Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-V2QV-379G-FMVW

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()

In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to ctx->active_fmt and there is a dereference of it after that, which could lead to NULL pointer dereference on failure of devm_kzalloc().

Fix this bug by adding a NULL check of ctx->active_fmt.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:02Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()\n\nIn cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to\nctx-\u003eactive_fmt and there is a dereference of it after that, which could\nlead to NULL pointer dereference on failure of devm_kzalloc().\n\nFix this bug by adding a NULL check of ctx-\u003eactive_fmt.\n\nThis bug was found by a static analyzer.\n\nBuilds with \u0027make allyesconfig\u0027 show no new warnings, and our static\nanalyzer no longer warns about this code.",
  "id": "GHSA-v2qv-379g-fmvw",
  "modified": "2025-09-22T21:30:16Z",
  "published": "2025-09-22T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49254"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1381f1a629a090c251965edb56f849ad648414a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91e2805579ab0783eed53acc2bf9fb553e939004"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa613ac270292e102503e9767882e39200efe608"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/abd77889851d2ead0d0c9c4d29f1808801477b00"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2QW-7M3M-R9QX

Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2024-04-04 06:53
VLAI
Details

vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-11T14:15:12Z",
    "severity": "MODERATE"
  },
  "details": "vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.",
  "id": "GHSA-v2qw-7m3m-r9qx",
  "modified": "2024-04-04T06:53:29Z",
  "published": "2023-08-11T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/issues/7674"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230915-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V32F-G8J8-65F7

Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2024-03-13 18:31
VLAI
Details

A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition.

This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a crash of the dhcpd process. While the dhcpd process is restarting, which may take approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period and rely on the DHCPv4 server of the affected device.

Notes:

Only the dhcpd process crashes and eventually restarts automatically. The router does not reload. This vulnerability only applies to DHCPv4. DHCP version 6 (DHCPv6) is not affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-13T17:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition.\n\n This vulnerability exists because certain DHCPv4 messages are improperly validated when they are processed by an affected device. An attacker could exploit this vulnerability by sending a malformed DHCPv4 message to an affected device. A successful exploit could allow the attacker to cause a crash of the dhcpd process. While the dhcpd process is restarting, which may take approximately two minutes, DHCPv4 server services are unavailable on the affected device. This could temporarily prevent network access to clients that join the network during that time period and rely on the DHCPv4 server of the affected device.\n\n Notes: \n\n \n Only the dhcpd process crashes and eventually restarts automatically. The router does not reload.\n This vulnerability only applies to DHCPv4. DHCP version 6 (DHCPv6) is not affected.",
  "id": "GHSA-v32f-g8j8-65f7",
  "modified": "2024-03-13T18:31:35Z",
  "published": "2024-03-13T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20266"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dhcp-dos-3tgPKRdm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V32F-P355-M49P

Vulnerability from github – Published: 2022-05-17 00:27 – Updated: 2022-05-17 00:27
VLAI
Details

Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) or possibly obtain sensitive information, aka XSA-221.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-05T01:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) or possibly obtain sensitive information, aka XSA-221.",
  "id": "GHSA-v32f-p355-m49p",
  "modified": "2022-05-17T00:27:17Z",
  "published": "2022-05-17T00:27:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10917"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201708-03"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-221.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3969"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99157"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038731"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V32H-8F7R-3543

Vulnerability from github – Published: 2025-08-27 21:31 – Updated: 2025-11-05 00:31
VLAI
Details

If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the kea-dhcp4 process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem. This issue affects Kea versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-27T21:15:54Z",
    "severity": "HIGH"
  },
  "details": "If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the `kea-dhcp4` process will abort with an assertion failure.  This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem.\nThis issue affects Kea versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0.",
  "id": "GHSA-v32h-8f7r-3543",
  "modified": "2025-11-05T00:31:25Z",
  "published": "2025-08-27T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40779"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/docs/cve-2025-40779"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/27/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V32R-M6J9-4VHW

Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-11-26 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Revert "drm/prime: Use dma_buf from GEM object instance"

This reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8.

The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref.

Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated.

Hence, this revert to going back to using .import_attach->dmabuf.

v3: - cc stable

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T16:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/prime: Use dma_buf from GEM object instance\"\n\nThis reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8.\n\nThe dma_buf field in struct drm_gem_object is not stable over the\nobject instance\u0027s lifetime. The field becomes NULL when user space\nreleases the final GEM handle on the buffer object. This resulted\nin a NULL-pointer deref.\n\nWorkarounds in commit 5307dce878d4 (\"drm/gem: Acquire references on\nGEM handles for framebuffers\") and commit f6bfc9afc751 (\"drm/framebuffer:\nAcquire internal references on GEM handles\") only solved the problem\npartially. They especially don\u0027t work for buffer objects without a DRM\nframebuffer associated.\n\nHence, this revert to going back to using .import_attach-\u003edmabuf.\n\nv3:\n- cc stable",
  "id": "GHSA-v32r-m6j9-4vhw",
  "modified": "2025-11-26T00:30:15Z",
  "published": "2025-08-22T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38674"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f05d83ce689a8930a70dfa73f879604aef8cc03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb4ef4a52b79a22ad382bfe77332642d02aef773"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V33C-VR3G-MWH2

Vulnerability from github – Published: 2022-05-17 00:12 – Updated: 2022-05-17 00:12
VLAI
Details

In HDF5 1.10.1, there is a NULL pointer dereference in the function H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-11T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In HDF5 1.10.1, there is a NULL pointer dereference in the function H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.",
  "id": "GHSA-v33c-vr3g-mwh2",
  "modified": "2022-05-17T00:12:51Z",
  "published": "2022-05-17T00:12:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiaoqx/pocs/tree/master/hdf5/readme.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V352-44GF-8R9H

Vulnerability from github – Published: 2025-12-11 00:30 – Updated: 2025-12-11 18:30
VLAI
Details

NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T22:16:27Z",
    "severity": "MODERATE"
  },
  "details": "NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs.",
  "id": "GHSA-v352-44gf-8r9h",
  "modified": "2025-12-11T18:30:43Z",
  "published": "2025-12-11T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/JSON-NULL-Dereference.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3CW-88QX-CF5C

Vulnerability from github – Published: 2024-01-02 06:30 – Updated: 2024-01-02 06:30
VLAI
Details

Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-02T06:15:09Z",
    "severity": "HIGH"
  },
  "details": "Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call.",
  "id": "GHSA-v3cw-88qx-cf5c",
  "modified": "2024-01-02T06:30:30Z",
  "published": "2024-01-02T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33036"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3P7-5H4W-XRJG

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in expand_smacro() in modules/preprocs/nasm/nasm-pp.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in expand_smacro() in modules/preprocs/nasm/nasm-pp.c.",
  "id": "GHSA-v3p7-5h4w-xrjg",
  "modified": "2022-07-29T00:00:33Z",
  "published": "2022-07-27T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yasm/yasm/issues/172"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.