Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-PWX6-FVF4-6686

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-15 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix af_unix null-ptr-deref in proto update

unix_stream_connect() sets sk_state (WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)) before it assigns a peer (unix_peer(sk) = newsk). sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that socket is properly set up, which would include having a defined peer. IOW, there's a window when unix_stream_bpf_update_proto() can be called on socket which still has unix_peer(sk) == NULL.

     CPU0 bpf                            CPU1 connect
     --------                            ------------

                            WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)

sock_map_sk_state_allowed(sk) ... sk_pair = unix_peer(sk) sock_hold(sk_pair) sock_hold(newsk) smp_mb__after_atomic() unix_peer(sk) = newsk

BUG: kernel NULL pointer dereference, address: 0000000000000080 RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0 Call Trace: sock_map_link+0x564/0x8b0 sock_map_update_common+0x6e/0x340 sock_map_update_elem_sys+0x17d/0x240 __sys_bpf+0x26db/0x3250 __x64_sys_bpf+0x21/0x30 do_syscall_64+0x6b/0x3a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Initial idea was to move peer assignment before the sk_state update1, but that involved an additional memory barrier, and changing the hot path was rejected. Then a NULL check during proto update in unix_stream_bpf_update_proto() was considered2, but the follow-up discussion3 focused on the root cause, i.e. sockmap update taking a wrong lock. Or, more specifically, missing unix_state_lock()4. In the end it was concluded that teaching sockmap about the af_unix locking would be unnecessarily complex5. Complexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT are allowed to update sockmaps, sock_map_update_elem() taking the unix lock, as it is currently implemented in unix_state_lock(): spin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken in a process context, followed by a softirq-context TC BPF program attempting to take the same spinlock -- deadlock6. This way we circled back to the peer check idea2.

Summary of scenarios where af_unix/stream connect() may race a sockmap update:

  1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()

Implemented NULL check is sufficient. Once assigned, socket peer won't be released until socket fd is released. And that's not an issue because sock_map_update_elem_sys() bumps fd refcnf.

  1. connect() vs BPF program doing update

Update restricted per verifier.c:may_update_sockmap() to

  BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER
  BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)
  BPF_PROG_TYPE_SOCKET_FILTER
  BPF_PROG_TYPE_SCHED_CLS
  BPF_PROG_TYPE_SCHED_ACT
  BPF_PROG_TYPE_XDP
  BPF_PROG_TYPE_SK_REUSEPORT
  BPF_PROG_TYPE_FLOW_DISSECTOR
  BPF_PROG_TYPE_SK_LOOKUP

Plus one more race to consider:

        CPU0 bpf                            CPU1 connect
        --------                            ------------

                               WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)

sock_map_sk_state_allowed(sk) sock_hold(newsk) smp_mb__after_atomic()

---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53034"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix af_unix null-ptr-deref in proto update\n\nunix_stream_connect() sets sk_state (`WRITE_ONCE(sk-\u003esk_state,\nTCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).\nsk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that\nsocket is properly set up, which would include having a defined peer. IOW,\nthere\u0027s a window when unix_stream_bpf_update_proto() can be called on\nsocket which still has unix_peer(sk) == NULL.\n\n         CPU0 bpf                            CPU1 connect\n         --------                            ------------\n\n                                WRITE_ONCE(sk-\u003esk_state, TCP_ESTABLISHED)\nsock_map_sk_state_allowed(sk)\n...\nsk_pair = unix_peer(sk)\nsock_hold(sk_pair)\n                                sock_hold(newsk)\n                                smp_mb__after_atomic()\n                                unix_peer(sk) = newsk\n\nBUG: kernel NULL pointer dereference, address: 0000000000000080\nRIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0\nCall Trace:\n  sock_map_link+0x564/0x8b0\n  sock_map_update_common+0x6e/0x340\n  sock_map_update_elem_sys+0x17d/0x240\n  __sys_bpf+0x26db/0x3250\n  __x64_sys_bpf+0x21/0x30\n  do_syscall_64+0x6b/0x3a0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInitial idea was to move peer assignment _before_ the sk_state update[1],\nbut that involved an additional memory barrier, and changing the hot path\nwas rejected.\nThen a NULL check during proto update in unix_stream_bpf_update_proto() was\nconsidered[2], but the follow-up discussion[3] focused on the root cause,\ni.e. sockmap update taking a wrong lock. Or, more specifically, missing\nunix_state_lock()[4].\nIn the end it was concluded that teaching sockmap about the af_unix locking\nwould be unnecessarily complex[5].\nComplexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT\nare allowed to update sockmaps, sock_map_update_elem() taking the unix\nlock, as it is currently implemented in unix_state_lock():\nspin_lock(\u0026unix_sk(s)-\u003elock), would be problematic. unix_state_lock() taken\nin a process context, followed by a softirq-context TC BPF program\nattempting to take the same spinlock -- deadlock[6].\nThis way we circled back to the peer check idea[2].\n\n[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/\n[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/\n[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/\n[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/\n[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/\n[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/\n\nSummary of scenarios where af_unix/stream connect() may race a sockmap\nupdate:\n\n1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()\n\n   Implemented NULL check is sufficient. Once assigned, socket peer won\u0027t\n   be released until socket fd is released. And that\u0027s not an issue because\n   sock_map_update_elem_sys() bumps fd refcnf.\n\n2. connect() vs BPF program doing update\n\n   Update restricted per verifier.c:may_update_sockmap() to\n\n      BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER\n      BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)\n      BPF_PROG_TYPE_SOCKET_FILTER\n      BPF_PROG_TYPE_SCHED_CLS\n      BPF_PROG_TYPE_SCHED_ACT\n      BPF_PROG_TYPE_XDP\n      BPF_PROG_TYPE_SK_REUSEPORT\n      BPF_PROG_TYPE_FLOW_DISSECTOR\n      BPF_PROG_TYPE_SK_LOOKUP\n\n   Plus one more race to consider:\n\n            CPU0 bpf                            CPU1 connect\n            --------                            ------------\n\n                                   WRITE_ONCE(sk-\u003esk_state, TCP_ESTABLISHED)\n   sock_map_sk_state_allowed(sk)\n                                   sock_hold(newsk)\n                                   smp_mb__after_atomic()\n                \n---truncated---",
  "id": "GHSA-pwx6-fvf4-6686",
  "modified": "2026-07-15T15:32:45Z",
  "published": "2026-06-24T18:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53034"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/041eb6348d73ee5e15fc8161f1eac5a6e8289ca0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37bfcd164161b47d00b1c3bd20adc816a6977ce0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4913c94a3adcdbb64c552110c0c243cb1fdbb317"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a94d3dd78ee8b63e6b8ad629081c952c93ee5a10"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dca38b7734d2ea00af4818ff3ae836fab33d5d5a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWX9-2GVJ-242V

Vulnerability from github – Published: 2023-04-25 15:30 – Updated: 2024-02-04 09:30
VLAI
Details

x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-25T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control.",
  "id": "GHSA-pwx9-2gvj-242v",
  "modified": "2024-02-04T09:30:40Z",
  "published": "2023-04-25T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42335"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PSPFWSY6UOPGMADQGOGN2PAAS5LJRPTG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PSPFWSY6UOPGMADQGOGN2PAAS5LJRPTG"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202402-07"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-430.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/25/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-430.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWXX-FX4J-FFV3

Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-10-31 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix an NULL dereference bug

The issue here is when this is called from ntfs_load_attr_list(). The "size" comes from le32_to_cpu(attr->res.data_size) so it can't overflow on a 64bit systems but on 32bit systems the "+ 1023" can overflow and the result is zero. This means that the kmalloc will succeed by returning the ZERO_SIZE_PTR and then the memcpy() will crash with an Oops on the next line.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T07:15:40Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix an NULL dereference bug\n\nThe issue here is when this is called from ntfs_load_attr_list().  The\n\"size\" comes from le32_to_cpu(attr-\u003eres.data_size) so it can\u0027t overflow\non a 64bit systems but on 32bit systems the \"+ 1023\" can overflow and\nthe result is zero.  This means that the kmalloc will succeed by\nreturning the ZERO_SIZE_PTR and then the memcpy() will crash with an\nOops on the next line.",
  "id": "GHSA-pwxx-fx4j-ffv3",
  "modified": "2024-10-31T18:31:16Z",
  "published": "2024-04-02T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52631"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/686820fe141ea0220fc6fdfc7e5694f915cf64b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae4acad41b0f93f1c26cc0fc9135bb79d8282d0b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2dd7b953c25ffd5912dda17e980e7168bebcf6c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec1bedd797588fe38fc11cba26d77bb1d9b194c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb7bcd1722bc9bc55160378f5f99c01198fd14a7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX47-FMM9-RXW4

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-15 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()

In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device:

dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...); dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);

If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called:

if (errata.piix4.bmisx) dev_dbg(&dev->dev, ...);

To prevent this, use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.

[ rjw: Subject adjustment, added an empty code line ]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T14:16:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()\n\nIn acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE\ndevice and then reassigned an ISA device:\n\n  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...);\n  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);\n\nIf the first lookup succeeds but the second fails, dev becomes NULL. This\nleads to a potential null-pointer dereference when dev_dbg() is called:\n\n  if (errata.piix4.bmisx)\n    dev_dbg(\u0026dev-\u003edev, ...);\n\nTo prevent this, use two temporary pointers and retrieve each device\nindependently, avoiding overwriting dev with a possible NULL value.\n\n[ rjw: Subject adjustment, added an empty code line ]",
  "id": "GHSA-px47-fmm9-rxw4",
  "modified": "2026-05-15T18:30:30Z",
  "published": "2026-05-08T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43313"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01e8751b37a366b1ca561add0042f2ceb18c03bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0398b641be2b66c2fc7e0163c606ef19372e7ad5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06724a60cfa9767ea90b0f5d3dfb5cdd251b64f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29f60d3d06818d40118a30d663231f027ae87a05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b803811485ac0b2f774b6bf3abc8b999ba3b7033"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f132e089fe89cadc2098991f0a3cb05c3f824ac6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX4C-XGQG-MG27

Vulnerability from github – Published: 2022-05-14 03:33 – Updated: 2025-04-20 03:48
VLAI
Details

drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-07T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.",
  "id": "GHSA-px4c-xgqg-mg27",
  "modified": "2025-04-20T03:48:09Z",
  "published": "2022-05-14T03:33:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16647"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/syzkaller/_9a6pd-p_0E/OnmnplQuAgAJ"
    },
    {
      "type": "WEB",
      "url": "https://patchwork.ozlabs.org/patch/834686"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3617-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3617-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3617-3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101767"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX5W-PF7Q-23JQ

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-04 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pmbus_core) Fix NULL pointer dereference

Pass i2c_client to _pmbus_is_enabled to drop the assumption that a regulator device is passed in.

This will fix the issue of a NULL pointer dereference when called from _pmbus_get_flags.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus_core) Fix NULL pointer dereference\n\nPass i2c_client to _pmbus_is_enabled to drop the assumption\nthat a regulator device is passed in.\n\nThis will fix the issue of a NULL pointer dereference when called from\n_pmbus_get_flags.",
  "id": "GHSA-px5w-pf7q-23jq",
  "modified": "2025-12-04T15:30:31Z",
  "published": "2025-09-15T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53206"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0bd66784274a287beada2933c2c0fa3a0ddae0d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7444253cacd92412bc8d33d1c9b5401f52cdf0e2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX6R-PJWR-J383

Vulnerability from github – Published: 2022-05-14 01:15 – Updated: 2022-05-14 01:15
VLAI
Details

An issue was discovered in Xpdf 4.01.01. There is a NULL pointer dereference in the function Gfx::opSetExtGState in Gfx.cc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-25T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Xpdf 4.01.01. There is a NULL pointer dereference in the function Gfx::opSetExtGState in Gfx.cc.",
  "id": "GHSA-px6r-pjwr-j383",
  "modified": "2022-05-14T01:15:48Z",
  "published": "2022-05-14T01:15:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10022"
    },
    {
      "type": "WEB",
      "url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=41273"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXR2-XWWM-F7F3

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI
Details

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other "Vulnerability Type 2" CVEs listed in MS11-034, aka "Win32k Null Pointer De-reference Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-04-13T20:26:00Z",
    "severity": "HIGH"
  },
  "details": "win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other \"Vulnerability Type 2\" CVEs listed in MS11-034, aka \"Win32k Null Pointer De-reference Vulnerability.\"",
  "id": "GHSA-pxr2-xwwm-f7f3",
  "modified": "2022-05-13T01:11:20Z",
  "published": "2022-05-13T01:11:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1229"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-034"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66411"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12503"
    },
    {
      "type": "WEB",
      "url": "http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/71735"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/44156"
    },
    {
      "type": "WEB",
      "url": "http://support.avaya.com/css/P8/documents/100133352"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/47229"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1025345"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA11-102A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0952"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PXR7-H23V-3WV6

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

After Effects versions 25.1, 24.6.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T18:15:54Z",
    "severity": "MODERATE"
  },
  "details": "After Effects versions 25.1, 24.6.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-pxr7-h23v-3wv6",
  "modified": "2025-04-08T18:34:49Z",
  "published": "2025-04-08T18:34:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27185"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/after_effects/apsb25-23.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXRJ-JCHH-722X

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-13 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix missing i_op in ntfs_read_mft

There is null pointer dereference because i_op == NULL. The bug happens because we don't initialize i_op for records in $Extend.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:34Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix missing i_op in ntfs_read_mft\n\nThere is null pointer dereference because i_op == NULL.\nThe bug happens because we don\u0027t initialize i_op for records in $Extend.",
  "id": "GHSA-pxrj-jchh-722x",
  "modified": "2025-11-13T18:31:00Z",
  "published": "2025-06-18T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50056"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37a530bfe56ca9a0d3129598803f2794c7428aae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8089a1bc27b41e6800590a92d17c119e9aa8ff53"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c293e8abc09e6e1faa50d967bd8862b1cbd575e5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.