Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-QJ8Q-W772-32V5

Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix NULL access in assign channel context handler

Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn).

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix NULL access in assign channel context handler\n\nCurrently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle\n(ar) gets accessed from the link VIF handle (arvif) for debug logging, This\nis incorrect. In the fail scenario, radio handle is NULL. Fix the NULL\naccess, avoid radio handle access by moving to the hardware debug logging\nhelper function (ath12k_hw_warn).\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3",
  "id": "GHSA-qj8q-w772-32v5",
  "modified": "2025-11-19T21:31:15Z",
  "published": "2025-07-10T09:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38294"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f919f76893069ec3c7475acaeb611eb31fca22d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea24531d00f782f4e659e8c74578b7ac144720ca"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ9W-7HH5-MF2Q

Vulnerability from github – Published: 2023-07-01 00:30 – Updated: 2024-04-04 05:19
VLAI
Details

A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.",
  "id": "GHSA-qj9w-7hh5-mf2q",
  "modified": "2024-04-04T05:19:18Z",
  "published": "2023-07-01T00:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3338"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-3338"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218618"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/oss-sec/2023/q2/276"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230824-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5480"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJGQ-4G88-9X8V

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2024-08-20 06:31
VLAI
Details

LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-21T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.",
  "id": "GHSA-qjgq-4g88-9x8v",
  "modified": "2024-08-20T06:31:36Z",
  "published": "2022-05-13T01:11:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10126"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/libtiff/libtiff/-/issues/128"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://bugzilla.maptools.org/show_bug.cgi?id=2786"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJGQ-7W73-7HVF

Vulnerability from github – Published: 2024-08-22 03:31 – Updated: 2024-09-12 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xen/netfront: destroy queues before real_num_tx_queues is zeroed

xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two facts together means, that xennet_destroy_queues() called from xennet_remove() cannot do its job, because it's called after unregister_netdev(). This results in kfree-ing queues that are still linked in napi, which ultimately crashes:

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 52 Comm: xenwatch Tainted: G        W         5.16.10-1.32.fc32.qubes.x86_64+ #226
RIP: 0010:free_netdev+0xa3/0x1a0
Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00
RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff
RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050
R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680
FS:  0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0
Call Trace:
 <TASK>
 xennet_remove+0x13d/0x300 [xen_netfront]
 xenbus_dev_remove+0x6d/0xf0
 __device_release_driver+0x17a/0x240
 device_release_driver+0x24/0x30
 bus_remove_device+0xd8/0x140
 device_del+0x18b/0x410
 ? _raw_spin_unlock+0x16/0x30
 ? klist_iter_exit+0x14/0x20
 ? xenbus_dev_request_and_reply+0x80/0x80
 device_unregister+0x13/0x60
 xenbus_dev_changed+0x18e/0x1f0
 xenwatch_thread+0xc0/0x1a0
 ? do_wait_intr_irq+0xa0/0xa0
 kthread+0x16b/0x190
 ? set_kthread_struct+0x40/0x40
 ret_from_fork+0x22/0x30
 </TASK>

Fix this by calling xennet_destroy_queues() from xennet_uninit(), when real_num_tx_queues is still available. This ensures that queues are destroyed when real_num_tx_queues is set to 0, regardless of how unregister_netdev() was called.

Originally reported at https://github.com/QubesOS/qubes-issues/issues/7257

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T02:15:05Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/netfront: destroy queues before real_num_tx_queues is zeroed\n\nxennet_destroy_queues() relies on info-\u003enetdev-\u003ereal_num_tx_queues to\ndelete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5\n(\"net-sysfs: update the queue counts in the unregistration path\"),\nunregister_netdev() indirectly sets real_num_tx_queues to 0. Those two\nfacts together means, that xennet_destroy_queues() called from\nxennet_remove() cannot do its job, because it\u0027s called after\nunregister_netdev(). This results in kfree-ing queues that are still\nlinked in napi, which ultimately crashes:\n\n    BUG: kernel NULL pointer dereference, address: 0000000000000000\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 0 P4D 0\n    Oops: 0000 [#1] PREEMPT SMP PTI\n    CPU: 1 PID: 52 Comm: xenwatch Tainted: G        W         5.16.10-1.32.fc32.qubes.x86_64+ #226\n    RIP: 0010:free_netdev+0xa3/0x1a0\n    Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff \u003c48\u003e 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00\n    RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286\n    RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000\n    RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff\n    RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000\n    R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050\n    R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680\n    FS:  0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0\n    Call Trace:\n     \u003cTASK\u003e\n     xennet_remove+0x13d/0x300 [xen_netfront]\n     xenbus_dev_remove+0x6d/0xf0\n     __device_release_driver+0x17a/0x240\n     device_release_driver+0x24/0x30\n     bus_remove_device+0xd8/0x140\n     device_del+0x18b/0x410\n     ? _raw_spin_unlock+0x16/0x30\n     ? klist_iter_exit+0x14/0x20\n     ? xenbus_dev_request_and_reply+0x80/0x80\n     device_unregister+0x13/0x60\n     xenbus_dev_changed+0x18e/0x1f0\n     xenwatch_thread+0xc0/0x1a0\n     ? do_wait_intr_irq+0xa0/0xa0\n     kthread+0x16b/0x190\n     ? set_kthread_struct+0x40/0x40\n     ret_from_fork+0x22/0x30\n     \u003c/TASK\u003e\n\nFix this by calling xennet_destroy_queues() from xennet_uninit(),\nwhen real_num_tx_queues is still available. This ensures that queues are\ndestroyed when real_num_tx_queues is set to 0, regardless of how\nunregister_netdev() was called.\n\nOriginally reported at\nhttps://github.com/QubesOS/qubes-issues/issues/7257",
  "id": "GHSA-qjgq-7w73-7hvf",
  "modified": "2024-09-12T15:32:59Z",
  "published": "2024-08-22T03:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48914"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/198cdc287769c717dafff5887c6125cb7a373bf3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47e2f166ed9fe17f24561d6315be2228f6a90209"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a63eb1e4a2e1a191a90217871e67fba42fd39255"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b40c912624775a21da32d1105e158db5f6d0554a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJHX-FG4J-47H8

Vulnerability from github – Published: 2022-05-14 01:45 – Updated: 2022-05-14 01:45
VLAI
Details

NULL Pointer Dereference vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to crash the NAS media server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-28T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "NULL Pointer Dereference vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to crash the NAS media server.",
  "id": "GHSA-qjhx-fg4j-47h8",
  "modified": "2022-05-14T01:45:05Z",
  "published": "2022-05-14T01:45:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14747"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/zh-tw/security-advisory/nas-201811-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJJP-Q69M-V8XM

Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-06-26 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()

Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T17:16:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()\n\nAdd the same NULL guard already present in\nl2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
  "id": "GHSA-qjjp-q69m-v8xm",
  "modified": "2026-06-26T21:32:04Z",
  "published": "2026-05-26T18:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45835"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/140b63cb46f2855ac4ec8fba2f1e974a9c2974e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2422eaed0925973c0f318c94eb13e76f14c7381e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/684a1f9ee2325437ae18ac5371884e4c6a25ae73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJM8-W443-C8H4

Vulnerability from github – Published: 2022-05-17 02:54 – Updated: 2025-04-20 03:34
VLAI
Details

The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-15T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.",
  "id": "GHSA-qjm8-w443-c8h4",
  "modified": "2025-04-20T03:34:08Z",
  "published": "2022-05-17T02:54:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6847"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJMQ-CHG2-32XR

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()

A NULL pointer dereference can occur in skb_dequeue() when processing a QCA firmware crash dump on WCN7851 (0489:e0f3).

[ 93.672166] Bluetooth: hci0: ACL memdump size(589824)

[ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth] [ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80

The issue stems from handle_dump_pkt_qca() returning 0 even when a dump packet is successfully processed. This is because it incorrectly forwards the return value of hci_devcd_init() (which returns 0 on success). As a result, the caller (btusb_recv_acl_qca() or btusb_recv_evt_qca()) assumes the packet was not handled and passes it to hci_recv_frame(), leading to premature kfree() of the skb.

Later, hci_devcd_rx() attempts to dequeue the same skb from the dump queue, resulting in a NULL pointer dereference.

Fix this by: 1. Making handle_dump_pkt_qca() return 0 on success and negative errno on failure, consistent with kernel conventions. 2. Splitting dump packet detection into separate functions for ACL and event packets for better structure and readability.

This ensures dump packets are properly identified and consumed, avoiding double handling and preventing NULL pointer access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()\n\nA NULL pointer dereference can occur in skb_dequeue() when processing a\nQCA firmware crash dump on WCN7851 (0489:e0f3).\n\n[ 93.672166] Bluetooth: hci0: ACL memdump size(589824)\n\n[ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth]\n[ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80\n\nThe issue stems from handle_dump_pkt_qca() returning 0 even when a dump\npacket is successfully processed. This is because it incorrectly\nforwards the return value of hci_devcd_init() (which returns 0 on\nsuccess). As a result, the caller (btusb_recv_acl_qca() or\nbtusb_recv_evt_qca()) assumes the packet was not handled and passes it\nto hci_recv_frame(), leading to premature kfree() of the skb.\n\nLater, hci_devcd_rx() attempts to dequeue the same skb from the dump\nqueue, resulting in a NULL pointer dereference.\n\nFix this by:\n1. Making handle_dump_pkt_qca() return 0 on success and negative errno\n   on failure, consistent with kernel conventions.\n2. Splitting dump packet detection into separate functions for ACL\n   and event packets for better structure and readability.\n\nThis ensures dump packets are properly identified and consumed, avoiding\ndouble handling and preventing NULL pointer access.",
  "id": "GHSA-qjmq-chg2-32xr",
  "modified": "2025-11-17T18:30:23Z",
  "published": "2025-05-20T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37918"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0317b033abcd1d8dd2798f0e2de5e84543d0bd22"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e8d44ebaa7babdd5c5ab50ca275826e241920d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8563d9fabd8a4b726ba7acab4737c438bf11a059"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b70b41591ec48c78ec6a885e1f57bfc4029e5e13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJQC-VQCF-5QVJ

Vulnerability from github – Published: 2023-03-24 21:58 – Updated: 2023-03-27 21:27
VLAI
Summary
TensorFlow vulnerable to seg fault in `tf.raw_ops.Print`
Details

Impact

When the parameter summarize of tf.raw_ops.Print is zero, the new method SummarizeArray<bool> will reference to a nullptr, leading to a seg fault.

import tensorflow as tf

tf.raw_ops.Print(input =  tf.constant([1, 1, 1, 1],dtype=tf.int32),
                            data =  [[False, False, False, False], [False], [False, False, False]],
                            message =  'tmp/I',
                            first_n = 100,
                            summarize = 0)

Patches

We have patched the issue in GitHub commit 6d423b8bcc9aa9f5554dc988c1c16d038b508df1.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-24T21:58:44Z",
    "nvd_published_at": "2023-03-25T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray\u003cbool\u003e` will reference to a nullptr, leading to a seg fault.\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.Print(input =  tf.constant([1, 1, 1, 1],dtype=tf.int32),\n                            data =  [[False, False, False, False], [False], [False, False, False]],\n                            message =  \u0027tmp/I\u0027,\n                            first_n = 100,\n                            summarize = 0)\n```\n\n### Patches\nWe have patched the issue in GitHub commit [6d423b8bcc9aa9f5554dc988c1c16d038b508df1](https://github.com/tensorflow/tensorflow/commit/6d423b8bcc9aa9f5554dc988c1c16d038b508df1).\n\nThe fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team\n",
  "id": "GHSA-qjqc-vqcf-5qvj",
  "modified": "2023-03-27T21:27:23Z",
  "published": "2023-03-24T21:58:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-qjqc-vqcf-5qvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25660"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/6d423b8bcc9aa9f5554dc988c1c16d038b508df1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TensorFlow vulnerable to seg fault in `tf.raw_ops.Print`"
}

GHSA-QJX9-WJX4-9M8J

Vulnerability from github – Published: 2026-04-30 06:30 – Updated: 2026-04-30 06:30
VLAI
Details

Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T06:16:17Z",
    "severity": "MODERATE"
  },
  "details": "Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
  "id": "GHSA-qjx9-wjx4-9m8j",
  "modified": "2026-04-30T06:30:30Z",
  "published": "2026-04-30T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7376"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/work_items/21206"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-48.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.