CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-QV4Q-MR5R-QPRJ
Vulnerability from github – Published: 2022-12-08 03:03 – Updated: 2022-12-08 03:03Summary
Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10.
Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Credit
This vulnerability was responsibly reported by @davidwilemski.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.8"
},
{
"fixed": "1.13.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23476"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-08T03:03:33Z",
"nvd_published_at": "2022-12-08T04:15:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nNokogiri `1.13.8, 1.13.9` fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. \n\nFor applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.13.10`.\n\nUsers may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-252: Unchecked Return Value (4.9)](https://cwe.mitre.org/data/definitions/252.html)\n- [CWE - CWE-476: NULL Pointer Dereference (4.9)](https://cwe.mitre.org/data/definitions/476.html)\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @davidwilemski.\n",
"id": "GHSA-qv4q-mr5r-qprj",
"modified": "2022-12-08T03:03:33Z",
"published": "2022-12-08T03:03:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23476"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unchecked return value from xmlTextReaderExpand"
}
GHSA-QVC3-RC3F-HXC2
Vulnerability from github – Published: 2025-08-29 18:30 – Updated: 2025-09-19 18:31A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later
{
"affected": [],
"aliases": [
"CVE-2025-29889"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T18:15:35Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.4907 and later",
"id": "GHSA-qvc3-rc3f-hxc2",
"modified": "2025-09-19T18:31:20Z",
"published": "2025-08-29T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29889"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QVF9-958H-6H8P
Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer deference.
Fix this by adding a proper check upper in call stack, as malformed relocation records could be passed from user space.
Simplest reproducer is a program:
r0 = 0
exit
With a single relocation record:
.insn_off = 0, /* patch first instruction */
.type_id = 100500, /* this type id does not exist */
.access_str_off = 6, /* offset of string "0" */
.kind = BPF_CORE_TYPE_ID_LOCAL,
See the link for original reproducer or next commit for a test case.
{
"affected": [],
"aliases": [
"CVE-2024-49850"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T13:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos\n\nIn case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL\nreferencing a non-existing BTF type, function bpf_core_calc_relo_insn\nwould cause a null pointer deference.\n\nFix this by adding a proper check upper in call stack, as malformed\nrelocation records could be passed from user space.\n\nSimplest reproducer is a program:\n\n r0 = 0\n exit\n\nWith a single relocation record:\n\n .insn_off = 0, /* patch first instruction */\n .type_id = 100500, /* this type id does not exist */\n .access_str_off = 6, /* offset of string \"0\" */\n .kind = BPF_CORE_TYPE_ID_LOCAL,\n\nSee the link for original reproducer or next commit for a test case.",
"id": "GHSA-qvf9-958h-6h8p",
"modified": "2025-11-04T00:31:39Z",
"published": "2024-10-21T15:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49850"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2288b54b96dcb55bedebcef3572bb8821fc5e708"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3d2786d65aaa954ebd3fcc033ada433e10da21c4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/584cd3ff792e1edbea20b2a7df55897159b0be3e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc7ce14f00bcd50641f2110b7a32aa6552e0780f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7e9c5b2dda29067332df2a85b0141a92b41f218"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVFC-HVWW-W263
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15An issue was discovered in swftools through 20200710. A NULL pointer dereference exists in the function swf_DumpABC() located in abc.c. It allows an attacker to cause Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2021-39587"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in swftools through 20200710. A NULL pointer dereference exists in the function swf_DumpABC() located in abc.c. It allows an attacker to cause Denial of Service.",
"id": "GHSA-qvfc-hvww-w263",
"modified": "2022-05-24T19:15:05Z",
"published": "2022-05-24T19:15:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39587"
},
{
"type": "WEB",
"url": "https://github.com/matthiaskramm/swftools/issues/129"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QVGP-3PF6-VXC6
Vulnerability from github – Published: 2022-05-14 01:39 – Updated: 2022-05-14 01:39drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.
{
"affected": [],
"aliases": [
"CVE-2017-18079"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-29T05:29:00Z",
"severity": "HIGH"
},
"details": "drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port-\u003eexists value can change after it is validated.",
"id": "GHSA-qvgp-3pf6-vxc6",
"modified": "2022-05-14T01:39:47Z",
"published": "2022-05-14T01:39:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18079"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/340d394a789518018f834ff70f7534fc463d3226"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3655-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3655-2"
},
{
"type": "WEB",
"url": "https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.4"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=340d394a789518018f834ff70f7534fc463d3226"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102895"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVHJ-42GP-XFMW
Vulnerability from github – Published: 2023-09-05 09:30 – Updated: 2023-11-15 06:30An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2023-41909"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-05T07:15:14Z",
"severity": "HIGH"
},
"details": "An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference.",
"id": "GHSA-qvhj-42gp-xfmw",
"modified": "2023-11-15T06:30:29Z",
"published": "2023-09-05T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41909"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00020.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JLG64IF3FU7V76K4TKCCXVNEE6P2VUDO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LMJNX44SMJM25JZO7XWHDQCOB4SNJPIE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXR6PIVY4SWO7HDT4EY733H4X32SCPM4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVJ3-CMCH-PH88
Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2022-05-14 03:56drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation.
{
"affected": [],
"aliases": [
"CVE-2016-6327"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-16T21:59:00Z",
"severity": "MODERATE"
},
"details": "drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an ABORT_TASK command to abort a device write operation.",
"id": "GHSA-qvj3-cmch-ph88",
"modified": "2022-05-14T03:56:12Z",
"published": "2022-05-14T03:56:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6327"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/51093254bf879bc9ce96590400a87897c7498463"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:2574"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:2584"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-6327"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1354525"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=51093254bf879bc9ce96590400a87897c7498463"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2574.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2584.html"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/08/19/5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92549"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVJ7-HG6C-8G8H
Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-01-31 18:31In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: check return value of ieee80211_probereq_get() for RNR
The return value of ieee80211_probereq_get() might be NULL, so check it before using to avoid NULL pointer access.
Addresses-Coverity-ID: 1529805 ("Dereference null return value")
{
"affected": [],
"aliases": [
"CVE-2024-48873"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T13:15:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: check return value of ieee80211_probereq_get() for RNR\n\nThe return value of ieee80211_probereq_get() might be NULL, so check it\nbefore using to avoid NULL pointer access.\n\nAddresses-Coverity-ID: 1529805 (\"Dereference null return value\")",
"id": "GHSA-qvj7-hg6c-8g8h",
"modified": "2025-01-31T18:31:04Z",
"published": "2025-01-11T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48873"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a0f54cb3fea5d087440b2bae03202c445156a8d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/630d5d8f2bf6b340202b6bc2c05d794bbd8e4c1c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7296e5611adb2c619bd7bd3817ddde7ba865ef17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVJC-6J6M-P7GX
Vulnerability from github – Published: 2024-07-29 18:30 – Updated: 2024-07-30 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init
Add an explicit check to ensure that the mgr is not NULL.
{
"affected": [],
"aliases": [
"CVE-2024-42065"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T16:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Add a NULL check in xe_ttm_stolen_mgr_init\n\nAdd an explicit check to ensure that the mgr is not NULL.",
"id": "GHSA-qvjc-6j6m-p7gx",
"modified": "2024-07-30T21:31:25Z",
"published": "2024-07-29T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42065"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6eff8f9c7e844cb24ccb188ca24abcd59734e74"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc796a77985d6af75c9362cb2e73dce4ae3f97cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVJG-2VF7-962X
Vulnerability from github – Published: 2024-09-27 15:30 – Updated: 2024-10-02 15:30In the Linux kernel, the following vulnerability has been resolved:
iommufd: Require drivers to supply the cache_invalidate_user ops
If drivers don't do this then iommufd will oops invalidation ioctls with something like:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194
All existing drivers implement this op for nesting, this is mostly a bisection aid.
{
"affected": [],
"aliases": [
"CVE-2024-46824"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T13:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Require drivers to supply the cache_invalidate_user ops\n\nIf drivers don\u0027t do this then iommufd will oops invalidation ioctls with\nsomething like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n Modules linked in:\n CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9\n Hardware name: linux,dummy-virt (DT)\n pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c)\n pc : 0x0\n lr : iommufd_hwpt_invalidate+0xa4/0x204\n sp : ffff800080f3bcc0\n x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0\n x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000\n x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002\n x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80\n Call trace:\n 0x0\n iommufd_fops_ioctl+0x154/0x274\n __arm64_sys_ioctl+0xac/0xf0\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xb4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x190/0x194\n\nAll existing drivers implement this op for nesting, this is mostly a\nbisection aid.",
"id": "GHSA-qvjg-2vf7-962x",
"modified": "2024-10-02T15:30:37Z",
"published": "2024-09-27T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46824"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89827a4de802765b1ebb401fc1e73a90108c7520"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a11dda723c6493bb1853bbc61c093377f96e2d47"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.