Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-R346-8VRH-M3WR

Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-20 03:32
VLAI
Details

The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-30T22:59:00Z",
    "severity": "HIGH"
  },
  "details": "The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.",
  "id": "GHSA-r346-8vrh-m3wr",
  "modified": "2025-04-20T03:32:05Z",
  "published": "2022-05-13T01:09:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10087"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-74"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3712-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3712-2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/12/29/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/12/30/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95157"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R35M-5R25-V2FX

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-18 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix NULL pointer dereference in ceph_mds_auth_match()

The CephFS kernel client has regression starting from 6.18-rc1. We have issue in ceph_mds_auth_match() if fs_name == NULL:

const char fs_name = mdsc->fsc->mount_options->mds_namespace;
...
if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
        / fsname mismatch, try next one */
        return 0;
}

Patrick Donnelly suggested that: In summary, we should definitely start decoding fs_name from the MDSMap and do strict authorizations checks against it. Note that the -o mds_namespace=foo should only be used for selecting the file system to mount and nothing else. It's possible no mds_namespace is specified but the kernel will mount the only file system that exists which may have name "foo".

This patch reworks ceph_mdsmap_decode() and namespace_equals() with the goal of supporting the suggested concept. Now struct ceph_mdsmap contains m_fs_name field that receives copy of extracted FS name by ceph_extract_encoded_string(). For the case of "old" CephFS file systems, it is used "cephfs" name.

[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(), get rid of a series of strlen() calls in ceph_namespace_match(), drop changes to namespace_equals() body to avoid treating empty mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap() as namespace_equals() isn't an equivalent substitution there ]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T17:15:56Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n    const char fs_name = mdsc-\u003efsc-\u003emount_options-\u003emds_namespace;\n    ...\n    if (auth-\u003ematch.fs_name \u0026\u0026 strcmp(auth-\u003ematch.fs_name, fs_name)) {\n            / fsname mismatch, try next one */\n            return 0;\n    }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It\u0027s possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n  get rid of a series of strlen() calls in ceph_namespace_match(),\n  drop changes to namespace_equals() body to avoid treating empty\n  mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n  as namespace_equals() isn\u0027t an equivalent substitution there ]",
  "id": "GHSA-r35m-5r25-v2fx",
  "modified": "2026-03-18T18:31:11Z",
  "published": "2026-02-14T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23189"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R35M-8JF8-G83G

Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet

If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below:

hv_utils: Registering HyperV Utility Driver hv_vmbus: registering driver hv_utils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Call Trace: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read

This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hv_kvp_init() -> hvutil_transport_init() creates /dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVP_OP_REGISTER1 to the file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and reading the file for the driver's response, which is handled by hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().

2) the problem with kvp_register_done() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, util_probe()-> vmbus_open() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference.

To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbus_open(), just before the first hv_ringbuffer_init(), and then we unload and reload the driver hv_utils, and run the daemon manually within the 10 seconds.

Fix the panic by reordering the steps in util_probe() so the char dev entry used by the KVP or VSS daemon is not created until after vmbus_open() has completed. This reordering prevents the race condition from happening.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T13:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: util: Avoid accessing a ringbuffer not initialized yet\n\nIf the KVP (or VSS) daemon starts before the VMBus channel\u0027s ringbuffer is\nfully initialized, we can hit the panic below:\n\nhv_utils: Registering HyperV Utility Driver\nhv_vmbus: registering driver hv_utils\n...\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1\nRIP: 0010:hv_pkt_iter_first+0x12/0xd0\nCall Trace:\n...\n vmbus_recvpacket\n hv_kvp_onchannelcallback\n vmbus_on_event\n tasklet_action_common\n tasklet_action\n handle_softirqs\n irq_exit_rcu\n sysvec_hyperv_stimer0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_hyperv_stimer0\n...\n kvp_register_done\n hvt_op_read\n vfs_read\n ksys_read\n __x64_sys_read\n\nThis can happen because the KVP/VSS channel callback can be invoked\neven before the channel is fully opened:\n1) as soon as hv_kvp_init() -\u003e hvutil_transport_init() creates\n/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and\nregister itself to the driver by writing a message KVP_OP_REGISTER1 to the\nfile (which is handled by kvp_on_msg() -\u003ekvp_handle_handshake()) and\nreading the file for the driver\u0027s response, which is handled by\nhvt_op_read(), which calls hvt-\u003eon_read(), i.e. kvp_register_done().\n\n2) the problem with kvp_register_done() is that it can cause the\nchannel callback to be called even before the channel is fully opened,\nand when the channel callback is starting to run, util_probe()-\u003e\nvmbus_open() may have not initialized the ringbuffer yet, so the\ncallback can hit the panic of NULL pointer dereference.\n\nTo reproduce the panic consistently, we can add a \"ssleep(10)\" for KVP in\n__vmbus_open(), just before the first hv_ringbuffer_init(), and then we\nunload and reload the driver hv_utils, and run the daemon manually within\nthe 10 seconds.\n\nFix the panic by reordering the steps in util_probe() so the char dev\nentry used by the KVP or VSS daemon is not created until after\nvmbus_open() has completed. This reordering prevents the race condition\nfrom happening.",
  "id": "GHSA-r35m-8jf8-g83g",
  "modified": "2025-11-03T21:32:07Z",
  "published": "2025-01-11T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55916"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R393-F8X7-5C8C

Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-10-08 21:30
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T19:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.6.3195 build 20250715 and later\nQuTS hero h5.2.6.3195 build 20250715 and later",
  "id": "GHSA-r393-f8x7-5c8c",
  "modified": "2025-10-08T21:30:23Z",
  "published": "2025-10-03T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47213"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R3CF-G6C5-J789

Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-20 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()

devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.

Prevent null pointer dereference in mt7915_mmio_wed_init().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7915_mmio_wed_init().",
  "id": "GHSA-r3cf-g6c5-j789",
  "modified": "2025-11-20T21:30:30Z",
  "published": "2025-07-03T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38155"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/790d05cde359356feea8915094a51166af1629f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d825ed9fd768be10d52beba6f57a4b50c0c154aa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9f9cef1877ac32285dbc1f31b86c8955b712fc2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/efb95439c1477bbc955cacd0179c35e7861b437c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3CX-WCP6-7G33

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-17 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

kernfs: fix potential NULL dereference in __kernfs_remove

When lockdep is enabled, lockdep_assert_held_write would cause potential NULL pointer dereference.

Fix the following smatch warnings:

fs/kernfs/dir.c:1353 __kernfs_remove() warn: variable dereferenced before check 'kn' (see line 1346)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix potential NULL dereference in __kernfs_remove\n\nWhen lockdep is enabled, lockdep_assert_held_write would\ncause potential NULL pointer dereference.\n\nFix the following smatch warnings:\n\nfs/kernfs/dir.c:1353 __kernfs_remove() warn: variable dereferenced before check \u0027kn\u0027 (see line 1346)",
  "id": "GHSA-r3cx-wcp6-7g33",
  "modified": "2025-11-17T21:31:18Z",
  "published": "2025-06-18T12:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50148"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a9f35b8729c5bf13ea671c908c17ed74c48fc50"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72b5d5aef246a0387cefa23121dd90901c7a691a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b871986d9d3071f5082664ac274d93f08db257cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3FR-8Q6V-C82H

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:21
VLAI
Details

In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-24T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when \"%pragma limit\" is mishandled.",
  "id": "GHSA-r3fr-8q6v-c82h",
  "modified": "2024-04-04T01:21:56Z",
  "published": "2022-05-24T16:51:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14248"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392576"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3FV-4XWJ-9XF2

Vulnerability from github – Published: 2022-01-15 00:00 – Updated: 2022-05-05 00:01
VLAI
Details

An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.",
  "id": "GHSA-r3fv-4xwj-9xf2",
  "modified": "2022-05-05T00:01:01Z",
  "published": "2022-01-15T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gnu-mirror-unofficial/recutils/commit/34b75ed7ad492c8e38b669ebafe0176f1f9992d2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDVOFC3HTBG7DF2PZTEXRMG4CV2F55UF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRSXSN2XF6PX74WDYVV26TQMYIFAEQ3T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDVOFC3HTBG7DF2PZTEXRMG4CV2F55UF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRSXSN2XF6PX74WDYVV26TQMYIFAEQ3T"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/bug-recutils/2021-12/msg00009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3GG-V2QJ-WCMP

Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-04-15 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: betop: check shape of output reports

betopff_init() only checks the total sum of the report counts for each report field to be at least 4, but hid_betopff_play() expects 4 report fields. A device advertising an output report with one field and 4 report counts would pass the check but crash the kernel with a NULL pointer dereference in hid_betopff_play().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T17:15:50Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: betop: check shape of output reports\n\nbetopff_init() only checks the total sum of the report counts for each\nreport field to be at least 4, but hid_betopff_play() expects 4 report\nfields.\nA device advertising an output report with one field and 4 report counts\nwould pass the check but crash the kernel with a NULL pointer dereference\nin hid_betopff_play().",
  "id": "GHSA-r3gg-v2qj-wcmp",
  "modified": "2025-04-15T21:31:29Z",
  "published": "2025-03-27T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53015"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07bc32e53c7bd5c91472cc485231ef6274db9b76"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a2a47b85cab50a3c146731bfeaf2d860f5344ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28fc6095da22dc88433d79578ae1c495ebe8ca43"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3782c0d6edf658b71354a64d60aa7a296188fc90"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7317326f685824c7c29bd80841fd18041af6bb73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3065cc56221d1a5eda237e94eaf2a627b88ab79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dbab4dba400d6ea9a9697fbbd287adbf7db1dac4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3H6-H7MC-HVH5

Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-10-29 21:30
VLAI
Details

Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp.",
  "id": "GHSA-r3h6-h7mc-hvh5",
  "modified": "2024-10-29T21:30:44Z",
  "published": "2024-02-20T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ros-planning/navigation2/issues/3940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ros-planning/navigation2/issues/3958"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ros-planning/navigation2/issues/3971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ros-planning/navigation2/issues/3972"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.