Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-V55M-3GV3-H8MM

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

libming 0.4.8 has a NULL pointer dereference in the getInt function of the decompile.c file, a different vulnerability than CVE-2018-9132.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-24T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "libming 0.4.8 has a NULL pointer dereference in the getInt function of the decompile.c file, a different vulnerability than CVE-2018-9132.",
  "id": "GHSA-v55m-3gv3-h8mm",
  "modified": "2022-05-14T01:42:54Z",
  "published": "2022-05-14T01:42:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20427"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libming/libming/issues/164"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V55P-34X8-PFVV

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function frame::FrameDecoder::process() located in frame_decoder.c. It allows an attacker to cause Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function frame::FrameDecoder::process() located in frame_decoder.c. It allows an attacker to cause Denial of Service.",
  "id": "GHSA-v55p-34x8-pfvv",
  "modified": "2022-05-24T19:15:08Z",
  "published": "2022-05-24T19:15:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39548"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sahaRatul/sela/issues/28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V579-RCH8-988W

Vulnerability from github – Published: 2025-03-12 00:31 – Updated: 2025-03-12 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tipc: move bc link creation back to tipc_node_create

Shuang Li reported a NULL pointer dereference crash:

[] BUG: kernel NULL pointer dereference, address: 0000000000000068 [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc] [] Call Trace: [] [] tipc_bcast_rcv+0xa2/0x190 [tipc] [] tipc_node_bc_rcv+0x8b/0x200 [tipc] [] tipc_rcv+0x3af/0x5b0 [tipc] [] tipc_udp_recv+0xc7/0x1e0 [tipc]

It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it creates a node in tipc_node_check_dest(), after inserting the new node into hashtable in tipc_node_create(), it creates the bc link. However, there is a gap between this insert and bc link creation, a bc packet may come in and get the node from the hashtable then try to dereference its bc link, which is NULL.

This patch is to fix it by moving the bc link creation before inserting into the hashtable.

Note that for a preliminary node becoming "real", the bc link creation should also be called before it's rehashed, as we don't create it for preliminary nodes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:41Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: move bc link creation back to tipc_node_create\n\nShuang Li reported a NULL pointer dereference crash:\n\n  [] BUG: kernel NULL pointer dereference, address: 0000000000000068\n  [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]\n  [] Call Trace:\n  []  \u003cIRQ\u003e\n  []  tipc_bcast_rcv+0xa2/0x190 [tipc]\n  []  tipc_node_bc_rcv+0x8b/0x200 [tipc]\n  []  tipc_rcv+0x3af/0x5b0 [tipc]\n  []  tipc_udp_recv+0xc7/0x1e0 [tipc]\n\nIt was caused by the \u0027l\u0027 passed into tipc_bcast_rcv() is NULL. When it\ncreates a node in tipc_node_check_dest(), after inserting the new node\ninto hashtable in tipc_node_create(), it creates the bc link. However,\nthere is a gap between this insert and bc link creation, a bc packet\nmay come in and get the node from the hashtable then try to dereference\nits bc link, which is NULL.\n\nThis patch is to fix it by moving the bc link creation before inserting\ninto the hashtable.\n\nNote that for a preliminary node becoming \"real\", the bc link creation\nshould also be called before it\u0027s rehashed, as we don\u0027t create it for\npreliminary nodes.",
  "id": "GHSA-v579-rch8-988w",
  "modified": "2025-03-12T00:31:48Z",
  "published": "2025-03-12T00:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49664"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35fcb2ba35b4d9b592b558c3bcc6e0d90e213588"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/456bc338871c4a52117dd5ef29cce3745456d248"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb8092d70a6f5f01ec1490fce4d35efed3ed996c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e52910e671f58c619e33dac476b11b35e2d3ab6f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V57W-FX8G-P4V2

Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2025-12-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling

If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows:

Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...]

Otherwise, the panics don't happen. This indicates that it's some sort of race condition.

Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T16:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/exynos: exynos7_drm_decon: add vblank check in IRQ handling\n\nIf there\u0027s support for another console device (such as a TTY serial),\nthe kernel occasionally panics during boot. The panic message and a\nrelevant snippet of the call stack is as follows:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 000000000000000\n  Call trace:\n    drm_crtc_handle_vblank+0x10/0x30 (P)\n    decon_irq_handler+0x88/0xb4\n    [...]\n\nOtherwise, the panics don\u0027t happen. This indicates that it\u0027s some sort\nof race condition.\n\nAdd a check to validate if the drm device can handle vblanks before\ncalling drm_crtc_handle_vblank() to avoid this.",
  "id": "GHSA-v57w-fx8g-p4v2",
  "modified": "2025-12-22T21:30:30Z",
  "published": "2025-07-25T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38467"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/391e5ea5b877230b844c9bd8bbcd91b681b1ce2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87825fbd1e176cd5b896940f3959e7c9a916945d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/996740652e620ef8ee1e5c65832cf2ffa498577d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2130463fc9451005660b0eda7b61d5f746f7d74"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a40a35166f7e4f6dcd4b087d620c8228922dcb0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4e72c0bf878f02faa00a7dc7c9ffc4ff7c116a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b846350aa272de99bf6fecfa6b08e64ebfb13173"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9d9b25f376737b81f06de9c5aa422b488f47184"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V58C-VJ35-4Q53

Vulnerability from github – Published: 2022-05-14 01:20 – Updated: 2022-05-14 01:20
VLAI
Details

In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-22T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.",
  "id": "GHSA-v58c-vj35-4q53",
  "modified": "2022-05-14T01:20:34Z",
  "published": "2022-05-14T01:20:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15721"
    },
    {
      "type": "WEB",
      "url": "https://irssi.org/security/irssi_sa_2017_10.txt"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4016"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/10/22/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V58G-F5GQ-6G2R

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:01
VLAI
Details

Possible null-pointer dereference can occur while parsing avi clip during copy in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-10489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Possible null-pointer dereference can occur while parsing avi clip during copy in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20",
  "id": "GHSA-v58g-f5gq-6g2r",
  "modified": "2024-04-04T02:01:11Z",
  "published": "2022-05-24T16:57:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10489"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5C2-F543-4VHM

Vulnerability from github – Published: 2024-08-17 12:30 – Updated: 2024-12-09 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix null reference error when checking end of zone

This patch fixes a potentially null pointer being accessed by is_end_zone_blkaddr() that checks the last block of a zone when f2fs is mounted as a single device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T10:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix null reference error when checking end of zone\n\nThis patch fixes a potentially null pointer being accessed by\nis_end_zone_blkaddr() that checks the last block of a zone\nwhen f2fs is mounted as a single device.",
  "id": "GHSA-v5c2-f543-4vhm",
  "modified": "2024-12-09T15:31:33Z",
  "published": "2024-08-17T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43857"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/381cbe85592c78fbaeb3e770e3e9f3bfa3e67efb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b98777309756ebe15cc9ad4e8ab64bbfaf878a3f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c82bc1ab2a8a5e73d9728e80c4c2ed87e8921a38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5F8-GC5J-R8RV

Vulnerability from github – Published: 2021-11-19 00:00 – Updated: 2022-10-16 19:00
VLAI
Details

NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-18T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-v5f8-gc5j-r8rv",
  "modified": "2022-10-16T19:00:30Z",
  "published": "2021-11-19T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39920"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39920.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/17705"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6AJFIYIHS3TYDD2EBYBJ5KKE52X34BJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YEWTIRMC2MFQBZ2O5M4CJHJM4JPBHLXH"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-04"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5019"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2021-15.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5FM-W222-68GQ

Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix NULL pointer dereference in tipc_mon_reinit_self()

syzbot reported:

tipc: Node number set to 1055423674 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events tipc_net_finalize_work RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 ... RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719 ... RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007 R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010 FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

There is a racing condition between workqueue created when enabling bearer and another thread created when disabling bearer right after that as follow:

enabling_bearer disabling_bearer
tipc_disc_timeout()
{ bearer_disable()
... {
schedule_work(&tn->work); tipc_mon_delete()
... {
} ...
write_lock_bh(&mon->lock);
mon->self = NULL;
write_unlock_bh(&mon->lock);
...
}
tipc_net_finalize_work() }
{
...
tipc_net_finalize()
{
...
tipc_mon_reinit_self()
{
...
write_lock_bh(&mon->lock);
mon->self->addr = tipc_own_addr(net);
write_unlock_bh(&mon->lock);
...
---truncated---
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T07:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix NULL pointer dereference in tipc_mon_reinit_self()\n\nsyzbot reported:\n\ntipc: Node number set to 1055423674\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: events tipc_net_finalize_work\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140\n process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n...\nRIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719\n...\nRSP: 0018:ffffc9000356fb68 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba\nRDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010\nRBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007\nR13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010\nFS:  0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\nThere is a racing condition between workqueue created when enabling\nbearer and another thread created when disabling bearer right after\nthat as follow:\n\nenabling_bearer                          | disabling_bearer\n---------------                          | ----------------\ntipc_disc_timeout()                      |\n{                                        | bearer_disable()\n ...                                     | {\n schedule_work(\u0026tn-\u003ework);               |  tipc_mon_delete()\n ...                                     |  {\n}                                        |   ...\n                                         |   write_lock_bh(\u0026mon-\u003elock);\n                                         |   mon-\u003eself = NULL;\n                                         |   write_unlock_bh(\u0026mon-\u003elock);\n                                         |   ...\n                                         |  }\ntipc_net_finalize_work()                 | }\n{                                        |\n ...                                     |\n tipc_net_finalize()                     |\n {                                       |\n  ...                                    |\n  tipc_mon_reinit_self()                 |\n  {                                      |\n   ...                                   |\n   write_lock_bh(\u0026mon-\u003elock);            |\n   mon-\u003eself-\u003eaddr = tipc_own_addr(net); |\n   write_unlock_bh(\u0026mon-\u003elock);          |\n   ...             \n---truncated---",
  "id": "GHSA-v5fm-w222-68gq",
  "modified": "2025-11-10T18:30:31Z",
  "published": "2025-05-08T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37824"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ceef62a328ce1288598c9242576292671f21e96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d5e1e2d3e9d70beff7beab44fd6ce91405a405e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fd464fd24de93d0eca377554bf0ff2548f76f30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3df56010403b2cd26388096ebccf959d23c4dcc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d63527e109e811ef11abb1c2985048fdb528b4cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd6cb0a8575b00fbd503e96903184125176f4fa3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6613b6d41f4010c4d484cbc7bfca690d8d522a2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e79e8e05aa46f90d21023f0ffe6f136ed6a20932"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V5J8-4G8Q-9Q2C

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2025-09-23 12:31
VLAI
Details

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions: QTS 5.2.1.2930 build 20241025 and later QuTS hero h5.2.1.2929 build 20241025 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T16:15:23Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.1.2930 build 20241025 and later\nQuTS hero h5.2.1.2929 build 20241025 and later",
  "id": "GHSA-v5j8-4g8q-9q2c",
  "modified": "2025-09-23T12:31:11Z",
  "published": "2024-11-22T21:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37042"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.