CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-PRGG-RGFW-VR94
Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
ipv6: add NULL checks for idev in SRv6 paths
__in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).
Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences.
{
"affected": [],
"aliases": [
"CVE-2026-23442"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T16:16:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: add NULL checks for idev in SRv6 paths\n\n__in6_dev_get() can return NULL when the device has no IPv6 configuration\n(e.g. MTU \u003c IPV6_MIN_MTU or after NETDEV_UNREGISTER).\n\nAdd NULL checks for idev returned by __in6_dev_get() in both\nseg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL\npointer dereferences.",
"id": "GHSA-prgg-rgfw-vr94",
"modified": "2026-06-01T18:31:23Z",
"published": "2026-04-03T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23442"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0348fa0ada37cef7c6b5ab2a428bb2c6aee784e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06413793526251870e20402c39930804f14d59c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50352fc103928e10e8729abc79a0d05abef26c4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/83d705d35e583cb1b1eacf196dfe7b77d442018e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a25853c9feea7bbf31d157ff6e004d2d3b4f7f13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bc9843c39f9932a8b36efd1d362ea00bb88e4e78"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5cedee5d97382176573bbe21e1724e737a5eb64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d1bd8b9edc6752d10f84d28ff64f842401ce336d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PRGW-72F3-X883
Vulnerability from github – Published: 2024-09-13 09:30 – Updated: 2024-09-13 09:30Illustrator versions 28.6, 27.9.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a DoS condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-43759"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T09:15:12Z",
"severity": "MODERATE"
},
"details": "Illustrator versions 28.6, 27.9.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a DoS condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-prgw-72f3-x883",
"modified": "2024-09-13T09:30:33Z",
"published": "2024-09-13T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43759"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/illustrator/apsb24-66.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PRHC-6F6Q-3VRJ
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed.
On ADSP stop, the q6apm-audio .remove callback unloads topology and removes PCM runtimes during ASoC teardown. This deletes the RTDs that contain the q6apm DAI components before their removal pass runs, leaving those components still linked to the card and causing crashes on the next rebind.
Fix this by ensuring that all dependent (child) components are removed first, and the q6apm component is removed last.
[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 [ 48.114763] Mem abort info: [ 48.117650] ESR = 0x0000000096000004 [ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits [ 48.127010] SET = 0, FnV = 0 [ 48.130172] EA = 0, S1PTW = 0 [ 48.133415] FSC = 0x04: level 0 translation fault [ 48.138446] Data abort info: [ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000 [ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000 [ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP [ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core [ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6 [ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT [ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT) [ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface] [ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 48.330825] pc : mutex_lock+0xc/0x54 [ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core] [ 48.340794] sp : ffff800084ddb7b0 [ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00 [ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098 [ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0 [ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff [ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f [ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673 [ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001 [ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000 [ 48.402854] x5 : 0000000000000 ---truncated---
{
"affected": [],
"aliases": [
"CVE-2026-43412"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start\n\nDuring ADSP stop and start, the kernel crashes due to the order in which\nASoC components are removed.\n\nOn ADSP stop, the q6apm-audio .remove callback unloads topology and removes\nPCM runtimes during ASoC teardown. This deletes the RTDs that contain the\nq6apm DAI components before their removal pass runs, leaving those\ncomponents still linked to the card and causing crashes on the next rebind.\n\nFix this by ensuring that all dependent (child) components are removed\nfirst, and the q6apm component is removed last.\n\n[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0\n[ 48.114763] Mem abort info:\n[ 48.117650] ESR = 0x0000000096000004\n[ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 48.127010] SET = 0, FnV = 0\n[ 48.130172] EA = 0, S1PTW = 0\n[ 48.133415] FSC = 0x04: level 0 translation fault\n[ 48.138446] Data abort info:\n[ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000\n[ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000\n[ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core\n[ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6\n[ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT\n[ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)\n[ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]\n[ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 48.330825] pc : mutex_lock+0xc/0x54\n[ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]\n[ 48.340794] sp : ffff800084ddb7b0\n[ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00\n[ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098\n[ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0\n[ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff\n[ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f\n[ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673\n[ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001\n[ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000\n[ 48.402854] x5 : 0000000000000\n---truncated---",
"id": "GHSA-prhc-6f6q-3vrj",
"modified": "2026-05-21T18:33:06Z",
"published": "2026-05-08T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43412"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0da170b9e600da6930cfb8352e4cc036db3b6159"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22b05abb17e3c6ef45035141fe3d26f815ff9d30"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/897f32cab7945f4662a50b3841ba31c6c3204876"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94bda21adb2a51f69366b847b4d80dfe50bd9fb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a8e9cab16771b15160465783507496dc83742d8e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6db827b430bdcca3976cebca7bd69cca03cde2c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PRJQ-F4Q3-FVFR
Vulnerability from github – Published: 2022-11-15 19:05 – Updated: 2024-05-20 19:38Impact
In versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion which would trigger a panic due to a nil-pointer dereference.
Patches
The issue was patched in v0.7.0, released on March 2, 2022.
Workarounds
Callers to gosaml2 can use recover() to handle panics to mitigate a potential DoS.
References
See issue #59 for details.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/russellhaering/gosaml2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/russellhaering/goxmldsig"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7731"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-15T19:05:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nIn versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion which would trigger a panic due to a nil-pointer dereference.\n\n### Patches\nThe issue was patched in v0.7.0, released on March 2, 2022.\n\n### Workarounds\nCallers to `gosaml2` can use `recover()` to handle panics to mitigate a potential DoS.\n\n### References\nSee issue [#59](https://github.com/russellhaering/gosaml2/issues/59) for details.",
"id": "GHSA-prjq-f4q3-fvfr",
"modified": "2024-05-20T19:38:33Z",
"published": "2022-11-15T19:05:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/security/advisories/GHSA-prjq-f4q3-fvfr"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/issues/59"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/goxmldsig/issues/48"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/pull/90"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/commit/66e3b7affd622b8b24ea1e18845f045e46b23424"
},
{
"type": "PACKAGE",
"url": "https://github.com/russellhaering/gosaml2"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/releases/tag/v0.7.0"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "github.com/russellhaering/gosaml2 is vulnerable to NULL Pointer Dereference"
}
GHSA-PRWP-XRV5-5JV3
Vulnerability from github – Published: 2023-08-25 21:30 – Updated: 2023-12-12 15:30An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6.
{
"affected": [],
"aliases": [
"CVE-2023-38711"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-25T21:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6.",
"id": "GHSA-prwp-xrv5-5jv3",
"modified": "2023-12-12T15:30:58Z",
"published": "2023-08-25T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38711"
},
{
"type": "WEB",
"url": "https://github.com/libreswan/libreswan/tags"
},
{
"type": "WEB",
"url": "https://libreswan.org/security/CVE-2023-38711"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PV35-9GQP-7Q2C
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-30 12:30In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):
value = *(u64 *)payload_addr(pkt);
check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).
IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.
Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero.
{
"affected": [],
"aliases": [
"CVE-2026-46114"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:26Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads\n\natomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c\nunconditionally dereferences 8 bytes at payload_addr(pkt):\n\n value = *(u64 *)payload_addr(pkt);\n\ncheck_rkey() previously accepted an ATOMIC_WRITE request with pktlen ==\nresid == 0 because the length validation only compared pktlen against\nresid. A remote initiator that sets the RETH length to 0 therefore reaches\natomic_write_reply() with a zero-byte logical payload, and the responder\nreads sizeof(u64) bytes from past the logical end of the packet into\nskb-\u003ehead tailroom, then writes those 8 bytes into the attacker\u0027s MR via\nrxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel\ntailroom per probe (the other 4 bytes are the packet\u0027s own trailing ICRC).\n\nIBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is\nprotocol-invalid. Hoist a strict length check into check_rkey() so the\nresponder never reaches the unchecked dereference, and keep the existing\nWRITE-family length logic for the normal RDMA WRITE path.\n\nReproduced on mainline with an unmodified rxe driver: a sustained\nzero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer\nbytes into the attacker\u0027s MR, including recognisable kernel strings and\npartial kernel-direct-map pointer words. With this patch applied the\nresponder rejects the PDU and the MR stays all-zero.",
"id": "GHSA-pv35-9gqp-7q2c",
"modified": "2026-05-30T12:30:25Z",
"published": "2026-05-28T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46114"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/105bf79a23b85cf3a761d18a4f3e10ce88526bc1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1114c87aa6f195cf07da55a27b2122ae26557b26"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/539cabb7b2d8ba70f55bba91db55faef11c2a6d7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7ec1ed4747f5f99f8b797bb438c5efd36079fad5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d415fce3fcde6d7aeea6c25362a395b905811452"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PV82-VF69-RQQM
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2024-12-13 15:30systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.
{
"affected": [],
"aliases": [
"CVE-2017-9217"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-24T05:29:00Z",
"severity": "HIGH"
},
"details": "systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section.",
"id": "GHSA-pv82-vf69-rqqm",
"modified": "2024-12-13T15:30:38Z",
"published": "2022-05-13T01:04:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9217"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/pull/5998"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/commit/a924f43f30f9c4acaf70618dd2a055f8b0f166be"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1621396"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241213-0003"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PVCC-25WC-FRXR
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2025-04-20 03:31The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2016-9813"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-13T16:59:00Z",
"severity": "MODERATE"
},
"details": "The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.",
"id": "GHSA-pvcc-25wc-frxr",
"modified": "2025-04-20T03:31:12Z",
"published": "2022-05-14T03:54:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9813"
},
{
"type": "WEB",
"url": "https://bugzilla.gnome.org/show_bug.cgi?id=775120"
},
{
"type": "WEB",
"url": "https://gstreamer.freedesktop.org/releases/1.10/#1.10.2"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201705-10"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42162"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0021.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3818"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/01/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/05/8"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PVCM-VR92-9WX7
Vulnerability from github – Published: 2024-02-27 21:31 – Updated: 2025-01-08 18:30In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Reserve extra IRQ vectors
Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.
That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions computes maximum number of qpairs as:
ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default response queue) - 1 (ATIO, in dual or pure target mode)
max_qpairs is set to zero in case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL but the driver thinks there are queue pairs available.
qla2xxx_queuecommand() tries to find a qpair in the map and crashes:
if (ha->mqenable) { uint32_t tag; uint16_t hwq; struct qla_qpair *qpair = NULL;
tag = blk_mq_unique_tag(cmd->request);
hwq = blk_mq_unique_tag_to_hwq(tag);
qpair = ha->queue_pair_map[hwq]; # <- HERE
if (qpair)
return qla2xxx_mqueuecommand(host, cmd, qpair);
}
BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc] RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx] Call Trace: scsi_queue_rq+0x58c/0xa60 blk_mq_dispatch_rq_list+0x2b7/0x6f0 ? __sbitmap_get_word+0x2a/0x80 __blk_mq_sched_dispatch_requests+0xb8/0x170 blk_mq_sched_dispatch_requests+0x2b/0x50 __blk_mq_run_hw_queue+0x49/0xb0 __blk_mq_delay_run_hw_queue+0xfb/0x150 blk_mq_sched_insert_request+0xbe/0x110 blk_execute_rq+0x45/0x70 __scsi_execute+0x10e/0x250 scsi_probe_and_add_lun+0x228/0xda0 __scsi_scan_target+0xf4/0x620 ? __pm_runtime_resume+0x4f/0x70 scsi_scan_target+0x100/0x110 fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc] process_one_work+0x1ea/0x3b0 worker_thread+0x28/0x3b0 ? process_one_work+0x3b0/0x3b0 kthread+0x112/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x22/0x30
The driver should allocate enough vectors to provide every CPU it's own HW queue and still handle reserved (MB, RSP, ATIO) interrupts.
The change fixes the crash on dual core VM and prevents unbalanced QP allocation where nr_hw_queues is two less than the number of CPUs.
{
"affected": [],
"aliases": [
"CVE-2021-46964"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-27T19:04:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Reserve extra IRQ vectors\n\nCommit a6dcfe08487e (\"scsi: qla2xxx: Limit interrupt vectors to number of\nCPUs\") lowers the number of allocated MSI-X vectors to the number of CPUs.\n\nThat breaks vector allocation assumptions in qla83xx_iospace_config(),\nqla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions\ncomputes maximum number of qpairs as:\n\n ha-\u003emax_qpairs = ha-\u003emsix_count - 1 (MB interrupt) - 1 (default\n response queue) - 1 (ATIO, in dual or pure target mode)\n\nmax_qpairs is set to zero in case of two CPUs and initiator mode. The\nnumber is then used to allocate ha-\u003equeue_pair_map inside\nqla2x00_alloc_queues(). No allocation happens and ha-\u003equeue_pair_map is\nleft NULL but the driver thinks there are queue pairs available.\n\nqla2xxx_queuecommand() tries to find a qpair in the map and crashes:\n\n if (ha-\u003emqenable) {\n uint32_t tag;\n uint16_t hwq;\n struct qla_qpair *qpair = NULL;\n\n tag = blk_mq_unique_tag(cmd-\u003erequest);\n hwq = blk_mq_unique_tag_to_hwq(tag);\n qpair = ha-\u003equeue_pair_map[hwq]; # \u003c- HERE\n\n if (qpair)\n return qla2xxx_mqueuecommand(host, cmd, qpair);\n }\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP PTI\n CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014\n Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]\n RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]\n Call Trace:\n scsi_queue_rq+0x58c/0xa60\n blk_mq_dispatch_rq_list+0x2b7/0x6f0\n ? __sbitmap_get_word+0x2a/0x80\n __blk_mq_sched_dispatch_requests+0xb8/0x170\n blk_mq_sched_dispatch_requests+0x2b/0x50\n __blk_mq_run_hw_queue+0x49/0xb0\n __blk_mq_delay_run_hw_queue+0xfb/0x150\n blk_mq_sched_insert_request+0xbe/0x110\n blk_execute_rq+0x45/0x70\n __scsi_execute+0x10e/0x250\n scsi_probe_and_add_lun+0x228/0xda0\n __scsi_scan_target+0xf4/0x620\n ? __pm_runtime_resume+0x4f/0x70\n scsi_scan_target+0x100/0x110\n fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]\n process_one_work+0x1ea/0x3b0\n worker_thread+0x28/0x3b0\n ? process_one_work+0x3b0/0x3b0\n kthread+0x112/0x130\n ? kthread_park+0x80/0x80\n ret_from_fork+0x22/0x30\n\nThe driver should allocate enough vectors to provide every CPU it\u0027s own HW\nqueue and still handle reserved (MB, RSP, ATIO) interrupts.\n\nThe change fixes the crash on dual core VM and prevents unbalanced QP\nallocation where nr_hw_queues is two less than the number of CPUs.",
"id": "GHSA-pvcm-vr92-9wx7",
"modified": "2025-01-08T18:30:40Z",
"published": "2024-02-27T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46964"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PVCR-V8J8-J5Q3
Vulnerability from github – Published: 2024-01-09 16:18 – Updated: 2024-01-09 21:52Summary
Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference.
Details
This seems to also affect other functions that calls Parse internally, like jws.Verify.
My understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don't require any prior validation.
Based on the stack trace in the PoC, the issue seems to be that the processing done in jws/message.go:UnmarshalJSON() assumes that if a signature field is present, then a protected field is also present. If this is not the case, then the subsequent call to getB64Value(sig.protected) will dereference sig.protected, which is nil.
PoC
Reproducer:
package poc
import (
"testing"
"github.com/lestrrat-go/jwx/v2/jws"
)
func TestPOC(t *testing.T) {
_, _ = jws.Parse([]byte(`{"signature": ""}`))
}
Result:
$ go test
--- FAIL: TestPOC (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618]
goroutine 6 [running]:
testing.tRunner.func1.2({0x628800, 0x831030})
/usr/local/go/src/testing/testing.go:1545 +0x238
testing.tRunner.func1()
/usr/local/go/src/testing/testing.go:1548 +0x397
panic({0x628800?, 0x831030?})
/usr/local/go/src/runtime/panic.go:914 +0x21f
github.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:484 +0x18
github.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/message.go:323 +0x4ad
encoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?})
/usr/local/go/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?})
/usr/local/go/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?})
/usr/local/go/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140})
/usr/local/go/src/encoding/json/stream.go:73 +0x179
github.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/internal/json/json.go:26 +0x97
github.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:588 +0x50
github.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?})
/home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:525 +0x89
poc.TestPOC(0x0?)
/home/fredrik/src/jwx_poc/poc_test.go:10 +0x57
testing.tRunner(0xc0000e4340, 0x68ef30)
/usr/local/go/src/testing/testing.go:1595 +0xff
created by testing.(*T).Run in goroutine 1
/usr/local/go/src/testing/testing.go:1648 +0x3ad
exit status 2
FAIL poc 0.005s
Impact
The vulnerability can be used to crash / DOS a system doing JWS verification.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lestrrat-go/jwx"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.8"
},
{
"fixed": "1.2.28"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/lestrrat-go/jwx/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21664"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-09T16:18:48Z",
"nvd_published_at": "2024-01-09T20:15:43Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nCalling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference.\n\n### Details\n\nThis seems to also affect other functions that calls `Parse` internally, like `jws.Verify`.\n\nMy understanding of these functions from the docs is that they are supposed to fail gracefully on invalid input and don\u0027t require any prior validation.\n\nBased on the stack trace in the PoC, the issue seems to be that the processing done in `jws/message.go:UnmarshalJSON()` assumes that if a `signature` field is present, then a `protected` field is also present. If this is not the case, then the subsequent call to `getB64Value(sig.protected)` will dereference `sig.protected`, which is `nil`.\n\n### PoC\n\nReproducer:\n\n```go\npackage poc\n\nimport (\n \"testing\"\n\n \"github.com/lestrrat-go/jwx/v2/jws\"\n)\n\nfunc TestPOC(t *testing.T) {\n _, _ = jws.Parse([]byte(`{\"signature\": \"\"}`))\n}\n```\n\nResult:\n\n```\n$ go test \n--- FAIL: TestPOC (0.00s)\npanic: runtime error: invalid memory address or nil pointer dereference [recovered]\n panic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x5fd618]\n\ngoroutine 6 [running]:\ntesting.tRunner.func1.2({0x628800, 0x831030})\n /usr/local/go/src/testing/testing.go:1545 +0x238\ntesting.tRunner.func1()\n /usr/local/go/src/testing/testing.go:1548 +0x397\npanic({0x628800?, 0x831030?})\n /usr/local/go/src/runtime/panic.go:914 +0x21f\ngithub.com/lestrrat-go/jwx/v2/jws.getB64Value({0x0?, 0x0?})\n /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:484 +0x18\ngithub.com/lestrrat-go/jwx/v2/jws.(*Message).UnmarshalJSON(0xc0000a2140, {0xc0000ec000, 0x11, 0x200})\n /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/message.go:323 +0x4ad\nencoding/json.(*decodeState).object(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0x16?})\n /usr/local/go/src/encoding/json/decode.go:604 +0x6cc\nencoding/json.(*decodeState).value(0xc0000ea028, {0x64fa60?, 0xc0000a2140?, 0xc00006e630?})\n /usr/local/go/src/encoding/json/decode.go:374 +0x3e\nencoding/json.(*decodeState).unmarshal(0xc0000ea028, {0x64fa60?, 0xc0000a2140?})\n /usr/local/go/src/encoding/json/decode.go:181 +0x133\nencoding/json.(*Decoder).Decode(0xc0000ea000, {0x64fa60, 0xc0000a2140})\n /usr/local/go/src/encoding/json/stream.go:73 +0x179\ngithub.com/lestrrat-go/jwx/v2/internal/json.Unmarshal({0xc00001a288, 0x11, 0x11}, {0x64fa60, 0xc0000a2140})\n /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/internal/json/json.go:26 +0x97\ngithub.com/lestrrat-go/jwx/v2/jws.parseJSON({0xc00001a288, 0x11, 0x11})\n /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:588 +0x50\ngithub.com/lestrrat-go/jwx/v2/jws.Parse({0xc00001a288, 0x11, 0x11}, {0x0?, 0xc00006e760?, 0x48450f?})\n /home/fredrik/go/pkg/mod/github.com/lestrrat-go/jwx/v2@v2.0.18/jws/jws.go:525 +0x89\npoc.TestPOC(0x0?)\n /home/fredrik/src/jwx_poc/poc_test.go:10 +0x57\ntesting.tRunner(0xc0000e4340, 0x68ef30)\n /usr/local/go/src/testing/testing.go:1595 +0xff\ncreated by testing.(*T).Run in goroutine 1\n /usr/local/go/src/testing/testing.go:1648 +0x3ad\nexit status 2\nFAIL poc 0.005s\n```\n\n### Impact\n\nThe vulnerability can be used to crash / DOS a system doing JWS verification.\n",
"id": "GHSA-pvcr-v8j8-j5q3",
"modified": "2024-01-09T21:52:54Z",
"published": "2024-01-09T16:18:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21664"
},
{
"type": "WEB",
"url": "https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f"
},
{
"type": "WEB",
"url": "https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65"
},
{
"type": "WEB",
"url": "https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"
},
{
"type": "PACKAGE",
"url": "https://github.com/lestrrat-go/jwx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Parsing JSON serialized payload without protected field can lead to segfault"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.