Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-R633-2867-CRC8

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-04-17 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: hso: fix null-ptr-deref during tty device unregistration

Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref.

The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number.

Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:45Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hso: fix null-ptr-deref during tty device unregistration\n\nMultiple ttys try to claim the same the minor number causing a double\nunregistration of the same device. The first unregistration succeeds\nbut the next one results in a null-ptr-deref.\n\nThe get_free_serial_index() function returns an available minor number\nbut doesn\u0027t assign it immediately. The assignment is done by the caller\nlater. But before this assignment, calls to get_free_serial_index()\nwould return the same minor number.\n\nFix this by modifying get_free_serial_index to assign the minor number\nimmediately after one is found to be and rename it to obtain_minor()\nto better reflect what it does. Similary, rename set_serial_by_index()\nto release_minor() and modify it to free up the minor number of the\ngiven hso_serial. Every obtain_minor() should have corresponding\nrelease_minor() call.",
  "id": "GHSA-r633-2867-crc8",
  "modified": "2024-04-17T21:30:45Z",
  "published": "2024-02-26T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46904"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/145c89c441d27696961752bf51b323f347601bee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/388d05f70f1ee0cac4a2068fd295072f1a44152a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a2933c88399c0ebc738db39bbce3ae89786d723"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a12f8836145ffe37e9c8733dce18c22fb668b66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92028d7a31e55d53e41cff679156b9432cffcb36"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a462067d7c8e6953a733bf5ade8db947b1bb5449"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/caf5ac93b3b5d5fac032fc11fbea680e115421b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc195928d7e4ec7b5cfc6cd10dc4c8d87a7c72ac"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R659-6FH2-V3GV

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-25T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault.",
  "id": "GHSA-r659-6fh2-v3gv",
  "modified": "2022-05-24T17:45:35Z",
  "published": "2022-05-24T17:45:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3119"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sqlcipher/sqlcipher/commit/cb71f53e8cea4802509f182fa5bead0ac6ab0e7f#diff-9305215a9a0ea69300281fc4af90bc7f3437e34a0e1745d030213152993ddae4"
    },
    {
      "type": "WEB",
      "url": "https://www.telekom.com/resource/blob/621186/3fb50ca7a4a97728be18717ed7b0062c/dl-210308-critical-dos-vulnerability-in-sqlcipher-sql-command-processing-data.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R65M-837P-745W

Vulnerability from github – Published: 2022-05-14 03:24 – Updated: 2022-05-14 03:24
VLAI
Details

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, and SDX20, lack of input validation in NPA driver functions leads to null pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-9145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-18T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, and SDX20, lack of input validation in NPA driver functions leads to null pointer dereference.",
  "id": "GHSA-r65m-837p-745w",
  "modified": "2022-05-14T03:24:49Z",
  "published": "2022-05-14T03:24:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9145"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-04-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103671"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R65X-4XHJ-7G65

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2024-12-23 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: core: Clearing the circular buffer before NULLifying it

The circular buffer is NULLified in uart_tty_port_shutdown() under the spin lock. However, the PM or other timer based callbacks may still trigger after this event without knowning that buffer pointer is not valid. Since the serial code is a bit inconsistent in checking the buffer state (some rely on the head-tail positions, some on the buffer pointer), it's better to have both aligned, i.e. buffer pointer to be NULL and head-tail possitions to be the same, meaning it's empty. This will prevent asynchronous calls to dereference NULL pointer as reported recently in 8250 case:

BUG: kernel NULL pointer dereference, address: 00000cf5 Workqueue: pm pm_runtime_work EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) ... ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) __start_tx (drivers/tty/serial/8250/8250_port.c:1551) serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654) serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63) __rpm_callback (drivers/base/power/runtime.c:393) ? serial_port_remove (drivers/tty/serial/serial_port.c:50) rpm_suspend (drivers/base/power/runtime.c:447)

The proposed change will prevent ->start_tx() to be called during suspend on shut down port.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: Clearing the circular buffer before NULLifying it\n\nThe circular buffer is NULLified in uart_tty_port_shutdown()\nunder the spin lock. However, the PM or other timer based callbacks\nmay still trigger after this event without knowning that buffer pointer\nis not valid. Since the serial code is a bit inconsistent in checking\nthe buffer state (some rely on the head-tail positions, some on the\nbuffer pointer), it\u0027s better to have both aligned, i.e. buffer pointer\nto be NULL and head-tail possitions to be the same, meaning it\u0027s empty.\nThis will prevent asynchronous calls to dereference NULL pointer as\nreported recently in 8250 case:\n\n  BUG: kernel NULL pointer dereference, address: 00000cf5\n  Workqueue: pm pm_runtime_work\n  EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)\n  ...\n  ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)\n  __start_tx (drivers/tty/serial/8250/8250_port.c:1551)\n  serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)\n  serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)\n  __rpm_callback (drivers/base/power/runtime.c:393)\n  ? serial_port_remove (drivers/tty/serial/serial_port.c:50)\n  rpm_suspend (drivers/base/power/runtime.c:447)\n\nThe proposed change will prevent -\u003estart_tx() to be called during\nsuspend on shut down port.",
  "id": "GHSA-r65x-4xhj-7g65",
  "modified": "2024-12-23T21:30:50Z",
  "published": "2024-05-01T06:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26998"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ae7104d54342433a3a73975f6569beefdd86350"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9cf7ea2eeb745213dc2a04103e426b960e807940"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bb1118905e875c111d7ccef9aee86ac5e4e7f985"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6FW-8V76-P9QQ

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30
VLAI
Details

Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:17:09Z",
    "severity": "MODERATE"
  },
  "details": "Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.",
  "id": "GHSA-r6fw-8v76-p9qq",
  "modified": "2026-06-09T18:30:44Z",
  "published": "2026-06-09T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42903"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42903"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6JQ-J675-MX68

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33
VLAI
Details

NULL pointer dereference in IP socket options processing of the Networking Stack in QNX Software Development Platform (SDP) version(s) 7.1 and 7.0 could allow an attacker with local access to cause a denial-of-service condition in the context of the Networking Stack process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T18:15:05Z",
    "severity": "MODERATE"
  },
  "details": "NULL pointer dereference in IP socket options processing of the Networking Stack in QNX Software Development Platform (SDP) version(s) 7.1 and 7.0 could allow an attacker with local access to cause a denial-of-service condition in the context of the Networking Stack process.",
  "id": "GHSA-r6jq-j675-mx68",
  "modified": "2024-10-08T18:33:14Z",
  "published": "2024-10-08T18:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35215"
    },
    {
      "type": "WEB",
      "url": "https://support.blackberry.com/pkb/s/article/140162"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6PG-PJWC-J585

Vulnerability from github – Published: 2021-05-21 14:25 – Updated: 2024-11-01 17:03
VLAI
Summary
Null pointer dereference in `SparseFillEmptyRows`
Details

Impact

An attacker can trigger a null pointer dereference in the implementation of tf.raw_ops.SparseFillEmptyRows:

import tensorflow as tf

indices = tf.constant([], shape=[0, 0], dtype=tf.int64)
values = tf.constant([], shape=[0], dtype=tf.int64)
dense_shape = tf.constant([], shape=[0], dtype=tf.int64)
default_value = 0

tf.raw_ops.SparseFillEmptyRows(
    indices=indices, values=values, dense_shape=dense_shape,
    default_value=default_value)

This is because of missing validation that was covered under a TODO. If the dense_shape tensor is empty, then dense_shape_t.vec<>() would cause a null pointer dereference in the implementation of the op:

template <typename T, typename Tindex>
struct SparseFillEmptyRows<CPUDevice, T, Tindex> {
  Status operator()(OpKernelContext* context, const Tensor& default_value_t,
                    const Tensor& indices_t, const Tensor& values_t,
                    const Tensor& dense_shape_t,
                    typename AsyncOpKernel::DoneCallback done) {
    ...
    const auto dense_shape = dense_shape_t.vec<Tindex>();
    ... 
  }
}

Patches

We have patched the issue in GitHub commit faa76f39014ed3b5e2c158593b1335522e573c7f.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T19:34:50Z",
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAn attacker can trigger a null pointer dereference in the implementation of `tf.raw_ops.SparseFillEmptyRows`:\n\n```python\nimport tensorflow as tf\n\nindices = tf.constant([], shape=[0, 0], dtype=tf.int64)\nvalues = tf.constant([], shape=[0], dtype=tf.int64)\ndense_shape = tf.constant([], shape=[0], dtype=tf.int64)\ndefault_value = 0\n    \ntf.raw_ops.SparseFillEmptyRows(\n    indices=indices, values=values, dense_shape=dense_shape,\n    default_value=default_value)\n```\n\nThis is because of missing [validation](https://github.com/tensorflow/tensorflow/blob/fdc82089d206e281c628a93771336bf87863d5e8/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L230-L231) that was covered under a `TODO`. If the `dense_shape` tensor is empty, then `dense_shape_t.vec\u003c\u003e()` would cause a null pointer dereference in the implementation of the op:\n\n```cc\ntemplate \u003ctypename T, typename Tindex\u003e\nstruct SparseFillEmptyRows\u003cCPUDevice, T, Tindex\u003e {\n  Status operator()(OpKernelContext* context, const Tensor\u0026 default_value_t,\n                    const Tensor\u0026 indices_t, const Tensor\u0026 values_t,\n                    const Tensor\u0026 dense_shape_t,\n                    typename AsyncOpKernel::DoneCallback done) {\n    ...\n    const auto dense_shape = dense_shape_t.vec\u003cTindex\u003e();\n    ... \n  }\n}\n``` \n\n### Patches\nWe have patched the issue in GitHub commit [faa76f39014ed3b5e2c158593b1335522e573c7f](https://github.com/tensorflow/tensorflow/commit/faa76f39014ed3b5e2c158593b1335522e573c7f).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
  "id": "GHSA-r6pg-pjwc-j585",
  "modified": "2024-11-01T17:03:07Z",
  "published": "2021-05-21T14:25:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6pg-pjwc-j585"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29565"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/faa76f39014ed3b5e2c158593b1335522e573c7f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-493.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-691.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-202.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Null pointer dereference in `SparseFillEmptyRows`"
}

GHSA-R6X3-RV9G-7PFH

Vulnerability from github – Published: 2022-05-13 01:54 – Updated: 2022-05-13 01:54
VLAI
Details

The iwbmp_read_info_header function in imagew-bmp.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-06T00:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The iwbmp_read_info_header function in imagew-bmp.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.",
  "id": "GHSA-r6x3-rv9g-7pfh",
  "modified": "2022-05-13T01:54:11Z",
  "published": "2022-05-13T01:54:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsummers/imageworsener/issues/8"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201706-06"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97496"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6XP-8QHF-G8WC

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2023-02-01 00:30
VLAI
Details

An issue was discovered in fig2dev through 20200520. A NULL pointer dereference exists in the function compute_closed_spline() located in trans_spline.c. It allows an attacker to cause Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in fig2dev through 20200520. A NULL pointer dereference exists in the function compute_closed_spline() located in trans_spline.c. It allows an attacker to cause Denial of Service.",
  "id": "GHSA-r6xp-8qhf-g8wc",
  "modified": "2023-02-01T00:30:29Z",
  "published": "2022-05-24T19:15:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32280"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00044.html"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/mcj/fig2dev/ci/f17a3b8a7d54c1bc56ab92512531772a0b3ec991"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/mcj/tickets/107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R744-R36F-363J

Vulnerability from github – Published: 2022-01-18 00:00 – Updated: 2022-01-25 00:02
VLAI
Details

mruby is vulnerable to NULL Pointer Dereference

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-17T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "mruby is vulnerable to NULL Pointer Dereference",
  "id": "GHSA-r744-r36f-363j",
  "modified": "2022-01-25T00:02:41Z",
  "published": "2022-01-18T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/5857eced-aad9-417d-864e-0bdf17226cbb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.