Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-W6W2-C994-P5H3

Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19
VLAI
Details

tcmu-runner version 1.0.5 to 1.2.0 is vulnerable to a dbus triggered NULL pointer dereference in the tcmu-runner daemon's on_unregister_handler() function resulting in denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-17T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "tcmu-runner version 1.0.5 to 1.2.0 is vulnerable to a dbus triggered NULL pointer dereference in the tcmu-runner daemon\u0027s on_unregister_handler() function resulting in denial of service",
  "id": "GHSA-w6w2-c994-p5h3",
  "modified": "2022-05-17T00:19:05Z",
  "published": "2022-05-17T00:19:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-iscsi/tcmu-runner/pull/200/commits/bb80e9c7a798f035768260ebdadffb6eb0786178"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3277"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6WG-4287-F4WF

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Add netif_device_attach/detach into PF reset flow

Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below.

Reproduction steps: Once the driver is fully initialized, trigger reset: # echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: # ethtool -c

BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27

Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message:

netlink error: No such device

instead of NULL pointer dereference. Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add netif_device_attach/detach into PF reset flow\n\nEthtool callbacks can be executed while reset is in progress and try to\naccess deleted resources, e.g. getting coalesce settings can result in a\nNULL pointer dereference seen below.\n\nReproduction steps:\nOnce the driver is fully initialized, trigger reset:\n\t# echo 1 \u003e /sys/class/net/\u003cinterface\u003e/device/reset\nwhen reset is in progress try to get coalesce settings using ethtool:\n\t# ethtool -c \u003cinterface\u003e\n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] PREEMPT SMP PTI\nCPU: 11 PID: 19713 Comm: ethtool Tainted: G S                 6.10.0-rc7+ #7\nRIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]\nRSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206\nRAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000\nR13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40\nFS:  00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0\nCall Trace:\n\u003cTASK\u003e\nice_get_coalesce+0x17/0x30 [ice]\ncoalesce_prepare_data+0x61/0x80\nethnl_default_doit+0xde/0x340\ngenl_family_rcv_msg_doit+0xf2/0x150\ngenl_rcv_msg+0x1b3/0x2c0\nnetlink_rcv_skb+0x5b/0x110\ngenl_rcv+0x28/0x40\nnetlink_unicast+0x19c/0x290\nnetlink_sendmsg+0x222/0x490\n__sys_sendto+0x1df/0x1f0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x82/0x160\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7faee60d8e27\n\nCalling netif_device_detach() before reset makes the net core not call\nthe driver when ethtool command is issued, the attempt to execute an\nethtool command during reset will result in the following message:\n\n    netlink error: No such device\n\ninstead of NULL pointer dereference. Once reset is done and\nice_rebuild() is executing, the netif_device_attach() is called to allow\nfor ethtool operations to occur again in a safe manner.",
  "id": "GHSA-w6wg-4287-f4wf",
  "modified": "2026-06-01T18:31:18Z",
  "published": "2024-09-18T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46770"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36486c9e8e01b84faaee47203eac0b7e9cc7fa4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/721f27f489a47ed0d8690b73fc1f070c2eb180cf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e3ffb839249eca113062587659224f856fe14e5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d11a67634227f9f9da51938af085fb41a733848f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/efe8effe138044a4747d1112ebb8c454d1663723"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W72V-VG94-FWXX

Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-21 00:00
VLAI
Details

In reinit of HeifDecoderImpl.cpp, there is a possible crash due to a missing null check. This could lead to remote persistent denial of service in the file picker with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-215002587

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In reinit of HeifDecoderImpl.cpp, there is a possible crash due to a missing null check. This could lead to remote persistent denial of service in the file picker with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-215002587",
  "id": "GHSA-w72v-vg94-fwxx",
  "modified": "2022-04-21T00:00:59Z",
  "published": "2022-04-13T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39804"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W77G-4C35-PRWP

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-06-19 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix net_device lifecycle with device_move

The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems.

A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression.

A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS.

Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding.

Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind.

[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/ [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:54Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix net_device lifecycle with device_move\n\nThe network device outlived its parent gadget device during\ndisconnection, resulting in dangling sysfs links and null pointer\ndereference problems.\n\nA prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]\nwas reverted due to power management ordering concerns and a NO-CARRIER\nregression.\n\nA subsequent attempt to defer net_device allocation to bind [2] broke\n1:1 mapping between function instance and network device, making it\nimpossible for configfs to report the resolved interface name. This\nresults in a regression where the DHCP server fails on pmOS.\n\nUse device_move to reparent the net_device between the gadget device and\n/sys/devices/virtual/ across bind/unbind cycles. This preserves the\nnetwork interface across USB reconnection, allowing the DHCP server to\nretain their binding.\n\nIntroduce gether_attach_gadget()/gether_detach_gadget() helpers and use\n__free(detach_gadget) macro to undo attachment on bind failure. The\nbind_count ensures device_move executes only on the first bind.\n\n[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/\n[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/",
  "id": "GHSA-w77g-4c35-prwp",
  "modified": "2026-06-19T15:33:10Z",
  "published": "2026-05-08T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43421"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36c41e9724c9a7a7cda37f5a4e9d94f25c8031c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c97366f5dac5255e60a317ffe3a5b18f3745547"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/85acaba2f42b557499bab3608307f17bf13beb69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93f116c3393a22acab96ad1bef12b2572eb80ca4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e584cb58a2ea7ff4d3a4bc43d5ca512ed3ecb77d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec35c1969650e7cb6c8a91020e568ed46e3551b0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W78R-WPWH-49JC

Vulnerability from github – Published: 2022-05-14 02:18 – Updated: 2022-05-14 02:18
VLAI
Details

In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the GetMagickProperty function in MagickCore/property.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-01T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the GetMagickProperty function in MagickCore/property.c.",
  "id": "GHSA-w78r-wpwh-49jc",
  "modified": "2022-05-14T02:18:54Z",
  "published": "2022-05-14T02:18:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/1225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7CG-566V-RM5V

Vulnerability from github – Published: 2024-04-17 12:32 – Updated: 2025-01-14 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfs: fix panic when nfs4_ff_layout_prepare_ds() fails

We've been seeing the following panic in production

BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] Call Trace: ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? __rpc_execute+0x2c3/0x470 [sunrpc] ? rpc_new_task+0x42/0x1c0 [sunrpc] ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles] pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4] pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4] ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles] nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles] ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles] __nfs_pageio_add_request+0x154/0x6c0 [nfs] nfs_pageio_add_request+0x26b/0x380 [nfs] nfs_do_writepage+0x111/0x1e0 [nfs] nfs_writepages_callback+0xf/0x30 [nfs] write_cache_pages+0x17f/0x380 ? nfs_pageio_init_write+0x50/0x50 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] nfs_writepages+0x125/0x210 [nfs] do_writepages+0x67/0x220 ? generic_perform_write+0x14b/0x210 filemap_fdatawrite_wbc+0x5b/0x80 file_write_and_wait_range+0x6d/0xc0 nfs_file_fsync+0x81/0x170 [nfs] ? nfs_file_mmap+0x60/0x60 [nfs] __x64_sys_fsync+0x53/0x90 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Inspecting the core with drgn I was able to pull this

prog.crashed_thread().stack_trace()[0] #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 prog.crashed_thread().stack_trace()[0]['idx'] (u32)1 prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds (struct nfs4_ff_layout_ds *)0xffffffffffffffed

This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() which could error out initializing the mirror_ds, and then we go to clean it all up and our check is only for if (!mirror->mirror_ds). This is inconsistent with the rest of the users of mirror_ds, which have

if (IS_ERR_OR_NULL(mirror_ds))

to keep from tripping over this exact scenario. Fix this up in ff_layout_cancel_io() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirror_ds and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix panic when nfs4_ff_layout_prepare_ds() fails\n\nWe\u0027ve been seeing the following panic in production\n\nBUG: kernel NULL pointer dereference, address: 0000000000000065\nPGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0\nRIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x78/0xc0\n ? page_fault_oops+0x286/0x380\n ? __rpc_execute+0x2c3/0x470 [sunrpc]\n ? rpc_new_task+0x42/0x1c0 [sunrpc]\n ? exc_page_fault+0x5d/0x110\n ? asm_exc_page_fault+0x22/0x30\n ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]\n pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]\n pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]\n ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]\n nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]\n ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]\n __nfs_pageio_add_request+0x154/0x6c0 [nfs]\n nfs_pageio_add_request+0x26b/0x380 [nfs]\n nfs_do_writepage+0x111/0x1e0 [nfs]\n nfs_writepages_callback+0xf/0x30 [nfs]\n write_cache_pages+0x17f/0x380\n ? nfs_pageio_init_write+0x50/0x50 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n nfs_writepages+0x125/0x210 [nfs]\n do_writepages+0x67/0x220\n ? generic_perform_write+0x14b/0x210\n filemap_fdatawrite_wbc+0x5b/0x80\n file_write_and_wait_range+0x6d/0xc0\n nfs_file_fsync+0x81/0x170 [nfs]\n ? nfs_file_mmap+0x60/0x60 [nfs]\n __x64_sys_fsync+0x53/0x90\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nInspecting the core with drgn I was able to pull this\n\n  \u003e\u003e\u003e prog.crashed_thread().stack_trace()[0]\n  #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27\n  \u003e\u003e\u003e prog.crashed_thread().stack_trace()[0][\u0027idx\u0027]\n  (u32)1\n  \u003e\u003e\u003e prog.crashed_thread().stack_trace()[0][\u0027flseg\u0027].mirror_array[1].mirror_ds\n  (struct nfs4_ff_layout_ds *)0xffffffffffffffed\n\nThis is clear from the stack trace, we call nfs4_ff_layout_prepare_ds()\nwhich could error out initializing the mirror_ds, and then we go to\nclean it all up and our check is only for if (!mirror-\u003emirror_ds).  This\nis inconsistent with the rest of the users of mirror_ds, which have\n\n  if (IS_ERR_OR_NULL(mirror_ds))\n\nto keep from tripping over this exact scenario.  Fix this up in\nff_layout_cancel_io() to make sure we don\u0027t panic when we get an error.\nI also spot checked all the other instances of checking mirror_ds and we\nappear to be doing the correct checks everywhere, only unconditionally\ndereferencing mirror_ds when we know it would be valid.",
  "id": "GHSA-w7cg-566v-rm5v",
  "modified": "2025-01-14T15:30:48Z",
  "published": "2024-04-17T12:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26868"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31db25e3141b20e2a76a9f219eeca52e3cab126c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ada9016b1217498fad876a3d5b07645cc955608"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/719fcafe07c12646691bd62d7f8d94d657fa0766"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dac068f164ad05b35e7c0be13f138c3f6adca58f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7FH-6798-HQC2

Vulnerability from github – Published: 2022-05-14 01:12 – Updated: 2022-05-14 01:12
VLAI
Details

w3m through 0.5.3 is prone to a NULL pointer dereference flaw in formUpdateBuffer in form.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-25T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "w3m through 0.5.3 is prone to a NULL pointer dereference flaw in formUpdateBuffer in form.c.",
  "id": "GHSA-w7fh-6798-hqc2",
  "modified": "2022-05-14T01:12:47Z",
  "published": "2022-05-14T01:12:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tats/w3m/issues/89"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3555-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3555-2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102846"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7PH-W892-Q2WC

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 15:30
VLAI
Details

A potential null pointer dereference vulnerability was reported in the Lenovo Power Management Driver that could allow a local authenticated user to cause a Windows blue screen error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T15:16:07Z",
    "severity": "MODERATE"
  },
  "details": "A potential null pointer dereference vulnerability was reported in the Lenovo Power Management Driver that could allow a local authenticated user to cause a Windows blue screen error.",
  "id": "GHSA-w7ph-w892-q2wc",
  "modified": "2025-10-15T15:30:29Z",
  "published": "2025-10-15T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9548"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-203293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W7RP-6Q39-G7QW

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

An issue was discovered in Exempi through 2.4.4. XMPFiles/source/FormatSupport/WEBP_Support.cpp does not check whether a bitstream has a NULL value, leading to a NULL pointer dereference in the WEBP::VP8XChunk class.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-06T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Exempi through 2.4.4. XMPFiles/source/FormatSupport/WEBP_Support.cpp does not check whether a bitstream has a NULL value, leading to a NULL pointer dereference in the WEBP::VP8XChunk class.",
  "id": "GHSA-w7rp-6q39-g7qw",
  "modified": "2022-05-13T01:14:05Z",
  "published": "2022-05-13T01:14:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7731"
    },
    {
      "type": "WEB",
      "url": "https://bugs.freedesktop.org/show_bug.cgi?id=105247"
    },
    {
      "type": "WEB",
      "url": "https://cgit.freedesktop.org/exempi/commit/?id=aabedb5e749dd59112a3fe1e8e08f2d934f56666"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCFXKOOATZ2B5G3G7EBXZWVZHEABN4ZV"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3668-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7W4-RX65-9VWW

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01
VLAI
Details

An exploitable NULL pointer dereference vulnerability exists in the tinysvcmdns library version 2017-11-05. A specially crafted packet can make the library dereference a NULL pointer leading to a server crash and denial of service. An attacker needs to send a DNS query to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-20T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable NULL pointer dereference vulnerability exists in the tinysvcmdns library version 2017-11-05. A specially crafted packet can make the library dereference a NULL pointer leading to a server crash and denial of service. An attacker needs to send a DNS query to trigger this vulnerability.",
  "id": "GHSA-w7w4-rx65-9vww",
  "modified": "2022-05-13T01:01:36Z",
  "published": "2022-05-13T01:01:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12130"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2017-0486"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102795"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.