Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-VP8V-GJJ6-F34X

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref.

Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may safer than misreporting "No Such Interface".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T10:16:23Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: icmp: fix null-ptr-deref in icmp_build_probe()\n\nipv6_stub-\u003eipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the\nIPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing\nthis error pointer to dev_hold() will cause a kernel crash with\nnull-ptr-deref.\n\nInstead, silently discard the request. RFC 8335 does not appear to\ndefine a specific response for the case where an IPv6 interface\nidentifier is syntactically valid but the implementation cannot perform\nthe lookup at runtime, and silently dropping the request may safer than\nmisreporting \"No Such Interface\".",
  "id": "GHSA-vp8v-gjj6-f34x",
  "modified": "2026-06-01T18:31:29Z",
  "published": "2026-05-06T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43099"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f21bc261e60f0c696c58841c4873ff77ed83673"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47a8bf52156ac7e7a581eca31c1f964ba4258d4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b9911582d441f72fe6ccb15ffe3303bbc07f6f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6be325206850a0891896d38bcf83a09d8b54ec48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc5db4db19766a61ad65d81d1f55b1c1e51ba78d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f91b3ed9e7fa82a70511b5f6901c88379acf2964"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fde29fd9349327acc50d19a0b5f3d5a6c964dfd8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP9F-G82M-H958

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix bad hist from corrupting named_triggers list

The following commands causes a crash:

~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger

Because the following occurs:

event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() {

  data = event_trigger_alloc(..);

  event_trigger_register(.., data) {
    cmd_ops->reg(.., data, ..) [hist_register_trigger()] {
      data->ops->init() [event_hist_trigger_init()] {
        save_named_trigger(name, data) {
          list_add(&data->named_list, &named_triggers);
        }
      }
    }
  }

  ret = create_actions(); (return -EINVAL)
  if (ret)
    goto out_unreg;

[..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL

        test->ops->free(test) [event_hist_trigger_free()] {
          [..]
          if (data->name)
            del_named_trigger(data) {
              list_del(&data->named_list);  <<<<-- NEVER gets removed!
            }
          }
       }
     }

     [..]
     kfree(data); <<<-- frees item but it is still on list

The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash.

Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list.

A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:20Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix bad hist from corrupting named_triggers list\n\nThe following commands causes a crash:\n\n ~# cd /sys/kernel/tracing/events/rcu/rcu_callback\n ~# echo \u0027hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)\u0027 \u003e trigger\n bash: echo: write error: Invalid argument\n ~# echo \u0027hist:name=bad:keys=common_pid\u0027 \u003e trigger\n\nBecause the following occurs:\n\nevent_trigger_write() {\n  trigger_process_regex() {\n    event_hist_trigger_parse() {\n\n      data = event_trigger_alloc(..);\n\n      event_trigger_register(.., data) {\n        cmd_ops-\u003ereg(.., data, ..) [hist_register_trigger()] {\n          data-\u003eops-\u003einit() [event_hist_trigger_init()] {\n            save_named_trigger(name, data) {\n              list_add(\u0026data-\u003enamed_list, \u0026named_triggers);\n            }\n          }\n        }\n      }\n\n      ret = create_actions(); (return -EINVAL)\n      if (ret)\n        goto out_unreg;\n[..]\n      ret = hist_trigger_enable(data, ...) {\n        list_add_tail_rcu(\u0026data-\u003elist, \u0026file-\u003etriggers); \u003c\u003c\u003c---- SKIPPED!!! (this is important!)\n[..]\n out_unreg:\n      event_hist_unregister(.., data) {\n        cmd_ops-\u003eunreg(.., data, ..) [hist_unregister_trigger()] {\n          list_for_each_entry(iter, \u0026file-\u003etriggers, list) {\n            if (!hist_trigger_match(data, iter, named_data, false))   \u003c- never matches\n                continue;\n            [..]\n            test = iter;\n          }\n          if (test \u0026\u0026 test-\u003eops-\u003efree) \u003c\u003c\u003c-- test is NULL\n\n            test-\u003eops-\u003efree(test) [event_hist_trigger_free()] {\n              [..]\n              if (data-\u003ename)\n                del_named_trigger(data) {\n                  list_del(\u0026data-\u003enamed_list);  \u003c\u003c\u003c\u003c-- NEVER gets removed!\n                }\n              }\n           }\n         }\n\n         [..]\n         kfree(data); \u003c\u003c\u003c-- frees item but it is still on list\n\nThe next time a hist with name is registered, it causes an u-a-f bug and\nthe kernel can crash.\n\nMove the code around such that if event_trigger_register() succeeds, the\nnext thing called is hist_trigger_enable() which adds it to the list.\n\nA bunch of actions is called if get_named_trigger_data() returns false.\nBut that doesn\u0027t need to be called after event_trigger_register(), so it\ncan be moved up, allowing event_trigger_register() to be called just\nbefore hist_trigger_enable() keeping them together and allowing the\nfile-\u003etriggers to be properly populated.",
  "id": "GHSA-vp9f-g82m-h958",
  "modified": "2025-11-03T21:33:20Z",
  "published": "2025-04-01T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21899"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/435d2964af815aae456db554c62963b4515f19d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43b254d46c740bf9dbe65709afa021dd726dfa99"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ae1b18f05ee2b849dc03b6c15d7da0c1c6efa77"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f86bdeab633a56d5c6dccf1a2c5989b6a5e323e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1ae50cfb818ce1ac7a674406dfadb7653e2552d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPJP-WPJG-XV5M

Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

arch/arm64: Fix topology initialization for core scheduling

Arm64 systems rely on store_cpu_topology() to call update_siblings_masks() to transfer the toplogy to the various cpu masks. This needs to be done before the call to notify_cpu_starting() which tells the scheduler about each cpu found, otherwise the core scheduling data structures are setup in a way that does not match the actual topology.

With smt_mask not setup correctly we bail on cpumask_weight(smt_mask) == 1 for !leaders in:

notify_cpu_starting() cpuhp_invoke_callback_range() sched_cpu_starting() sched_core_cpu_starting()

which leads to rq->core not being correctly set for !leader-rq's.

Without this change stress-ng (which enables core scheduling in its prctl tests in newer versions -- i.e. with PR_SCHED_CORE support) causes a warning and then a crash (trimmed for legibility):

[ 1853.805168] ------------[ cut here ]------------ [ 1853.809784] task_rq(b)->core != rq->core [ 1853.809792] WARNING: CPU: 117 PID: 0 at kernel/sched/fair.c:11102 cfs_prio_less+0x1b4/0x1c4 ... [ 1854.015210] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... [ 1854.231256] Call trace: [ 1854.233689] pick_next_task+0x3dc/0x81c [ 1854.237512] __schedule+0x10c/0x4cc [ 1854.240988] schedule_idle+0x34/0x54

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:46Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\narch/arm64: Fix topology initialization for core scheduling\n\nArm64 systems rely on store_cpu_topology() to call update_siblings_masks()\nto transfer the toplogy to the various cpu masks. This needs to be done\nbefore the call to notify_cpu_starting() which tells the scheduler about\neach cpu found, otherwise the core scheduling data structures are setup\nin a way that does not match the actual topology.\n\nWith smt_mask not setup correctly we bail on `cpumask_weight(smt_mask) == 1`\nfor !leaders in:\n\n notify_cpu_starting()\n   cpuhp_invoke_callback_range()\n     sched_cpu_starting()\n       sched_core_cpu_starting()\n\nwhich leads to rq-\u003ecore not being correctly set for !leader-rq\u0027s.\n\nWithout this change stress-ng (which enables core scheduling in its prctl\ntests in newer versions -- i.e. with PR_SCHED_CORE support) causes a warning\nand then a crash (trimmed for legibility):\n\n[ 1853.805168] ------------[ cut here ]------------\n[ 1853.809784] task_rq(b)-\u003ecore != rq-\u003ecore\n[ 1853.809792] WARNING: CPU: 117 PID: 0 at kernel/sched/fair.c:11102 cfs_prio_less+0x1b4/0x1c4\n...\n[ 1854.015210] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n...\n[ 1854.231256] Call trace:\n[ 1854.233689]  pick_next_task+0x3dc/0x81c\n[ 1854.237512]  __schedule+0x10c/0x4cc\n[ 1854.240988]  schedule_idle+0x34/0x54",
  "id": "GHSA-vpjp-wpjg-xv5m",
  "modified": "2025-09-23T18:30:20Z",
  "published": "2025-09-23T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49090"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5524cbb1bfcdff0cad0aaa9f94e6092002a07259"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/790c1567582bda8f1153015436e3330a7c6eb278"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87f5d66daa5f457449bb95d6b8d18bb7596aa627"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c78a1b2d0bff678570c8dc9f14035606f5e5257d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPJQ-9V86-RQF3

Vulnerability from github – Published: 2022-05-17 02:52 – Updated: 2025-04-20 03:30
VLAI
Details

A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-06T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability.",
  "id": "GHSA-vpjq-9v86-rqf3",
  "modified": "2025-04-20T03:30:48Z",
  "published": "2022-05-17T02:52:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2369"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-38"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3620"
    },
    {
      "type": "WEB",
      "url": "http://www.pidgin.im/news/security/?id=102"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91335"
    },
    {
      "type": "WEB",
      "url": "http://www.talosintelligence.com/reports/TALOS-2016-0137"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3031-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPQ6-7984-6W49

Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03
VLAI
Details

The create_fullest_file_path function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted dwarf file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-17T17:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The create_fullest_file_path function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted dwarf file.",
  "id": "GHSA-vpq6-7984-6w49",
  "modified": "2022-05-13T01:03:26Z",
  "published": "2022-05-13T01:03:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5029"
    },
    {
      "type": "WEB",
      "url": "https://www.prevanders.net/dwarfbug.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/05/24/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/05/25/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPQC-5PHG-HJVG

Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't null dereference ops->destroy

A KVM device cleanup happens in either of two callbacks: 1) destroy() which is called when the VM is being destroyed; 2) release() which is called when a device fd is closed.

Most KVM devices use 1) but Book3s's interrupt controller KVM devices (XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during the machine execution. The error handling in kvm_ioctl_create_device() assumes destroy() is always defined which leads to NULL dereference as discovered by Syzkaller.

This adds a checks for destroy!=NULL and adds a missing release().

This is not changing kvm_destroy_devices() as devices with defined release() should have been removed from the KVM devices list by then.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t null dereference ops-\u003edestroy\n\nA KVM device cleanup happens in either of two callbacks:\n1) destroy() which is called when the VM is being destroyed;\n2) release() which is called when a device fd is closed.\n\nMost KVM devices use 1) but Book3s\u0027s interrupt controller KVM devices\n(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during\nthe machine execution. The error handling in kvm_ioctl_create_device()\nassumes destroy() is always defined which leads to NULL dereference as\ndiscovered by Syzkaller.\n\nThis adds a checks for destroy!=NULL and adds a missing release().\n\nThis is not changing kvm_destroy_devices() as devices with defined\nrelease() should have been removed from the KVM devices list by then.",
  "id": "GHSA-vpqc-5phg-hjvg",
  "modified": "2025-03-10T21:31:10Z",
  "published": "2025-03-10T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49568"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/170465715a60cbb7876e6b961b21bd3225469da8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3616776bc51cd3262bb1be60cc01c72e0a1959cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8bc2427018826e02add7b0ed0fc625a60390ae5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e91665fbbf3ccb268b268a7d71a6513538d813ac"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPRR-5687-F565

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-07-17T20:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.",
  "id": "GHSA-vprr-5687-f565",
  "modified": "2022-05-13T01:24:25Z",
  "published": "2022-05-13T01:24:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2691"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=720608"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68537"
    },
    {
      "type": "WEB",
      "url": "http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng%3Ba=commit%3Bh=9dad5e37aef295b4ef8dea39392b652deebc9261"
    },
    {
      "type": "WEB",
      "url": "http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=9dad5e37aef295b4ef8dea39392b652deebc9261"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063118.html"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=133951357207000\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/45046"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/45405"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/45492"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/49660"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201206-15.xml"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT5002"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2287"
    },
    {
      "type": "WEB",
      "url": "http://www.libpng.org/pub/png/libpng.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:151"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/07/13/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/48660"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPWC-QJH8-Q22P

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-10-12 19:00
VLAI
Details

A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.34, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.34, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file.",
  "id": "GHSA-vpwc-qjh8-q22p",
  "modified": "2022-10-12T19:00:36Z",
  "published": "2022-05-24T17:35:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16593"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210122-0003"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25827"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ2F-JGXP-899C

Vulnerability from github – Published: 2025-08-16 12:30 – Updated: 2025-11-18 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()

devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init() does not check for this case, which results in a NULL pointer dereference.

Add NULL check after devm_kasprintf() to prevent this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-16T12:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()\n\ndevm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.",
  "id": "GHSA-vq2f-jgxp-899c",
  "modified": "2025-11-18T18:32:48Z",
  "published": "2025-08-16T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38541"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bbdf4213711bb6dc365e7628430a63dd3280794"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e99e9b34ece0b6d3e82cb757e9f60fa414da999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ42-379V-G652

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service via appviahttp service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-16T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service via appviahttp service.",
  "id": "GHSA-vq42-379v-g652",
  "modified": "2022-05-13T01:31:55Z",
  "published": "2022-05-13T01:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7361"
    },
    {
      "type": "WEB",
      "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009383"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.