Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-V8PQ-23QJ-Q7X7

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-12 00:00
VLAI
Details

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.",
  "id": "GHSA-v8pq-23qj-q7x7",
  "modified": "2022-06-12T00:00:47Z",
  "published": "2022-06-03T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1789"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1832397"
    },
    {
      "type": "WEB",
      "url": "https://francozappa.github.io/about-bias"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/647177"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H6JP355XFVAB33X4BNO3ERVTURFYEDB7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IBUOQTNTQ4ZCXHOCNKYIL2ZUIAZ675RD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KCEAPIVPRTJHKPF2A2HVF5XHD5XJT3MN"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5161"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8Q6-WC9P-P5FC

Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: pci: configure manual DAC mode via PCI config API only

To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA.

With NULL mmap address, kernel throws trace:

BUG: unable to handle page fault for address: 0000000000001090 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci] RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206 RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000 RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020 RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015 R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060 FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0 Call Trace: rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci] rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci] rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci] ? __pfxdeviceattach_driver+0x10/0x10 ? pfxdeviceattach_driver+0x10/0x10 local_pci_probe+0x47/0xa0 pci_call_probe+0x5d/0x190 pci_device_probe+0xa7/0x160 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x55/0xa0 driver_probe_device+0x8c/0x140 driver_probe_device+0x24/0xd0 __device_attach_driver+0xcd/0x170 bus_for_each_drv+0x99/0x100 __device_attach+0xb4/0x1d0 device_attach+0x10/0x20 pci_bus_add_device+0x59/0x90 pci_bus_add_devices+0x31/0x80 pciehp_configure_device+0xaa/0x170 pciehp_enable_slot+0xd6/0x240 pciehp_handle_presence_or_link_change+0xf1/0x180 pciehp_ist+0x162/0x1c0 irq_thread_fn+0x24/0x70 irq_thread+0xef/0x1c0 ? __pfx_irq_thread_fn+0x10/0x10 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xfc/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x47/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: configure manual DAC mode via PCI config API only\n\nTo support 36-bit DMA, configure chip proprietary bit via PCI config API\nor chip DBI interface. However, the PCI device mmap isn\u0027t set yet and\nthe DBI is also inaccessible via mmap, so only if the bit can be accessible\nvia PCI config API, chip can support 36-bit DMA. Otherwise, fallback to\n32-bit DMA.\n\nWith NULL mmap address, kernel throws trace:\n\n  BUG: unable to handle page fault for address: 0000000000001090\n  #PF: supervisor write access in kernel mode\n  #PF: error_code(0x0002) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0002 [#1] PREEMPT SMP PTI\n  CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE      6.14.2-061402-generic #202504101348\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]\n  RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206\n  RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000\n  RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020\n  RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015\n  R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060\n  FS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0\n  Call Trace:\n   \u003cTASK\u003e\n   rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]\n   rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]\n   rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]\n   ? __pfx___device_attach_driver+0x10/0x10\n   ? __pfx___device_attach_driver+0x10/0x10\n   local_pci_probe+0x47/0xa0\n   pci_call_probe+0x5d/0x190\n   pci_device_probe+0xa7/0x160\n   really_probe+0xf9/0x370\n   ? pm_runtime_barrier+0x55/0xa0\n   __driver_probe_device+0x8c/0x140\n   driver_probe_device+0x24/0xd0\n   __device_attach_driver+0xcd/0x170\n   bus_for_each_drv+0x99/0x100\n   __device_attach+0xb4/0x1d0\n   device_attach+0x10/0x20\n   pci_bus_add_device+0x59/0x90\n   pci_bus_add_devices+0x31/0x80\n   pciehp_configure_device+0xaa/0x170\n   pciehp_enable_slot+0xd6/0x240\n   pciehp_handle_presence_or_link_change+0xf1/0x180\n   pciehp_ist+0x162/0x1c0\n   irq_thread_fn+0x24/0x70\n   irq_thread+0xef/0x1c0\n   ? __pfx_irq_thread_fn+0x10/0x10\n   ? __pfx_irq_thread_dtor+0x10/0x10\n   ? __pfx_irq_thread+0x10/0x10\n   kthread+0xfc/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x47/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e",
  "id": "GHSA-v8q6-wc9p-p5fc",
  "modified": "2025-11-19T21:31:15Z",
  "published": "2025-07-10T09:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38284"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a70cf04b08f44f41bce14659aa7012674b15d9de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1e0f046041474004dc6ebce5ce1d3e86556291d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8XR-J3GP-FMXJ

Vulnerability from github – Published: 2024-02-07 21:30 – Updated: 2025-11-04 21:31
VLAI
Details

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-07T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Linux kernel\u0027s NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.",
  "id": "GHSA-v8xr-j3gp-fmxj",
  "modified": "2025-11-04T21:31:07Z",
  "published": "2024-02-07T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0723"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0724"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0725"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0881"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0897"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1248"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2094"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3810"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6535"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254053"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFYW6R64GPLUOXSQBJI3JBUX3HGLAYPP"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240415-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8XR-MC49-HFWW

Vulnerability from github – Published: 2022-05-24 21:59 – Updated: 2022-12-02 21:30
VLAI
Details

An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-07T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.",
  "id": "GHSA-v8xr-mc49-hfww",
  "modified": "2022-12-02T21:30:44Z",
  "published": "2022-05-24T21:59:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/bcf3b67d16a4c8ffae0aa79de5853435e683945c"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4118-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4115-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4008-3"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4008-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4005-1"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K50484570"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190719-0003"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bcf3b67d16a4c8ffae0aa79de5853435e683945c"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.7"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0036"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3217"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2837"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2736"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2043"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2029"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1971"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1959"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00055.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00056.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108286"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8XR-RGHJ-PVV9

Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-12-12 21:30
VLAI
Details

When BIG-IP AFM Device DoS or DoS profile is configured with NXDOMAIN attack vector and bad actor detection, undisclosed queries can cause the Traffic Management Microkernel (TMM) to terminate.  NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-14T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "\nWhen BIG-IP AFM Device DoS or DoS profile is configured with NXDOMAIN attack vector and bad actor detection, undisclosed queries can cause the Traffic Management Microkernel (TMM) to terminate.\u00a0\u00a0NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
  "id": "GHSA-v8xr-rghj-pvv9",
  "modified": "2024-12-12T21:30:45Z",
  "published": "2024-02-14T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21763"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000137521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V94G-GGP4-7F34

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

Softing edgeConnector Siemens OPC UA Server Null Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Softing edgeConnector Siemens. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of OPC client certificates. The issue results from dereferencing a NULL pointer. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20508.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T02:15:10Z",
    "severity": "HIGH"
  },
  "details": "Softing edgeConnector Siemens OPC UA Server Null Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Softing edgeConnector Siemens. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OPC client certificates. The issue results from dereferencing a NULL pointer. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20508.",
  "id": "GHSA-v94g-ggp4-7f34",
  "modified": "2024-05-03T03:30:48Z",
  "published": "2024-05-03T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27336"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1065"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V94M-PX3X-GG3C

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-08-25 00:00
VLAI
Details

A null pointer dereference vulnerability in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-13T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer dereference vulnerability in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.",
  "id": "GHSA-v94m-px3x-gg3c",
  "modified": "2022-08-25T00:00:26Z",
  "published": "2022-05-24T17:25:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16293"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=701795"
    },
    {
      "type": "WEB",
      "url": "https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7870f4951bcc6a153f317e3439e14d0e929fd231"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-20"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4469-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4748"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V95W-JFG2-CJ6W

Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2024-11-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: sdm845: add missing soundwire runtime stream alloc

During the migration of Soundwire runtime stream allocation from the Qualcomm Soundwire controller to SoC's soundcard drivers the sdm845 soundcard was forgotten.

At this point any playback attempt or audio daemon startup, for instance on sdm845-db845c (Qualcomm RB3 board), will result in stream pointer NULL dereference:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000 [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: ... CPU: 5 UID: 0 PID: 1198 Comm: aplay Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18 Hardware name: Thundercomm Dragonboard 845c (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus] lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus] sp : ffff80008a2035c0 x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000 x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800 x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003 x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000 x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003 x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8 Call trace: sdw_stream_add_slave+0x44/0x380 [soundwire_bus] wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x] snd_soc_dai_hw_params+0x3c/0xa4 __soc_pcm_hw_params+0x230/0x660 dpcm_be_dai_hw_params+0x1d0/0x3f8 dpcm_fe_dai_hw_params+0x98/0x268 snd_pcm_hw_params+0x124/0x460 snd_pcm_common_ioctl+0x998/0x16e8 snd_pcm_ioctl+0x34/0x58 __arm64_sys_ioctl+0xac/0xf8 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xe0 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 Code: aa0403fb f9418400 9100e000 9400102f (f8420f22) ---[ end trace 0000000000000000 ]---

0000000000006108 : 6108: d503233f paciasp 610c: a9b97bfd stp x29, x30, [sp, #-112]! 6110: 910003fd mov x29, sp 6114: a90153f3 stp x19, x20, [sp, #16] 6118: a9025bf5 stp x21, x22, [sp, #32] 611c: aa0103f6 mov x22, x1 6120: 2a0303f5 mov w21, w3 6124: a90363f7 stp x23, x24, [sp, #48] 6128: aa0003f8 mov x24, x0 612c: aa0203f7 mov x23, x2 6130: a9046bf9 stp x25, x26, [sp, #64] 6134: aa0403f9 mov x25, x4 <-- x4 copied to x25 6138: a90573fb stp x27, x28, [sp, #80] 613c: aa0403fb mov x27, x4 6140: f9418400 ldr x0, [x0, #776] 6144: 9100e000 add x0, x0, #0x38 6148: 94000000 bl 0 614c: f8420f22 ldr x2, [x25, #32]! <-- offset 0x44 ^^^ This is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave() where data abort happens. wsa881x_hw_params() is called with stream = NULL and passes it further in register x4 (5th argu ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: sdm845: add missing soundwire runtime stream alloc\n\nDuring the migration of Soundwire runtime stream allocation from\nthe Qualcomm Soundwire controller to SoC\u0027s soundcard drivers the sdm845\nsoundcard was forgotten.\n\nAt this point any playback attempt or audio daemon startup, for instance\non sdm845-db845c (Qualcomm RB3 board), will result in stream pointer\nNULL dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000020\n Mem abort info:\n   ESR = 0x0000000096000004\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x04: level 0 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101ecf000\n [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n Modules linked in: ...\n CPU: 5 UID: 0 PID: 1198 Comm: aplay\n Not tainted 6.12.0-rc2-qcomlt-arm64-00059-g9d78f315a362-dirty #18\n Hardware name: Thundercomm Dragonboard 845c (DT)\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n lr : sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n sp : ffff80008a2035c0\n x29: ffff80008a2035c0 x28: ffff80008a203978 x27: 0000000000000000\n x26: 00000000000000c0 x25: 0000000000000000 x24: ffff1676025f4800\n x23: ffff167600ff1cb8 x22: ffff167600ff1c98 x21: 0000000000000003\n x20: ffff167607316000 x19: ffff167604e64e80 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffcec265074160 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff167600ff1cec\n x5 : ffffcec22cfa2010 x4 : 0000000000000000 x3 : 0000000000000003\n x2 : ffff167613f836c0 x1 : 0000000000000000 x0 : ffff16761feb60b8\n Call trace:\n  sdw_stream_add_slave+0x44/0x380 [soundwire_bus]\n  wsa881x_hw_params+0x68/0x80 [snd_soc_wsa881x]\n  snd_soc_dai_hw_params+0x3c/0xa4\n  __soc_pcm_hw_params+0x230/0x660\n  dpcm_be_dai_hw_params+0x1d0/0x3f8\n  dpcm_fe_dai_hw_params+0x98/0x268\n  snd_pcm_hw_params+0x124/0x460\n  snd_pcm_common_ioctl+0x998/0x16e8\n  snd_pcm_ioctl+0x34/0x58\n  __arm64_sys_ioctl+0xac/0xf8\n  invoke_syscall+0x48/0x104\n  el0_svc_common.constprop.0+0x40/0xe0\n  do_el0_svc+0x1c/0x28\n  el0_svc+0x34/0xe0\n  el0t_64_sync_handler+0x120/0x12c\n  el0t_64_sync+0x190/0x194\n Code: aa0403fb f9418400 9100e000 9400102f (f8420f22)\n ---[ end trace 0000000000000000 ]---\n\n0000000000006108 \u003csdw_stream_add_slave\u003e:\n    6108:       d503233f        paciasp\n    610c:       a9b97bfd        stp     x29, x30, [sp, #-112]!\n    6110:       910003fd        mov     x29, sp\n    6114:       a90153f3        stp     x19, x20, [sp, #16]\n    6118:       a9025bf5        stp     x21, x22, [sp, #32]\n    611c:       aa0103f6        mov     x22, x1\n    6120:       2a0303f5        mov     w21, w3\n    6124:       a90363f7        stp     x23, x24, [sp, #48]\n    6128:       aa0003f8        mov     x24, x0\n    612c:       aa0203f7        mov     x23, x2\n    6130:       a9046bf9        stp     x25, x26, [sp, #64]\n    6134:       aa0403f9        mov     x25, x4        \u003c-- x4 copied to x25\n    6138:       a90573fb        stp     x27, x28, [sp, #80]\n    613c:       aa0403fb        mov     x27, x4\n    6140:       f9418400        ldr     x0, [x0, #776]\n    6144:       9100e000        add     x0, x0, #0x38\n    6148:       94000000        bl      0 \u003cmutex_lock\u003e\n    614c:       f8420f22        ldr     x2, [x25, #32]!  \u003c-- offset 0x44\n    ^^^\nThis is 0x6108 + offset 0x44 from the beginning of sdw_stream_add_slave()\nwhere data abort happens.\nwsa881x_hw_params() is called with stream = NULL and passes it further\nin register x4 (5th argu\n---truncated---",
  "id": "GHSA-v95w-jfg2-cj6w",
  "modified": "2024-11-12T15:30:32Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50104"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0e806b0cc6260b59c65e606034a63145169c04c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc34d36879f87e5a3813fb66655b8bdb90c7b0d8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V992-JPVQ-942P

Vulnerability from github – Published: 2022-05-17 00:47 – Updated: 2025-04-20 03:45
VLAI
Details

AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp in Bento4 version 1.5.0-617 has missing NULL checks, leading to a NULL pointer dereference, segmentation fault, and application crash in AP4_Atom::SetType in Core/Ap4Atom.h.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-21T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp in Bento4 version 1.5.0-617 has missing NULL checks, leading to a NULL pointer dereference, segmentation fault, and application crash in AP4_Atom::SetType in Core/Ap4Atom.h.",
  "id": "GHSA-v992-jpvq-942p",
  "modified": "2025-04-20T03:45:41Z",
  "published": "2022-05-17T00:47:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/commit/be7185faf7f52674028977dcf501c6039ff03aa5"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/09/14/bento4-null-pointer-dereference-in-ap4_atomsettype-ap4atom-h"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V99G-2HWC-34C3

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix sysfs interface lifetime

The current nilfs2 sysfs support has issues with the timing of creation and deletion of sysfs entries, potentially leading to null pointer dereferences, use-after-free, and lockdep warnings.

Some of the sysfs attributes for nilfs2 per-filesystem instance refer to metadata file "cpfile", "sufile", or "dat", but nilfs_sysfs_create_device_group that creates those attributes is executed before the inodes for these metadata files are loaded, and nilfs_sysfs_delete_device_group which deletes these sysfs entries is called after releasing their metadata file inodes.

Therefore, access to some of these sysfs attributes may occur outside of the lifetime of these metadata files, resulting in inode NULL pointer dereferences or use-after-free.

In addition, the call to nilfs_sysfs_create_device_group() is made during the locking period of the semaphore "ns_sem" of nilfs object, so the shrinker call caused by the memory allocation for the sysfs entries, may derive lock dependencies "ns_sem" -> (shrinker) -> "locks acquired in nilfs_evict_inode()".

Since nilfs2 may acquire "ns_sem" deep in the call stack holding other locks via its error handler __nilfs_error(), this causes lockdep to report circular locking. This is a false positive and no circular locking actually occurs as no inodes exist yet when nilfs_sysfs_create_device_group() is called. Fortunately, the lockdep warnings can be resolved by simply moving the call to nilfs_sysfs_create_device_group() out of "ns_sem".

This fixes these sysfs issues by revising where the device's sysfs interface is created/deleted and keeping its lifetime within the lifetime of the metadata files above.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix sysfs interface lifetime\n\nThe current nilfs2 sysfs support has issues with the timing of creation\nand deletion of sysfs entries, potentially leading to null pointer\ndereferences, use-after-free, and lockdep warnings.\n\nSome of the sysfs attributes for nilfs2 per-filesystem instance refer to\nmetadata file \"cpfile\", \"sufile\", or \"dat\", but\nnilfs_sysfs_create_device_group that creates those attributes is executed\nbefore the inodes for these metadata files are loaded, and\nnilfs_sysfs_delete_device_group which deletes these sysfs entries is\ncalled after releasing their metadata file inodes.\n\nTherefore, access to some of these sysfs attributes may occur outside of\nthe lifetime of these metadata files, resulting in inode NULL pointer\ndereferences or use-after-free.\n\nIn addition, the call to nilfs_sysfs_create_device_group() is made during\nthe locking period of the semaphore \"ns_sem\" of nilfs object, so the\nshrinker call caused by the memory allocation for the sysfs entries, may\nderive lock dependencies \"ns_sem\" -\u003e (shrinker) -\u003e \"locks acquired in\nnilfs_evict_inode()\".\n\nSince nilfs2 may acquire \"ns_sem\" deep in the call stack holding other\nlocks via its error handler __nilfs_error(), this causes lockdep to report\ncircular locking.  This is a false positive and no circular locking\nactually occurs as no inodes exist yet when\nnilfs_sysfs_create_device_group() is called.  Fortunately, the lockdep\nwarnings can be resolved by simply moving the call to\nnilfs_sysfs_create_device_group() out of \"ns_sem\".\n\nThis fixes these sysfs issues by revising where the device\u0027s sysfs\ninterface is created/deleted and keeping its lifetime within the lifetime\nof the metadata files above.",
  "id": "GHSA-v99g-2hwc-34c3",
  "modified": "2025-12-11T18:30:35Z",
  "published": "2025-09-18T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53440"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1942ccb7d95f287a312fcbabfa8bc9ba501b1953"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3dbee84bf9e3273c4bb9ca6fc18ff22fba23dd24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42560f9c92cc43dce75dbf06cc0d840dced39b12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fe0ea141fbb887d407f1bf572ebf24427480d5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83b16a60e413148685739635901937e2f16a7873"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d20dcec8f326deb77b6688f8441e014045dac457"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d540aea451ab5489777a8156560f1388449b3109"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/daf4eb3a908b108279b60172d2f176e70d2df875"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.