alias_return_thunk+0x5/0xfbef5\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nFix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to\nbond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate()\nand avoid the path to ipv6_chk_addr().",
"id": "GHSA-pfqp-2whq-57g2",
"modified": "2026-05-11T09:30:31Z",
"published": "2026-05-08T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43441"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30021e969d48e5819d5ae56936c2f34c0f7ce997"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49dbfcb70eca5f6f9043594e1e323c74c39e3863"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95faa1459b83fa544191e82ccc73856f03b7741f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c78f01abe535853f13f0b26cd5b1d2f19bf52e2f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c9c238066fb254dabf65e27379f93c56112c5b96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf6099ef493b94e140b0fad52482a78853115318"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQW-H6QM-MP6M
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2011-4594"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-05-17T11:00:00Z",
"severity": "MODERATE"
},
"details": "The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.",
"id": "GHSA-pfqw-h6qm-mp6m",
"modified": "2022-05-13T01:24:58Z",
"published": "2022-05-13T01:24:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4594"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/bc909d9ddbf7778371e36a651d6e4194b1cc7d4c"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=761646"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=bc909d9ddbf7778371e36a651d6e4194b1cc7d4c"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bc909d9ddbf7778371e36a651d6e4194b1cc7d4c"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/12/08/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFV6-3F5P-J5C6
Vulnerability from github – Published: 2024-02-17 00:31 – Updated: 2024-10-31 21:31ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.
{
"affected": [],
"aliases": [
"CVE-2023-45918"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T22:15:07Z",
"severity": "MODERATE"
},
"details": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.",
"id": "GHSA-pfv6-3f5p-j5c6",
"modified": "2024-10-31T21:31:44Z",
"published": "2024-02-17T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300290#c1"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240315-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFXC-R4M8-GW9P
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 21:30In the Linux kernel, the following vulnerability has been resolved:
kprobes: avoid crash when rmmod/insmod after ftrace killed
After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes.
BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:kprobes_module_callback+0x89/0x790 RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02 RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90 RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002 R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040 FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0 Call Trace: notifier_call_chain+0xc6/0x280 blocking_notifier_call_chain+0x60/0x90 __do_sys_delete_module.constprop.0+0x32a/0x4e0 do_syscall_64+0x5d/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because the kprobe on ftrace does not correctly handles the kprobe_ftrace_disabled flag set by ftrace_kill().
To prevent this error, check kprobe_ftrace_disabled in __disarm_kprobe_ftrace() and skip all ftrace related operations.
{
"affected": [],
"aliases": [
"CVE-2026-43409"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: avoid crash when rmmod/insmod after ftrace killed\n\nAfter we hit ftrace is killed by some errors, the kernel crash if\nwe remove modules in which kprobe probes.\n\nBUG: unable to handle page fault for address: fffffbfff805000d\nPGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0\nOops: Oops: 0000 [#1] SMP KASAN PTI\nCPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE\nTainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nRIP: 0010:kprobes_module_callback+0x89/0x790\nRSP: 0018:ffff88812e157d30 EFLAGS: 00010a02\nRAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90\nRDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a\nR10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002\nR13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040\nFS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n notifier_call_chain+0xc6/0x280\n blocking_notifier_call_chain+0x60/0x90\n __do_sys_delete_module.constprop.0+0x32a/0x4e0\n do_syscall_64+0x5d/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis is because the kprobe on ftrace does not correctly handles\nthe kprobe_ftrace_disabled flag set by ftrace_kill().\n\nTo prevent this error, check kprobe_ftrace_disabled in\n__disarm_kprobe_ftrace() and skip all ftrace related operations.",
"id": "GHSA-pfxc-r4m8-gw9p",
"modified": "2026-05-21T21:30:30Z",
"published": "2026-05-08T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43409"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b6767e4141b2a42745b544d4555cf1614ba1a2d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9edc79d664832a842012ad105b1521c1a3c35ab3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b0ca81616a010807e91fc31db9be242b96326adc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cae928e3178c75602c21d67e21255d73e7e9ed4f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e113f0b46d19626ec15388bcb91432c9a4fd6261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PG75-XXXV-PV8J
Vulnerability from github – Published: 2023-11-17 06:31 – Updated: 2024-06-20 18:34An issue was discovered in OpenNDS Captive Portal before 10.1.2. it has a do_binauth NULL pointer dereference that can be triggered with a crafted GET HTTP request with a missing client redirect query string parameter. Triggering this issue results in crashing openNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.
{
"affected": [],
"aliases": [
"CVE-2023-38313"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-17T06:15:33Z",
"severity": "HIGH"
},
"details": "An issue was discovered in OpenNDS Captive Portal before 10.1.2. it has a do_binauth NULL pointer dereference that can be triggered with a crafted GET HTTP request with a missing client redirect query string parameter. Triggering this issue results in crashing openNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.",
"id": "GHSA-pg75-xxxv-pv8j",
"modified": "2024-06-20T18:34:06Z",
"published": "2023-11-17T06:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38313"
},
{
"type": "WEB",
"url": "https://github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80"
},
{
"type": "WEB",
"url": "https://github.com/openNDS/openNDS/releases/tag/v10.1.2"
},
{
"type": "WEB",
"url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/#sthash.2vJg3d85.rwx82g1C.dpbs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PG76-Q8R9-XQW5
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31In the Linux kernel, the following vulnerability has been resolved:
phy: qcom-qmp-combo: fix NULL-deref on runtime resume
Commit fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate PCS_USB region") started treating the PCS_USB registers as potentially separate from the PCS registers but used the wrong base when no PCS_USB offset has been provided.
Fix the PCS_USB base used at runtime resume to prevent dereferencing a NULL pointer on platforms that do not provide a PCS_USB offset (e.g. SC7180).
{
"affected": [],
"aliases": [
"CVE-2022-49848"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: qcom-qmp-combo: fix NULL-deref on runtime resume\n\nCommit fc64623637da (\"phy: qcom-qmp-combo,usb: add support for separate\nPCS_USB region\") started treating the PCS_USB registers as potentially\nseparate from the PCS registers but used the wrong base when no PCS_USB\noffset has been provided.\n\nFix the PCS_USB base used at runtime resume to prevent dereferencing a\nNULL pointer on platforms that do not provide a PCS_USB offset (e.g.\nSC7180).",
"id": "GHSA-pg76-q8r9-xqw5",
"modified": "2025-05-07T15:31:24Z",
"published": "2025-05-01T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49848"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04948e757148f870a31f4887ea2239403f516c3c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c559a8b5cfa3db196ced0257b288f17027621348"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PGCR-7VHJ-26W2
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2024-10-25 15:31In the Linux kernel, the following vulnerability has been resolved:
gpiolib: Fix potential NULL pointer dereference in gpiod_get_label()
In gpiod_get_label(), it is possible that srcu_dereference_check() may
return a NULL pointer, leading to a scenario where label->str is accessed
without verifying if label itself is NULL.
This patch adds a proper NULL check for label before accessing
label->str. The check for label->str != NULL is removed because
label->str can never be NULL if label is not NULL.
This fixes the issue where the label name was being printed as (efault)
when dumping the sysfs GPIO file when label == NULL.
{
"affected": [],
"aliases": [
"CVE-2024-49941"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: Fix potential NULL pointer dereference in gpiod_get_label()\n\nIn `gpiod_get_label()`, it is possible that `srcu_dereference_check()` may\nreturn a NULL pointer, leading to a scenario where `label-\u003estr` is accessed\nwithout verifying if `label` itself is NULL.\n\nThis patch adds a proper NULL check for `label` before accessing\n`label-\u003estr`. The check for `label-\u003estr != NULL` is removed because\n`label-\u003estr` can never be NULL if `label` is not NULL.\n\nThis fixes the issue where the label name was being printed as `(efault)`\nwhen dumping the sysfs GPIO file when `label == NULL`.",
"id": "GHSA-pgcr-7vhj-26w2",
"modified": "2024-10-25T15:31:26Z",
"published": "2024-10-21T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49941"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b99b5ab885993bff010ebcd93be5e511c56e28a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ee4b907d7a5d7a53b4ff7727c371ff3d44ccbbb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PGFV-564H-29R2
Vulnerability from github – Published: 2022-05-14 03:25 – Updated: 2022-05-14 03:25In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9625, MDM9635M, MDM9640, MDM9645, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 615/16/SD 415, SD 800, SD 808, and SD 810, the device may crash while accessing an invalid pointer or expose otherwise inaccessible memory contents.
{
"affected": [],
"aliases": [
"CVE-2015-9124"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-18T14:29:00Z",
"severity": "CRITICAL"
},
"details": "In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9625, MDM9635M, MDM9640, MDM9645, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 615/16/SD 415, SD 800, SD 808, and SD 810, the device may crash while accessing an invalid pointer or expose otherwise inaccessible memory contents.",
"id": "GHSA-pgfv-564h-29r2",
"modified": "2022-05-14T03:25:09Z",
"published": "2022-05-14T03:25:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9124"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-04-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.