CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-W3PH-7HX8-WXG6
Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2024-08-27 18:31In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel-vbtn: Protect ACPI notify handler against recursion
Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") ACPI notify handlers like the intel-vbtn notify_handler() may run on multiple CPU cores racing with themselves.
This race gets hit on Dell Venue 7140 tablets when undocking from the keyboard, causing the handler to try and register priv->switches_dev twice, as can be seen from the dev_info() message getting logged twice:
[ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event [ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17 [ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event
After which things go seriously wrong: [ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17' ... [ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory. [ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018 ...
Protect intel-vbtn notify_handler() from racing with itself with a mutex to fix this.
{
"affected": [],
"aliases": [
"CVE-2024-44937"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T11:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel-vbtn: Protect ACPI notify handler against recursion\n\nSince commit e2ffcda16290 (\"ACPI: OSL: Allow Notify () handlers to run on\nall CPUs\") ACPI notify handlers like the intel-vbtn notify_handler() may\nrun on multiple CPU cores racing with themselves.\n\nThis race gets hit on Dell Venue 7140 tablets when undocking from\nthe keyboard, causing the handler to try and register priv-\u003eswitches_dev\ntwice, as can be seen from the dev_info() message getting logged twice:\n\n[ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event\n[ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17\n[ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event\n\nAfter which things go seriously wrong:\n[ 83.861872] sysfs: cannot create duplicate filename \u0027/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17\u0027\n...\n[ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don\u0027t try to register things with the same name in the same directory.\n[ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018\n...\n\nProtect intel-vbtn notify_handler() from racing with itself with a mutex\nto fix this.",
"id": "GHSA-w3ph-7hx8-wxg6",
"modified": "2024-08-27T18:31:37Z",
"published": "2024-08-26T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44937"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c9618a3b6ea94cf7bdff7702aca8bf2d777d97b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e075c3b13a0a142dcd3151b25d29a24f31b7b640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W3VX-37CC-JXMM
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix cleanup null-ptr deref on encap lock
During module is unloaded while a peer tc flow is still offloaded, first the peer uplink rep profile is changed to a nic profile, and so neigh encap lock is destroyed. Next during unload, the VF reps netdevs are unregistered which causes the original non-peer tc flow to be deleted, which deletes the peer flow. The peer flow deletion detaches the encap entry and try to take the already destroyed encap lock, causing the below trace.
Fix this by clearing peer flows during tc eswitch cleanup (mlx5e_tc_esw_cleanup()).
Relevant trace: [ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8 [ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40 [ 4316.851897] Call Trace: [ 4316.852481] [ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core] [ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core] [ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core] [ 4316.859867] clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core] [ 4316.860605] mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core] [ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core] [ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core] [ 4316.864090] mlx5e_flow_put+0x5f/0x100 [mlx5_core] [ 4316.864771] mlx5e_delete_flower+0x4de/0xa40 [mlx5_core] [ 4316.865486] tc_setup_cb_reoffload+0x20/0x80 [ 4316.865905] fl_reoffload+0x47c/0x510 [cls_flower] [ 4316.869181] tcf_block_playback_offloads+0x91/0x1d0 [ 4316.869649] tcf_block_unbind+0xe7/0x1b0 [ 4316.870049] tcf_block_offload_cmd.isra.0+0x1ee/0x270 [ 4316.879266] tcf_block_offload_unbind+0x61/0xa0 [ 4316.879711] __tcf_block_put+0xa4/0x310
{
"affected": [],
"aliases": [
"CVE-2023-53105"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:29Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix cleanup null-ptr deref on encap lock\n\nDuring module is unloaded while a peer tc flow is still offloaded,\nfirst the peer uplink rep profile is changed to a nic profile, and so\nneigh encap lock is destroyed. Next during unload, the VF reps netdevs\nare unregistered which causes the original non-peer tc flow to be deleted,\nwhich deletes the peer flow. The peer flow deletion detaches the encap\nentry and try to take the already destroyed encap lock, causing the\nbelow trace.\n\nFix this by clearing peer flows during tc eswitch cleanup\n(mlx5e_tc_esw_cleanup()).\n\nRelevant trace:\n[ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8\n[ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40\n[ 4316.851897] Call Trace:\n[ 4316.852481] \u003cTASK\u003e\n[ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core]\n[ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core]\n[ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core]\n[ 4316.859867] clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core]\n[ 4316.860605] mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core]\n[ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core]\n[ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core]\n[ 4316.864090] mlx5e_flow_put+0x5f/0x100 [mlx5_core]\n[ 4316.864771] mlx5e_delete_flower+0x4de/0xa40 [mlx5_core]\n[ 4316.865486] tc_setup_cb_reoffload+0x20/0x80\n[ 4316.865905] fl_reoffload+0x47c/0x510 [cls_flower]\n[ 4316.869181] tcf_block_playback_offloads+0x91/0x1d0\n[ 4316.869649] tcf_block_unbind+0xe7/0x1b0\n[ 4316.870049] tcf_block_offload_cmd.isra.0+0x1ee/0x270\n[ 4316.879266] tcf_block_offload_unbind+0x61/0xa0\n[ 4316.879711] __tcf_block_put+0xa4/0x310",
"id": "GHSA-w3vx-37cc-jxmm",
"modified": "2025-11-10T18:30:29Z",
"published": "2025-05-02T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53105"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01fdaea410787fe372daeaeda93a29ed0606d334"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7350f8dbe0c2a1d4d3ad7c35b610abd3cb91750"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c9668f0b1d28570327dbba189f2c61f6f9e43ae7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W44G-4GMF-M2WW
Vulnerability from github – Published: 2026-07-03 00:31 – Updated: 2026-07-03 00:31A null pointer dereference vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to create a denial-of-service (DoS) condition by sending specially crafted IKEv2 messages. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.
This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2
{
"affected": [],
"aliases": [
"CVE-2026-13084"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T00:16:50Z",
"severity": "HIGH"
},
"details": "A null pointer dereference vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to create a denial-of-service (DoS) condition by sending specially crafted IKEv2 messages.\u00a0This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer.\n\nThis vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2",
"id": "GHSA-w44g-4gmf-m2ww",
"modified": "2026-07-03T00:31:53Z",
"published": "2026-07-03T00:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13084"
},
{
"type": "WEB",
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W44H-2J78-HVFM
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-27 15:34A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later
{
"affected": [],
"aliases": [
"CVE-2025-47205"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:52Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.8.3332 build 20251128 and later\nQuTS hero h5.2.8.3321 build 20251117 and later",
"id": "GHSA-w44h-2j78-hvfm",
"modified": "2026-02-27T15:34:11Z",
"published": "2026-02-11T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47205"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W44H-95M4-Q297
Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only.
Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.
{
"affected": [],
"aliases": [
"CVE-2024-46739"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T08:15:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind\n\nFor primary VM Bus channels, primary_channel pointer is always NULL. This\npointer is valid only for the secondary channels. Also, rescind callback\nis meant for primary channels only.\n\nFix NULL pointer dereference by retrieving the device_obj from the parent\nfor the primary channel.",
"id": "GHSA-w44h-95m4-q297",
"modified": "2025-11-04T00:31:29Z",
"published": "2024-09-18T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46739"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1d8e020e51ab07e40f9dd00b52f1da7d96fec04c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2be373469be1774bbe03b0fa7e2854e65005b1cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3005091cd537ef8cdb7530dcb2ecfba8d2ef475c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3d414b64ecf6fd717d7510ffb893c6f23acbf50e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/928e399e84f4e80307dce44e89415115c473275b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de6946be9c8bc7d2279123433495af7c21011b99"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f38f46da80a2ab7d1b2f8fcb444c916034a2dac4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4C2-47FV-3G9C
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2025-01-31 18:31In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: pcie: handle randbuf allocation failure
The kzalloc() in brcmf_pcie_download_fw_nvram() will return null if the physical memory has run out. As a result, if we use get_random_bytes() to generate random bytes in the randbuf, the null pointer dereference bug will happen.
In order to prevent allocation failure, this patch adds a separate function using buffer on kernel stack to generate random bytes in the randbuf, which could prevent the kernel stack from overflow.
{
"affected": [],
"aliases": [
"CVE-2024-38575"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T14:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: pcie: handle randbuf allocation failure\n\nThe kzalloc() in brcmf_pcie_download_fw_nvram() will return null\nif the physical memory has run out. As a result, if we use\nget_random_bytes() to generate random bytes in the randbuf, the\nnull pointer dereference bug will happen.\n\nIn order to prevent allocation failure, this patch adds a separate\nfunction using buffer on kernel stack to generate random bytes in\nthe randbuf, which could prevent the kernel stack from overflow.",
"id": "GHSA-w4c2-47fv-3g9c",
"modified": "2025-01-31T18:31:03Z",
"published": "2024-06-19T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38575"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0eb2c0528e232b3c32cde9d5e1c9f80ba2996e49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/316f790ebcf94bdf59f794b7cdea4068dc676d4c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3729ca9e48d19a03ae049e2bde510e161c2f3720"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c15eb344b0d4d3468c9b2a7591ad2b859b29b88"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c37466406f075476c2702ecc01917928af871f3b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4HX-FRHG-79JG
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix kernel crash during reboot when adapter is in recovery mode
If the driver detects during probe that firmware is in recovery mode then i40e_init_recovery_mode() is called and the rest of probe function is skipped including pci_set_drvdata(). Subsequent i40e_shutdown() called during shutdown/reboot dereferences NULL pointer as pci_get_drvdata() returns NULL.
To fix call pci_set_drvdata() also during entering to recovery mode.
Reproducer: 1) Lets have i40e NIC with firmware in recovery mode 2) Run reboot
Result: [ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver [ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation. [ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality. [ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode. [ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a] [ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0 [ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality. [ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode. [ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a] [ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0 ... [ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2 [ 156.318330] #PF: supervisor write access in kernel mode [ 156.323546] #PF: error_code(0x0002) - not-present page [ 156.328679] PGD 0 P4D 0 [ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI [ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1 [ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022 [ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e] [ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00 [ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282 [ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001 [ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000 [ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40 [ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000 [ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000 [ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000 [ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0 [ 156.438944] PKRU: 55555554 [ 156.441647] Call Trace: [ 156.444096] [ 156.446199] pci_device_shutdown+0x38/0x60 [ 156.450297] device_shutdown+0x163/0x210 [ 156.454215] kernel_restart+0x12/0x70 [ 156.457872] __do_sys_reboot+0x1ab/0x230 [ 156.461789] ? vfs_writev+0xa6/0x1a0 [ 156.465362] ? __pfx_file_free_rcu+0x10/0x10 [ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0 [ 156.475034] do_syscall_64+0x3e/0x90 [ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 156.483658] RIP: 0033:0x7fe7bff37ab7
{
"affected": [],
"aliases": [
"CVE-2023-53114"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during reboot when adapter is in recovery mode\n\nIf the driver detects during probe that firmware is in recovery\nmode then i40e_init_recovery_mode() is called and the rest of\nprobe function is skipped including pci_set_drvdata(). Subsequent\ni40e_shutdown() called during shutdown/reboot dereferences NULL\npointer as pci_get_drvdata() returns NULL.\n\nTo fix call pci_set_drvdata() also during entering to recovery mode.\n\nReproducer:\n1) Lets have i40e NIC with firmware in recovery mode\n2) Run reboot\n\nResult:\n[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver\n[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.\n[ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.\n[ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.\n[ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]\n[ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0\n[ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.\n[ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.\n[ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]\n[ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0\n...\n[ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2\n[ 156.318330] #PF: supervisor write access in kernel mode\n[ 156.323546] #PF: error_code(0x0002) - not-present page\n[ 156.328679] PGD 0 P4D 0\n[ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI\n[ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1\n[ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022\n[ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]\n[ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 \u003cf0\u003e 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00\n[ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282\n[ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001\n[ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000\n[ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40\n[ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000\n[ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000\n[ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000\n[ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0\n[ 156.438944] PKRU: 55555554\n[ 156.441647] Call Trace:\n[ 156.444096] \u003cTASK\u003e\n[ 156.446199] pci_device_shutdown+0x38/0x60\n[ 156.450297] device_shutdown+0x163/0x210\n[ 156.454215] kernel_restart+0x12/0x70\n[ 156.457872] __do_sys_reboot+0x1ab/0x230\n[ 156.461789] ? vfs_writev+0xa6/0x1a0\n[ 156.465362] ? __pfx_file_free_rcu+0x10/0x10\n[ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0\n[ 156.475034] do_syscall_64+0x3e/0x90\n[ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[ 156.483658] RIP: 0033:0x7fe7bff37ab7",
"id": "GHSA-w4hx-frhg-79jg",
"modified": "2025-11-10T18:30:29Z",
"published": "2025-05-02T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53114"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cbecb1c9085a00155639404f7addbcbfc987ba3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ff82695266576a0b4f1077a7100b2451e476df4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e18f66b704bd725196508c1db93bf7338cdc8de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e4f8a0c495413a50413e8c9f1032ce1bc633bae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3826fb3ea14646b3d4e6309bfc384b349f36eb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c703362a66ea971905b9dc153fc54d1b6ac05423"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4P9-F43V-6347
Vulnerability from github – Published: 2024-10-22 09:33 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
media: pci: cx23885: check cx23885_vdev_init() return
cx23885_vdev_init() can return a NULL pointer, but that pointer is used in the next line without a check.
Add a NULL pointer check and go to the error unwind if it is NULL.
{
"affected": [],
"aliases": [
"CVE-2023-52918"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-22T08:15:02Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: cx23885: check cx23885_vdev_init() return\n\ncx23885_vdev_init() can return a NULL pointer, but that pointer\nis used in the next line without a check.\n\nAdd a NULL pointer check and go to the error unwind if it is NULL.",
"id": "GHSA-w4p9-f43v-6347",
"modified": "2025-11-04T00:31:47Z",
"published": "2024-10-22T09:33:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52918"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06ee04a907d64ee3910fecedd05d7f1be4b1b70e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/15126b916e39b0cb67026b0af3c014bfeb1f76b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/199a42fc4c45e8b7f19efeb15dbc36889a599ac2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e31b096e2e1949bc8f0be019c9ae70d414404c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a5f1d30c51c485cec7a7de60205667c3ff86c303"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1397fb4a779fca560c43d2acf6702d41b4a495b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7385510e2550a9f8b6f3d5f33c5b894ab9ba976"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4PJ-2VVJ-F3VP
Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-07-06 21:30In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ps883x: Fix Oops at unbind
When trying to unbind a device in order to bind to it vfio-platform as:
echo bc0000.geniqup > /sys/bus/platform/devices/bc0000.geniqup/driver/unbind
I get the following Oops:
[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 436.487762] Mem abort info: [ 436.490716] ESR = 0x0000000096000004 [ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits [ 436.500071] SET = 0, FnV = 0 [ 436.503250] EA = 0, S1PTW = 0 [ 436.506505] FSC = 0x04: level 0 translation fault [ 436.511533] Data abort info: [ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000 [ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 [ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP [ 436.550374] Modules linked in: [ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT [ 436.564440] Tainted: [W]=WARN [ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025 [ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 436.581841] pc : ps883x_retimer_remove+0x14/0x94 [ 436.586605] lr : i2c_device_remove+0x28/0x84 [ 436.591017] sp : ffff8000847137c0
That's because the ps883x_retimer_remove() retrieves the driver data from i2c_get_clientdata() which was never set at probe. So, add i2c_set_clientdata() at the end of the probe.
{
"affected": [],
"aliases": [
"CVE-2026-53305"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T20:17:23Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ps883x: Fix Oops at unbind\n\nWhen trying to unbind a device in order to bind to it vfio-platform as:\n\n echo bc0000.geniqup \u003e /sys/bus/platform/devices/bc0000.geniqup/driver/unbind\n\nI get the following Oops:\n\n[ 436.478639] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[ 436.487762] Mem abort info:\n[ 436.490716] ESR = 0x0000000096000004\n[ 436.494595] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 436.500071] SET = 0, FnV = 0\n[ 436.503250] EA = 0, S1PTW = 0\n[ 436.506505] FSC = 0x04: level 0 translation fault\n[ 436.511533] Data abort info:\n[ 436.514558] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 436.520215] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 436.525436] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 436.530918] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008861a9000\n[ 436.537554] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000\n[ 436.544548] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 436.550374] Modules linked in:\n[ 436.553542] CPU: 2 UID: 0 PID: 671 Comm: bash Tainted: G W 7.0.0-rc3-g56fcdd0911a5-dirty #2 PREEMPT\n[ 436.564440] Tainted: [W]=WARN\n[ 436.567515] Hardware name: LENOVO 91B6CTO1WW/3796, BIOS O6NKT3BA 05/02/2025\n[ 436.574675] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 436.581841] pc : ps883x_retimer_remove+0x14/0x94\n[ 436.586605] lr : i2c_device_remove+0x28/0x84\n[ 436.591017] sp : ffff8000847137c0\n\nThat\u0027s because the ps883x_retimer_remove() retrieves the driver data\nfrom i2c_get_clientdata() which was never set at probe. So, add\ni2c_set_clientdata() at the end of the probe.",
"id": "GHSA-w4pj-2vvj-f3vp",
"modified": "2026-07-06T21:30:25Z",
"published": "2026-06-26T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53305"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/37a3d1b6827783f26d2f8e6c7683e253ba79ae93"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/381133848a033c2086cf9cafb226f425bd0414ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c404d0ac0cb085cb7077ba32c334cc4042feb81a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4QG-RH8M-6C8Q
Vulnerability from github – Published: 2026-03-26 12:30 – Updated: 2026-04-24 15:32In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL deref in mesh_matches_local()
mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.
The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too
mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel.
The captured crash log:
Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
{
"affected": [],
"aliases": [
"CVE-2026-23396"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T11:16:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie-\u003emesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie-\u003emesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems-\u003emesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems-\u003emesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n \u003cTASK\u003e\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nThis patch adds a NULL check for ie-\u003emesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent.",
"id": "GHSA-w4qg-rh8m-6c8q",
"modified": "2026-04-24T15:32:18Z",
"published": "2026-03-26T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23396"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.