CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-Q96P-Q693-5MH2
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Windows Kernel Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43520"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:15Z",
"severity": "MODERATE"
},
"details": "Windows Kernel Denial of Service Vulnerability",
"id": "GHSA-q96p-q693-5mh2",
"modified": "2024-10-08T18:33:15Z",
"published": "2024-10-08T18:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43520"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43520"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q992-G8CH-J442
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.
{
"affected": [],
"aliases": [
"CVE-2022-36622"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "HIGH"
},
"details": "Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.",
"id": "GHSA-q992-g8ch-j442",
"modified": "2022-09-08T00:00:33Z",
"published": "2022-09-02T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36622"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/mTower"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/mTower/blob/18f4b592a8a973ce5972f4e2658ea0f6e3686284/tee/lib/libutee/tee_api_objects.c#L84"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/mTower/blob/18f4b592a8a973ce5972f4e2658ea0f6e3686284/tee/tee/tee_svc.c#L965"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9JV-J4WG-CW5R
Vulnerability from github – Published: 2022-05-14 04:04 – Updated: 2022-05-14 04:04GNU Libextractor 1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted GIF, IT (Impulse Tracker), NSFE, S3M (Scream Tracker 3), SID, or XM (eXtended Module) file, as demonstrated by the EXTRACTOR_xm_extract_method function in plugins/xm_extractor.c.
{
"affected": [],
"aliases": [
"CVE-2017-17440"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-06T17:29:00Z",
"severity": "MODERATE"
},
"details": "GNU Libextractor 1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted GIF, IT (Impulse Tracker), NSFE, S3M (Scream Tracker 3), SID, or XM (eXtended Module) file, as demonstrated by the EXTRACTOR_xm_extract_method function in plugins/xm_extractor.c.",
"id": "GHSA-q9jv-j4wg-cw5r",
"modified": "2022-05-14T04:04:14Z",
"published": "2022-05-14T04:04:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17440"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/883528#35"
},
{
"type": "WEB",
"url": "https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00004.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00005.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102116"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9P8-C796-R5Q2
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03libdwarf 20151114 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a debug_abbrev section marked NOBITS in an ELF file.
{
"affected": [],
"aliases": [
"CVE-2015-8750"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T18:59:00Z",
"severity": "MODERATE"
},
"details": "libdwarf 20151114 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a debug_abbrev section marked NOBITS in an ELF file.",
"id": "GHSA-q9p8-c796-r5q2",
"modified": "2022-05-13T01:03:25Z",
"published": "2022-05-13T01:03:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8750"
},
{
"type": "WEB",
"url": "https://github.com/tomhughes/libdwarf/commit/11750a2838e52953013e3114ef27b3c7b1780697"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1294264"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/01/07/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9V3-53XG-6F9P
Vulnerability from github – Published: 2023-09-09 15:30 – Updated: 2024-04-04 07:34Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
{
"affected": [],
"aliases": [
"CVE-2023-4874"
],
"database_specific": {
"cwe_ids": [
"CWE-475",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-09T15:15:34Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference when viewing a specially crafted email in Mutt \u003e1.5.2 \u003c2.2.12",
"id": "GHSA-q9v3-53xg-6f9p",
"modified": "2024-04-04T07:34:33Z",
"published": "2023-09-09T15:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4874"
},
{
"type": "WEB",
"url": "https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch"
},
{
"type": "WEB",
"url": "https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0.patch"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00021.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5494"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/26/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q9X4-RF37-MQH3
Vulnerability from github – Published: 2022-05-17 03:01 – Updated: 2025-04-20 03:32The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted BMP image, a different vulnerability than CVE-2016-8694 and CVE-2016-8695.
{
"affected": [],
"aliases": [
"CVE-2016-8696"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-31T22:59:00Z",
"severity": "MODERATE"
},
"details": "The bm_readbody_bmp function in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted BMP image, a different vulnerability than CVE-2016-8694 and CVE-2016-8695.",
"id": "GHSA-q9x4-rf37-mqh3",
"modified": "2025-04-20T03:32:04Z",
"published": "2022-05-17T03:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8696"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c"
},
{
"type": "WEB",
"url": "http://potrace.sourceforge.net/ChangeLog"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/08/18/11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/10/16/12"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93778"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9X5-5X5X-RGJ4
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-12-17 18:31In the Linux kernel, the following vulnerability has been resolved:
btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().
Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.
To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable
Perform some writeback operations.
Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130 Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88 RSP: 0018:ffffce44820077a0 EFLAGS: 00010286 RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010 R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000 R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540 FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: prelim_ref_insert+0x1c1/0x270 find_parent_nodes+0x12a6/0x1ee0 ? __entry_text_end+0x101f06/0x101f09 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 btrfs_is_data_extent_shared+0x167/0x640 ? fiemap_process_hole+0xd0/0x2c0 extent_fiemap+0xa5c/0xbc0 ? __entry_text_end+0x101f05/0x101f09 btrfs_fiemap+0x7e/0xd0 do_vfs_ioctl+0x425/0x9d0 __x64_sys_ioctl+0x75/0xc0
{
"affected": [],
"aliases": [
"CVE-2025-38034"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T10:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref\n\nbtrfs_prelim_ref() calls the old and new reference variables in the\nincorrect order. This causes a NULL pointer dereference because oldref\nis passed as NULL to trace_btrfs_prelim_ref_insert().\n\nNote, trace_btrfs_prelim_ref_insert() is being called with newref as\noldref (and oldref as NULL) on purpose in order to print out\nthe values of newref.\n\nTo reproduce:\necho 1 \u003e /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable\n\nPerform some writeback operations.\n\nBacktrace:\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130\n Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 \u003c49\u003e 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88\n RSP: 0018:ffffce44820077a0 EFLAGS: 00010286\n RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b\n RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010\n RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010\n R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000\n R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540\n FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n prelim_ref_insert+0x1c1/0x270\n find_parent_nodes+0x12a6/0x1ee0\n ? __entry_text_end+0x101f06/0x101f09\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? srso_alias_return_thunk+0x5/0xfbef5\n btrfs_is_data_extent_shared+0x167/0x640\n ? fiemap_process_hole+0xd0/0x2c0\n extent_fiemap+0xa5c/0xbc0\n ? __entry_text_end+0x101f05/0x101f09\n btrfs_fiemap+0x7e/0xd0\n do_vfs_ioctl+0x425/0x9d0\n __x64_sys_ioctl+0x75/0xc0",
"id": "GHSA-q9x5-5x5x-rgj4",
"modified": "2025-12-17T18:31:31Z",
"published": "2025-06-18T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38034"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0528bba48dce7820d2da72e1a114e1c4552367eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/137bfa08c6441f324d00692d1e9d22cfd773329b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a97f961a568a8f72472dc804af02a0f73152c5f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f7c8c03feba5f2454792fab3bb8bd45bd6883f9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a641154cedf9d69730f8af5d0a901fe86e6486bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a876703894a6dd6e8c04b0635d86e9f7a7c81b79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC2G-M5W4-FFMQ
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2022-08-31 00:00res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk.
{
"affected": [],
"aliases": [
"CVE-2019-15297"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk.",
"id": "GHSA-qc2g-m5w4-ffmq",
"modified": "2022-08-31T00:00:25Z",
"published": "2022-05-24T16:55:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15297"
},
{
"type": "WEB",
"url": "http://downloads.asterisk.org/pub/security/AST-2019-004.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154371/Asterisk-Project-Security-Advisory-AST-2019-004.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/161671/Asterisk-Project-Security-Advisory-AST-2021-006.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Mar/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC3R-F2R4-QCC5
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). A lack of NULL checks in calls to ious_open in sr_unix/ious_open.c allows attackers to crash the application by dereferencing a NULL pointer.
{
"affected": [],
"aliases": [
"CVE-2021-44508"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). A lack of NULL checks in calls to ious_open in sr_unix/ious_open.c allows attackers to crash the application by dereferencing a NULL pointer.",
"id": "GHSA-qc3r-f2r4-qcc5",
"modified": "2022-04-23T00:03:13Z",
"published": "2022-04-16T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44508"
},
{
"type": "WEB",
"url": "https://gitlab.com/YottaDB/DB/YDB/-/issues/828"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/fis-gtm/files"
},
{
"type": "WEB",
"url": "http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC6X-3767-556F
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-10-31 18:31In the Linux kernel, the following vulnerability has been resolved:
net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device
ethnl_req_get_phydev() is used to lookup a phy_device, in the case an ethtool netlink command targets a specific phydev within a netdev's topology.
It takes as a parameter a const struct nlattr *header that's used for error handling :
if (!phydev) {
NL_SET_ERR_MSG_ATTR(extack, header,
"no phy matching phyindex");
return ERR_PTR(-ENODEV);
}
In the notify path after a ->set operation however, there's no request attributes available.
The typical callsite for the above function looks like:
phydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],
info->extack);
So, when tb is NULL (such as in the ethnl notify path), we have a nice crash.
It turns out that there's only the PLCA command that is in that case, as the other phydev-specific commands don't have a notification.
This commit fixes the crash by passing the cmd index and the nlattr array separately, allowing NULL-checking it directly inside the helper.
{
"affected": [],
"aliases": [
"CVE-2025-21921"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T16:15:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethtool: netlink: Allow NULL nlattrs when getting a phy_device\n\nethnl_req_get_phydev() is used to lookup a phy_device, in the case an\nethtool netlink command targets a specific phydev within a netdev\u0027s\ntopology.\n\nIt takes as a parameter a const struct nlattr *header that\u0027s used for\nerror handling :\n\n if (!phydev) {\n NL_SET_ERR_MSG_ATTR(extack, header,\n \"no phy matching phyindex\");\n return ERR_PTR(-ENODEV);\n }\n\nIn the notify path after a -\u003eset operation however, there\u0027s no request\nattributes available.\n\nThe typical callsite for the above function looks like:\n\n\tphydev = ethnl_req_get_phydev(req_base, tb[ETHTOOL_A_XXX_HEADER],\n\t\t\t\t info-\u003eextack);\n\nSo, when tb is NULL (such as in the ethnl notify path), we have a nice\ncrash.\n\nIt turns out that there\u0027s only the PLCA command that is in that case, as\nthe other phydev-specific commands don\u0027t have a notification.\n\nThis commit fixes the crash by passing the cmd index and the nlattr\narray separately, allowing NULL-checking it directly inside the helper.",
"id": "GHSA-qc6x-3767-556f",
"modified": "2025-10-31T18:31:11Z",
"published": "2025-04-01T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21921"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f458fa42c29144cef280e05bc49fc21b873d897"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/637399bf7e77797811adf340090b561a8f9d1213"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/639c70352958735addbba5ae7dd65985da96e061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.