Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-QPPW-2696-658W

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2024-06-26 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: max310x: fix NULL pointer dereference in I2C instantiation

When trying to instantiate a max14830 device from userspace:

echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device

we get the following error:

Unable to handle kernel NULL pointer dereference at virtual address...
...
Call trace:
    max310x_i2c_probe+0x48/0x170 [max310x]
    i2c_device_probe+0x150/0x2a0
...

Add check for validity of devtype to prevent the error, and abort probe with a meaningful error message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max310x: fix NULL pointer dereference in I2C instantiation\n\nWhen trying to instantiate a max14830 device from userspace:\n\n    echo max14830 0x60 \u003e /sys/bus/i2c/devices/i2c-2/new_device\n\nwe get the following error:\n\n    Unable to handle kernel NULL pointer dereference at virtual address...\n    ...\n    Call trace:\n        max310x_i2c_probe+0x48/0x170 [max310x]\n        i2c_device_probe+0x150/0x2a0\n    ...\n\nAdd check for validity of devtype to prevent the error, and abort probe\nwith a meaningful error message.",
  "id": "GHSA-qppw-2696-658w",
  "modified": "2024-06-26T00:31:39Z",
  "published": "2024-05-01T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26978"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d27056c24efd3d63a03f3edfbcfc4827086b110"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12609c76b755dbeb1645c0aacc0f0f4743b2eff3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2160ad6861c4a21d3fa553d7b2aaec6634a37f8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cd8af02b466e1beeae13e2de3dc58fcc7925e5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d271b798add90c6196539167c019d0817285cf0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aeca49661fd02fd56fb026768b580ce301b45733"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c45e53c27b78afd6c81fc25608003576f27b5735"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPPW-C37G-XWCC

Vulnerability from github – Published: 2024-01-03 09:30 – Updated: 2024-11-22 20:22
VLAI
Summary
PaddlePaddle nullptr dereference in paddle.crop
Details

Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "PaddlePaddle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-52312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-03T22:02:40Z",
    "nvd_published_at": "2024-01-03T09:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Nullptr dereference in paddle.crop\u00a0in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.\n\n\n\n",
  "id": "GHSA-qppw-c37g-xwcc",
  "modified": "2024-11-22T20:22:49Z",
  "published": "2024-01-03T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PaddlePaddle/Paddle/commit/488a0ddc322b24659b6b0067fea3030d2f013cf4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PaddlePaddle/Paddle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-021.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/paddlepaddle/PYSEC-2024-144.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PaddlePaddle nullptr dereference in paddle.crop"
}

GHSA-QPW7-WX2F-6GC3

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-04T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.",
  "id": "GHSA-qpw7-wx2f-6gc3",
  "modified": "2022-05-24T19:10:00Z",
  "published": "2022-05-24T19:10:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36764"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16804\u0026token=d8c89c887979b22fdfc9fd5c3aa3804bbb1ddbff\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QPWF-M697-V547

Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: drop secpath at the same time as we currently drop dst

Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns

The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free.

The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point.

We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T10:15:19Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free\u0027d by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU\u0027s\ndefer_list), and don\u0027t flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don\u0027t\nexpect at this point.\n\nWe already drop the skb\u0027s dst in the TCP receive path when it\u0027s no\nlonger needed, so let\u0027s also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions.",
  "id": "GHSA-qpwf-m697-v547",
  "modified": "2026-07-14T15:31:19Z",
  "published": "2025-03-12T12:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21864"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69cafd9413084cd5012cf5d7c7ec6f3d493726d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87858bbf21da239ace300d61dd209907995c0491"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b6412e6979f6f9e0632075f8f008937b5cd4efd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd34a07f744451e2ecf9005bb7d24d0b2fb83656"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1d5e6a5e468308af7759cf5276779d3155c5e98"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ34-M9W6-MVQP

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_uart: add missing NULL check in h5_enqueue

Syzbot hit general protection fault in __pm_runtime_resume(). The problem was in missing NULL check.

hu->serdev can be NULL and we should not blindly pass &serdev->dev somewhere, since it will cause GPF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:57Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: add missing NULL check in h5_enqueue\n\nSyzbot hit general protection fault in __pm_runtime_resume(). The problem\nwas in missing NULL check.\n\nhu-\u003eserdev can be NULL and we should not blindly pass \u0026serdev-\u003edev\nsomewhere, since it will cause GPF.",
  "id": "GHSA-qq34-m9w6-mvqp",
  "modified": "2025-09-22T21:30:15Z",
  "published": "2025-09-22T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49202"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32cb08e958696908a9aad5e49a78d74f7e32fffb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7235485433d290367d60ae22fcdfc565e61d42ab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a3896c30f542439d36303183dc96f65df8cc528"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6b6c904c0f88588b6a3ace20e4c0d61eab124f8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ4H-F4QP-WR7Q

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix a NULL pointer dereference

The LRU mechanism may look up a resource in the process of being removed from an object. The locking rules here are a bit unclear but it looks currently like res->bo assignment is protected by the LRU lock, whereas bo->resource is protected by the object lock, while clearing of bo->resource is also protected by the LRU lock. This means that if we check that bo->resource points to the LRU resource under the LRU lock we should be safe. So perform that check before deciding to swap out a bo. That avoids dereferencing a NULL bo->resource in ttm_bo_swapout().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix a NULL pointer dereference\n\nThe LRU mechanism may look up a resource in the process of being removed\nfrom an object. The locking rules here are a bit unclear but it looks\ncurrently like res-\u003ebo assignment is protected by the LRU lock, whereas\nbo-\u003eresource is protected by the object lock, while *clearing* of\nbo-\u003eresource is also protected by the LRU lock. This means that if\nwe check that bo-\u003eresource points to the LRU resource under the LRU\nlock we should be safe.\nSo perform that check before deciding to swap out a bo. That avoids\ndereferencing a NULL bo-\u003eresource in ttm_bo_swapout().",
  "id": "GHSA-qq4h-f4qp-wr7q",
  "modified": "2025-11-12T21:31:01Z",
  "published": "2025-05-02T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53095"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a9a8fe26751334b7739193a94eba741073b8a55"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ba1720f6c4a0f13c3f3cb5c28132ee75555d04f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d9b1f9f7a72d83ebf173534e76b246349f32374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ6X-P5C6-GQP6

Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-07-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally.

Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T17:16:49Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc\n\nThe return value of kzalloc_flex() is used without\nensuring that the allocation succeeded, and the\npointer is dereferenced unconditionally.\n\nGuard the access to the allocated structure to\navoid a potential NULL pointer dereference if the\nallocation fails.",
  "id": "GHSA-qq6x-p5c6-gqp6",
  "modified": "2026-07-08T15:31:36Z",
  "published": "2026-06-08T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46305"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a5f411becfb7c57aa89827213d31ef23a03d75a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc851db06045a40c18233dd76ef0562d7f8bb6db"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ9J-C8R5-5XF6

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-10 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: clone zoned device info when cloning a device

When cloning a btrfs_device, we're not cloning the associated btrfs_zoned_device_info structure of the device in case of a zoned filesystem.

Later on this leads to a NULL pointer dereference when accessing the device's zone_info for instance when setting a zone as active.

This was uncovered by fstests' testcase btrfs/161.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: clone zoned device info when cloning a device\n\nWhen cloning a btrfs_device, we\u0027re not cloning the associated\nbtrfs_zoned_device_info structure of the device in case of a zoned\nfilesystem.\n\nLater on this leads to a NULL pointer dereference when accessing the\ndevice\u0027s zone_info for instance when setting a zone as active.\n\nThis was uncovered by fstests\u0027 testcase btrfs/161.",
  "id": "GHSA-qq9j-c8r5-5xf6",
  "modified": "2025-11-10T21:30:28Z",
  "published": "2025-05-01T15:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49833"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21e61ec6d0bb786818490e926aa9aeb4de95ad0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad88cabcec942c033f980cd1e28d56ecdaf5f3b8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQJJ-7XJV-R736

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13
VLAI
Details

The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-02T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.",
  "id": "GHSA-qqjj-7xjv-r736",
  "modified": "2022-05-13T01:13:44Z",
  "published": "2022-05-13T01:13:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1094"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2948"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3083"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3096"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-1094"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.kernel.org/show_bug.cgi?id=199183"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1560788"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=18db4b4e6fc31eda838dd1c1296d67dbcb3dc957"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=a45403b51582a87872927a3e0fc0a389c26867f1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3695-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3695-2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2018/03/29/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQRF-32Q3-9249

Vulnerability from github – Published: 2024-11-08 06:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iio: light: veml6030: fix IIO device retrieval from embedded device

The dev pointer that is received as an argument in the in_illuminance_period_available_show function references the device embedded in the IIO device, not in the i2c client.

dev_to_iio_dev() must be used to accessthe right data. The current implementation leads to a segmentation fault on every attempt to read the attribute because indio_dev gets a NULL assignment.

This bug has been present since the first appearance of the driver, apparently since the last version (V6) before getting applied. A constant attribute was used until then, and the last modifications might have not been tested again.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T06:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: veml6030: fix IIO device retrieval from embedded device\n\nThe dev pointer that is received as an argument in the\nin_illuminance_period_available_show function references the device\nembedded in the IIO device, not in the i2c client.\n\ndev_to_iio_dev() must be used to accessthe right data. The current\nimplementation leads to a segmentation fault on every attempt to read\nthe attribute because indio_dev gets a NULL assignment.\n\nThis bug has been present since the first appearance of the driver,\napparently since the last version (V6) before getting applied. A\nconstant attribute was used until then, and the last modifications might\nhave not been tested again.",
  "id": "GHSA-qqrf-32q3-9249",
  "modified": "2025-11-04T00:31:57Z",
  "published": "2024-11-08T06:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50198"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2cbb41abae65626736b8b52cf3b9339612c5a86a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50039aec43a82ad2495f2d0fb0c289c8717b4bb2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/905166531831beb067fffe2bdfc98031ffe89087"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcb90518ccd9e10bf6ab29e31994aab93e4a4361"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf3ab8e1c28f10df0823d4ff312f83c952b06a15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7c44e57750c31de43906d97813273fdffcf7d02"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.