CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-R346-8VRH-M3WR
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-20 03:32The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
{
"affected": [],
"aliases": [
"CVE-2016-10087"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-30T22:59:00Z",
"severity": "HIGH"
},
"details": "The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.",
"id": "GHSA-r346-8vrh-m3wr",
"modified": "2025-04-20T03:32:05Z",
"published": "2022-05-13T01:09:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10087"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-74"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3712-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3712-2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/29/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/30/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95157"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R35M-5R25-V2FX
Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-18 18:31In the Linux kernel, the following vulnerability has been resolved:
ceph: fix NULL pointer dereference in ceph_mds_auth_match()
The CephFS kernel client has regression starting from 6.18-rc1. We have issue in ceph_mds_auth_match() if fs_name == NULL:
const char fs_name = mdsc->fsc->mount_options->mds_namespace;
...
if (auth->match.fs_name && strcmp(auth->match.fs_name, fs_name)) {
/ fsname mismatch, try next one */
return 0;
}
Patrick Donnelly suggested that: In summary, we should definitely start
decoding fs_name from the MDSMap and do strict authorizations checks
against it. Note that the -o mds_namespace=foo should only be used for
selecting the file system to mount and nothing else. It's possible
no mds_namespace is specified but the kernel will mount the only
file system that exists which may have name "foo".
This patch reworks ceph_mdsmap_decode() and namespace_equals() with the goal of supporting the suggested concept. Now struct ceph_mdsmap contains m_fs_name field that receives copy of extracted FS name by ceph_extract_encoded_string(). For the case of "old" CephFS file systems, it is used "cephfs" name.
[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(), get rid of a series of strlen() calls in ceph_namespace_match(), drop changes to namespace_equals() body to avoid treating empty mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap() as namespace_equals() isn't an equivalent substitution there ]
{
"affected": [],
"aliases": [
"CVE-2026-23189"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-14T17:15:56Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix NULL pointer dereference in ceph_mds_auth_match()\n\nThe CephFS kernel client has regression starting from 6.18-rc1.\nWe have issue in ceph_mds_auth_match() if fs_name == NULL:\n\n const char fs_name = mdsc-\u003efsc-\u003emount_options-\u003emds_namespace;\n ...\n if (auth-\u003ematch.fs_name \u0026\u0026 strcmp(auth-\u003ematch.fs_name, fs_name)) {\n / fsname mismatch, try next one */\n return 0;\n }\n\nPatrick Donnelly suggested that: In summary, we should definitely start\ndecoding `fs_name` from the MDSMap and do strict authorizations checks\nagainst it. Note that the `-o mds_namespace=foo` should only be used for\nselecting the file system to mount and nothing else. It\u0027s possible\nno mds_namespace is specified but the kernel will mount the only\nfile system that exists which may have name \"foo\".\n\nThis patch reworks ceph_mdsmap_decode() and namespace_equals() with\nthe goal of supporting the suggested concept. Now struct ceph_mdsmap\ncontains m_fs_name field that receives copy of extracted FS name\nby ceph_extract_encoded_string(). For the case of \"old\" CephFS file\nsystems, it is used \"cephfs\" name.\n\n[ idryomov: replace redundant %*pE with %s in ceph_mdsmap_decode(),\n get rid of a series of strlen() calls in ceph_namespace_match(),\n drop changes to namespace_equals() body to avoid treating empty\n mds_namespace as equal, drop changes to ceph_mdsc_handle_fsmap()\n as namespace_equals() isn\u0027t an equivalent substitution there ]",
"id": "GHSA-r35m-5r25-v2fx",
"modified": "2026-03-18T18:31:11Z",
"published": "2026-02-14T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23189"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57b36ffc8881dd455d875f85c105901974af2130"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7987cce375ac8ce98e170a77aa2399f2cf6eb99f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6f8326f26bd20d648d9a55afd68148d1b6afe28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R35M-8JF8-G83G
Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: util: Avoid accessing a ringbuffer not initialized yet
If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below:
hv_utils: Registering HyperV Utility Driver hv_vmbus: registering driver hv_utils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Call Trace: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read
This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hv_kvp_init() -> hvutil_transport_init() creates /dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVP_OP_REGISTER1 to the file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and reading the file for the driver's response, which is handled by hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done().
2) the problem with kvp_register_done() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, util_probe()-> vmbus_open() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference.
To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbus_open(), just before the first hv_ringbuffer_init(), and then we unload and reload the driver hv_utils, and run the daemon manually within the 10 seconds.
Fix the panic by reordering the steps in util_probe() so the char dev entry used by the KVP or VSS daemon is not created until after vmbus_open() has completed. This reordering prevents the race condition from happening.
{
"affected": [],
"aliases": [
"CVE-2024-55916"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T13:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: util: Avoid accessing a ringbuffer not initialized yet\n\nIf the KVP (or VSS) daemon starts before the VMBus channel\u0027s ringbuffer is\nfully initialized, we can hit the panic below:\n\nhv_utils: Registering HyperV Utility Driver\nhv_vmbus: registering driver hv_utils\n...\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1\nRIP: 0010:hv_pkt_iter_first+0x12/0xd0\nCall Trace:\n...\n vmbus_recvpacket\n hv_kvp_onchannelcallback\n vmbus_on_event\n tasklet_action_common\n tasklet_action\n handle_softirqs\n irq_exit_rcu\n sysvec_hyperv_stimer0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_hyperv_stimer0\n...\n kvp_register_done\n hvt_op_read\n vfs_read\n ksys_read\n __x64_sys_read\n\nThis can happen because the KVP/VSS channel callback can be invoked\neven before the channel is fully opened:\n1) as soon as hv_kvp_init() -\u003e hvutil_transport_init() creates\n/dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and\nregister itself to the driver by writing a message KVP_OP_REGISTER1 to the\nfile (which is handled by kvp_on_msg() -\u003ekvp_handle_handshake()) and\nreading the file for the driver\u0027s response, which is handled by\nhvt_op_read(), which calls hvt-\u003eon_read(), i.e. kvp_register_done().\n\n2) the problem with kvp_register_done() is that it can cause the\nchannel callback to be called even before the channel is fully opened,\nand when the channel callback is starting to run, util_probe()-\u003e\nvmbus_open() may have not initialized the ringbuffer yet, so the\ncallback can hit the panic of NULL pointer dereference.\n\nTo reproduce the panic consistently, we can add a \"ssleep(10)\" for KVP in\n__vmbus_open(), just before the first hv_ringbuffer_init(), and then we\nunload and reload the driver hv_utils, and run the daemon manually within\nthe 10 seconds.\n\nFix the panic by reordering the steps in util_probe() so the char dev\nentry used by the KVP or VSS daemon is not created until after\nvmbus_open() has completed. This reordering prevents the race condition\nfrom happening.",
"id": "GHSA-r35m-8jf8-g83g",
"modified": "2025-11-03T21:32:07Z",
"published": "2025-01-11T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55916"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/042253c57be901bfd19f15b68267442b70f510d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07a756a49f4b4290b49ea46e089cbe6f79ff8d26"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3dd7a30c6d7f90afcf19e9b072f572ba524d7ec6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/718fe694a334be9d1a89eed22602369ac18d6583"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89fcec5e466b3ac9b376e0d621c71effa1a7983f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d81f4e73aff9b861671df60e5100ad25cc16fbf8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f091a224a2c82f1e302b1768d73bb6332f687321"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R393-F8X7-5C8C
Vulnerability from github – Published: 2025-10-03 21:30 – Updated: 2025-10-08 21:30A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
{
"affected": [],
"aliases": [
"CVE-2025-47213"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-03T19:15:44Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.6.3195 build 20250715 and later\nQuTS hero h5.2.6.3195 build 20250715 and later",
"id": "GHSA-r393-f8x7-5c8c",
"modified": "2025-10-08T21:30:23Z",
"published": "2025-10-03T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47213"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R3CF-G6C5-J789
Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-20 21:30In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference.
Prevent null pointer dereference in mt7915_mmio_wed_init().
{
"affected": [],
"aliases": [
"CVE-2025-38155"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7915_mmio_wed_init().",
"id": "GHSA-r3cf-g6c5-j789",
"modified": "2025-11-20T21:30:30Z",
"published": "2025-07-03T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38155"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/790d05cde359356feea8915094a51166af1629f5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d825ed9fd768be10d52beba6f57a4b50c0c154aa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9f9cef1877ac32285dbc1f31b86c8955b712fc2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/efb95439c1477bbc955cacd0179c35e7861b437c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3CX-WCP6-7G33
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-17 21:31In the Linux kernel, the following vulnerability has been resolved:
kernfs: fix potential NULL dereference in __kernfs_remove
When lockdep is enabled, lockdep_assert_held_write would cause potential NULL pointer dereference.
Fix the following smatch warnings:
fs/kernfs/dir.c:1353 __kernfs_remove() warn: variable dereferenced before check 'kn' (see line 1346)
{
"affected": [],
"aliases": [
"CVE-2022-50148"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernfs: fix potential NULL dereference in __kernfs_remove\n\nWhen lockdep is enabled, lockdep_assert_held_write would\ncause potential NULL pointer dereference.\n\nFix the following smatch warnings:\n\nfs/kernfs/dir.c:1353 __kernfs_remove() warn: variable dereferenced before check \u0027kn\u0027 (see line 1346)",
"id": "GHSA-r3cx-wcp6-7g33",
"modified": "2025-11-17T21:31:18Z",
"published": "2025-06-18T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50148"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4a9f35b8729c5bf13ea671c908c17ed74c48fc50"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72b5d5aef246a0387cefa23121dd90901c7a691a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b871986d9d3071f5082664ac274d93f08db257cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3FR-8Q6V-C82H
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:21In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
{
"affected": [],
"aliases": [
"CVE-2019-14248"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-24T04:15:00Z",
"severity": "MODERATE"
},
"details": "In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when \"%pragma limit\" is mishandled.",
"id": "GHSA-r3fr-8q6v-c82h",
"modified": "2024-04-04T01:21:56Z",
"published": "2022-05-24T16:51:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14248"
},
{
"type": "WEB",
"url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392576"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3FV-4XWJ-9XF2
Vulnerability from github – Published: 2022-01-15 00:00 – Updated: 2022-05-05 00:01An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.
{
"affected": [],
"aliases": [
"CVE-2021-46019"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GNU Recutils v1.8.90 can lead to a segmentation fault or application crash.",
"id": "GHSA-r3fv-4xwj-9xf2",
"modified": "2022-05-05T00:01:01Z",
"published": "2022-01-15T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46019"
},
{
"type": "WEB",
"url": "https://github.com/gnu-mirror-unofficial/recutils/commit/34b75ed7ad492c8e38b669ebafe0176f1f9992d2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDVOFC3HTBG7DF2PZTEXRMG4CV2F55UF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRSXSN2XF6PX74WDYVV26TQMYIFAEQ3T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDVOFC3HTBG7DF2PZTEXRMG4CV2F55UF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRSXSN2XF6PX74WDYVV26TQMYIFAEQ3T"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-recutils/2021-12/msg00009.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3GG-V2QJ-WCMP
Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-04-15 21:31In the Linux kernel, the following vulnerability has been resolved:
HID: betop: check shape of output reports
betopff_init() only checks the total sum of the report counts for each report field to be at least 4, but hid_betopff_play() expects 4 report fields. A device advertising an output report with one field and 4 report counts would pass the check but crash the kernel with a NULL pointer dereference in hid_betopff_play().
{
"affected": [],
"aliases": [
"CVE-2023-53015"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T17:15:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: betop: check shape of output reports\n\nbetopff_init() only checks the total sum of the report counts for each\nreport field to be at least 4, but hid_betopff_play() expects 4 report\nfields.\nA device advertising an output report with one field and 4 report counts\nwould pass the check but crash the kernel with a NULL pointer dereference\nin hid_betopff_play().",
"id": "GHSA-r3gg-v2qj-wcmp",
"modified": "2025-04-15T21:31:29Z",
"published": "2025-03-27T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53015"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07bc32e53c7bd5c91472cc485231ef6274db9b76"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a2a47b85cab50a3c146731bfeaf2d860f5344ee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28fc6095da22dc88433d79578ae1c495ebe8ca43"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3782c0d6edf658b71354a64d60aa7a296188fc90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7317326f685824c7c29bd80841fd18041af6bb73"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3065cc56221d1a5eda237e94eaf2a627b88ab79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbab4dba400d6ea9a9697fbbd287adbf7db1dac4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3H6-H7MC-HVH5
Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-10-29 21:30Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp.
{
"affected": [],
"aliases": [
"CVE-2024-25197"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T14:15:09Z",
"severity": "MODERATE"
},
"details": "Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp.",
"id": "GHSA-r3h6-h7mc-hvh5",
"modified": "2024-10-29T21:30:44Z",
"published": "2024-02-20T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25197"
},
{
"type": "WEB",
"url": "https://github.com/ros-planning/navigation2/issues/3940"
},
{
"type": "WEB",
"url": "https://github.com/ros-planning/navigation2/issues/3958"
},
{
"type": "WEB",
"url": "https://github.com/ros-planning/navigation2/issues/3971"
},
{
"type": "WEB",
"url": "https://github.com/ros-planning/navigation2/issues/3972"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.