CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-W8VV-X828-GJPF
Vulnerability from github – Published: 2025-10-21 12:31 – Updated: 2025-10-21 12:31In the Linux kernel, the following vulnerability has been resolved:
exec: Force single empty string when argv is empty
Quoting[1] Ariadne Conill:
"In several other operating systems, it is a hard requirement that the second argument to execve(2) be the name of a program, thus prohibiting a scenario where argc < 1. POSIX 2017 also recommends this behaviour, but it is not an explicit requirement[2]:
The argument arg0 should point to a filename string that is
associated with the process being started by one of the exec
functions.
... Interestingly, Michael Kerrisk opened an issue about this in 2008[3], but there was no consensus to support fixing this issue then. Hopefully now that CVE-2021-4034 shows practical exploitative use[4] of this bug in a shellcode, we can reconsider.
This issue is being tracked in the KSPP issue tracker[5]."
While the initial code searches[6][7] turned up what appeared to be mostly corner case tests, trying to that just reject argv == NULL (or an immediately terminated pointer list) quickly started tripping[8] existing userspace programs.
The next best approach is forcing a single empty string into argv and adjusting argc to match. The number of programs depending on argc == 0 seems a smaller set than those calling execve with a NULL argv.
Account for the additional stack space in bprm_stack_limits(). Inject an empty string when argc == 0 (and set argc = 1). Warn about the case so userspace has some notice about the change:
process './argc0' launched './argc0' with NULL argv: empty string added
Additionally WARN() and reject NULL argv usage for kernel threads.
[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/ [2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html [3] https://bugzilla.kernel.org/show_bug.cgi?id=8408 [4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt [5] https://github.com/KSPP/linux/issues/176 [6] https://codesearch.debian.net/search?q=execve%5C+%5C%28%5B%5E%2C%5D%2B%2C+NULL&literal=0 [7] https://codesearch.debian.net/search?q=execlp%3F%5Cs%5C%28%5B%5E%2C%5D%2B%2C%5CsNULL&literal=0 [8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/
{
"affected": [],
"aliases": [
"CVE-2022-49264"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: Force single empty string when argv is empty\n\nQuoting[1] Ariadne Conill:\n\n\"In several other operating systems, it is a hard requirement that the\nsecond argument to execve(2) be the name of a program, thus prohibiting\na scenario where argc \u003c 1. POSIX 2017 also recommends this behaviour,\nbut it is not an explicit requirement[2]:\n\n The argument arg0 should point to a filename string that is\n associated with the process being started by one of the exec\n functions.\n...\nInterestingly, Michael Kerrisk opened an issue about this in 2008[3],\nbut there was no consensus to support fixing this issue then.\nHopefully now that CVE-2021-4034 shows practical exploitative use[4]\nof this bug in a shellcode, we can reconsider.\n\nThis issue is being tracked in the KSPP issue tracker[5].\"\n\nWhile the initial code searches[6][7] turned up what appeared to be\nmostly corner case tests, trying to that just reject argv == NULL\n(or an immediately terminated pointer list) quickly started tripping[8]\nexisting userspace programs.\n\nThe next best approach is forcing a single empty string into argv and\nadjusting argc to match. The number of programs depending on argc == 0\nseems a smaller set than those calling execve with a NULL argv.\n\nAccount for the additional stack space in bprm_stack_limits(). Inject an\nempty string when argc == 0 (and set argc = 1). Warn about the case so\nuserspace has some notice about the change:\n\n process \u0027./argc0\u0027 launched \u0027./argc0\u0027 with NULL argv: empty string added\n\nAdditionally WARN() and reject NULL argv usage for kernel threads.\n\n[1] https://lore.kernel.org/lkml/20220127000724.15106-1-ariadne@dereferenced.org/\n[2] https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html\n[3] https://bugzilla.kernel.org/show_bug.cgi?id=8408\n[4] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\n[5] https://github.com/KSPP/linux/issues/176\n[6] https://codesearch.debian.net/search?q=execve%5C+*%5C%28%5B%5E%2C%5D%2B%2C+*NULL\u0026literal=0\n[7] https://codesearch.debian.net/search?q=execlp%3F%5Cs*%5C%28%5B%5E%2C%5D%2B%2C%5Cs*NULL\u0026literal=0\n[8] https://lore.kernel.org/lkml/20220131144352.GE16385@xsang-OptiPlex-9020/",
"id": "GHSA-w8vv-x828-gjpf",
"modified": "2025-10-21T12:31:24Z",
"published": "2025-10-21T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49264"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1290eb4412aa0f0e9f3434b406dc8e255da85f9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fe82bfd9e4ce93399d815ca458b58505191c3e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/27a6f495b63a1804cc71be45911065db7757a98c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41f6ea5b9aaa28b740d47ffe995a5013211fdbb0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98e0c7c702894987732776736c99b85ade6fba45"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a8054d3fa5deb84b215d6be1b910a978f3cb840d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b50fb8dbc8b81aaa126387de428f4c42a7c72a73"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cfbfff8ce5e3d674947581f1eb9af0a1b1807950"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dcd46d897adb70d63e025f175a00a89797d31a43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8WP-W464-6XR8
Vulnerability from github – Published: 2026-01-14 15:33 – Updated: 2026-03-25 18:31In the Linux kernel, the following vulnerability has been resolved:
md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
The variable mddev->private is first assigned to conf and then checked:
conf = mddev->private; if (!conf) ...
If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce():
raid5_quiesce(mddev, true); raid5_quiesce(mddev, false);
since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example:
conf->quiesce = 0; wake_up(&conf->wait_for_quiescent);
To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy().
{
"affected": [],
"aliases": [
"CVE-2025-71135"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T15:16:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()\n\nThe variable mddev-\u003eprivate is first assigned to conf and then checked:\n\n conf = mddev-\u003eprivate;\n if (!conf) ...\n\nIf conf is NULL, then mddev-\u003eprivate is also NULL. In this case,\nnull-pointer dereferences can occur when calling raid5_quiesce():\n\n raid5_quiesce(mddev, true);\n raid5_quiesce(mddev, false);\n\nsince mddev-\u003eprivate is assigned to conf again in raid5_quiesce(), and conf\nis dereferenced in several places, for example:\n\n conf-\u003equiesce = 0;\n wake_up(\u0026conf-\u003ewait_for_quiescent);\n\nTo fix this issue, the function should unlock mddev and return before\ninvoking raid5_quiesce() when conf is NULL, following the existing pattern\nin raid5_change_consistency_policy().",
"id": "GHSA-w8wp-w464-6xr8",
"modified": "2026-03-25T18:31:34Z",
"published": "2026-01-14T15:33:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71135"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8WW-WC9C-WGJH
Vulnerability from github – Published: 2026-03-03 18:31 – Updated: 2026-03-04 18:31An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580, and 2500. A NULL pointer dereference of npu_proto_drv.ast.thread_ref in set_cpu_affinity() causes a denial of service.
{
"affected": [],
"aliases": [
"CVE-2025-62815"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T16:16:17Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580, and 2500. A NULL pointer dereference of npu_proto_drv.ast.thread_ref in set_cpu_affinity() causes a denial of service.",
"id": "GHSA-w8ww-wc9c-wgjh",
"modified": "2026-03-04T18:31:49Z",
"published": "2026-03-03T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62815"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62815"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8WX-3V4M-PWRR
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-26 18:31In the Linux kernel, the following vulnerability has been resolved:
hid: cp2112: Fix duplicate workqueue initialization
Previously the cp2112 driver called INIT_DELAYED_WORK within cp2112_gpio_irq_startup, resulting in duplicate initilizations of the workqueue on subsequent IRQ startups following an initial request. This resulted in a warning in set_work_data in workqueue.c, as well as a rare NULL dereference within process_one_work in workqueue.c.
Initialize the workqueue within _probe instead.
{
"affected": [],
"aliases": [
"CVE-2023-52853"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhid: cp2112: Fix duplicate workqueue initialization\n\nPreviously the cp2112 driver called INIT_DELAYED_WORK within\ncp2112_gpio_irq_startup, resulting in duplicate initilizations of the\nworkqueue on subsequent IRQ startups following an initial request. This\nresulted in a warning in set_work_data in workqueue.c, as well as a rare\nNULL dereference within process_one_work in workqueue.c.\n\nInitialize the workqueue within _probe instead.",
"id": "GHSA-w8wx-3v4m-pwrr",
"modified": "2025-09-26T18:31:17Z",
"published": "2024-05-21T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52853"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/012d0c66f9392a99232ac28217229f32dd3a70cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3d959406c8fff2334d83d0c352d54fd6f5b2e7cd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/727203e6e7e7020e1246fc1628cbdb8d90177819"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bafb12b629b7c3ad59812dd1ac1b0618062e0e38"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df0daac2709473531d6a3472997cc65301ac06d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3c2d2d144c082dd71596953193adf9891491f42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb1121fac7986b30915ba20c5a04cc01fdcf160c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb5718bc67337dde1528661f419ffcf275757592"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W922-JV62-78R5
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-11-19 18:31In the Linux kernel, the following vulnerability has been resolved:
riscv: fix runtime constant support for nommu kernels
the __runtime_fixup_32 function does not handle the case where val is
zero correctly (as might occur when patching a nommu kernel and referring
to a physical address below the 4GiB boundary whose upper 32 bits are all
zero) because nothing in the existing logic prevents the code from taking
the else branch of both nop-checks and emitting two nop instructions.
This leaves random garbage in the register that is supposed to receive the upper 32 bits of the pointer instead of zero that when combined with the value for the lower 32 bits yields an invalid pointer and causes a kernel panic when that pointer is eventually accessed.
The author clearly considered the fact that if the lui is converted into
a nop that the second instruction needs to be adjusted to become an li
instead of an addi, hence introducing the addi_insn_mask variable, but
didn't follow that logic through fully to the case where the else branch
executes. To fix it just adjust the logic to ensure that the second else
branch is not taken if the first instruction will be patched to a nop.
{
"affected": [],
"aliases": [
"CVE-2025-38433"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T15:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix runtime constant support for nommu kernels\n\nthe `__runtime_fixup_32` function does not handle the case where `val` is\nzero correctly (as might occur when patching a nommu kernel and referring\nto a physical address below the 4GiB boundary whose upper 32 bits are all\nzero) because nothing in the existing logic prevents the code from taking\nthe `else` branch of both nop-checks and emitting two `nop` instructions.\n\nThis leaves random garbage in the register that is supposed to receive the\nupper 32 bits of the pointer instead of zero that when combined with the\nvalue for the lower 32 bits yields an invalid pointer and causes a kernel\npanic when that pointer is eventually accessed.\n\nThe author clearly considered the fact that if the `lui` is converted into\na `nop` that the second instruction needs to be adjusted to become an `li`\ninstead of an `addi`, hence introducing the `addi_insn_mask` variable, but\ndidn\u0027t follow that logic through fully to the case where the `else` branch\nexecutes. To fix it just adjust the logic to ensure that the second `else`\nbranch is not taken if the first instruction will be patched to a `nop`.",
"id": "GHSA-w922-jv62-78r5",
"modified": "2025-11-19T18:31:16Z",
"published": "2025-07-25T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38433"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a24b00dcde83934a3cc13e4c6b775522903496b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d90d9872edae7e78c3a12b98e239bfaa66f3639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W96W-F34F-W457
Vulnerability from github – Published: 2022-04-06 00:01 – Updated: 2022-04-14 00:00A null pointer dereference in src/amf/namf-handler.c in Open5GS 2.3.6 and earlier allows remote attackers to Denial of Service via a crafted sbi request to amf.
{
"affected": [],
"aliases": [
"CVE-2021-44108"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-05T02:15:00Z",
"severity": "HIGH"
},
"details": "A null pointer dereference in src/amf/namf-handler.c in Open5GS 2.3.6 and earlier allows remote attackers to Denial of Service via a crafted sbi request to amf.",
"id": "GHSA-w96w-f34f-w457",
"modified": "2022-04-14T00:00:37Z",
"published": "2022-04-06T00:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44108"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/1247"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/commit/d919b2744cd05abae043490f0a3dd1946c1ccb8c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W983-R23J-MQC9
Vulnerability from github – Published: 2022-05-17 02:25 – Updated: 2022-05-17 02:25An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "AppleGraphicsPowerManagement" component. It allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2016-7609"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-20T08:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the \"AppleGraphicsPowerManagement\" component. It allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.",
"id": "GHSA-w983-r23j-mqc9",
"modified": "2022-05-17T02:25:26Z",
"published": "2022-05-17T02:25:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7609"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207423"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94903"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037469"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W993-3VV8-HXP8
Vulnerability from github – Published: 2025-01-08 18:30 – Updated: 2025-01-09 21:31In the Linux kernel, the following vulnerability has been resolved:
kunit: Fix potential null dereference in kunit_device_driver_test()
kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add a NULL check for test_state.
{
"affected": [],
"aliases": [
"CVE-2024-56773"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T18:15:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: Fix potential null dereference in kunit_device_driver_test()\n\nkunit_kzalloc() may return a NULL pointer, dereferencing it without\nNULL check may lead to NULL dereference.\nAdd a NULL check for test_state.",
"id": "GHSA-w993-3vv8-hxp8",
"modified": "2025-01-09T21:31:29Z",
"published": "2025-01-08T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56773"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/435c20eed572a95709b1536ff78832836b2f91b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d28fac59369b5d3c48cdf09e50275a61ff91202"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9F3-JQRP-MW9R
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-12 18:30A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2026-28985"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T21:18:58Z",
"severity": "MODERATE"
},
"details": "A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.",
"id": "GHSA-w9f3-jqrp-mw9r",
"modified": "2026-05-12T18:30:36Z",
"published": "2026-05-11T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28985"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127118"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9FP-75MC-76FF
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-10-31 18:31In the Linux kernel, the following vulnerability has been resolved:
misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge
There is an issue with the ASPM(optional) capability checking function. A device might be attached to root complex directly, in this case, bus->self(bridge) will be NULL, thus priv->parent_pdev is NULL. Since alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's ASPM capability and populate parent_cap_off, which will be used later by alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do here is to avoid checking the capability if we are on the root complex. This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply return when bring called, effectively disable ASPM for the device.
[ 1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40 [ 1.253998] Call Trace: [ 1.254131] ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci] [ 1.254476] alcor_pci_probe+0x169/0x2d5 [alcor_pci]
{
"affected": [],
"aliases": [
"CVE-2021-47333"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: alcor_pci: fix null-ptr-deref when there is no PCI bridge\n\nThere is an issue with the ASPM(optional) capability checking function.\nA device might be attached to root complex directly, in this case,\nbus-\u003eself(bridge) will be NULL, thus priv-\u003eparent_pdev is NULL.\nSince alcor_pci_init_check_aspm(priv-\u003eparent_pdev) checks the PCI link\u0027s\nASPM capability and populate parent_cap_off, which will be used later by\nalcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do\nhere is to avoid checking the capability if we are on the root complex.\nThis will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply\nreturn when bring called, effectively disable ASPM for the device.\n\n[ 1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[ 1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40\n[ 1.253998] Call Trace:\n[ 1.254131] ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci]\n[ 1.254476] alcor_pci_probe+0x169/0x2d5 [alcor_pci]",
"id": "GHSA-w9fp-75mc-76ff",
"modified": "2024-10-31T18:31:16Z",
"published": "2024-05-21T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47333"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09d154990ca82d14aed2b72796f6c8845e2e605d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ce3e45cc333da707d4d6eb433574b990bcc26f5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58f69684ba03e5b0e0a3ae844a845280c0f06309"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/717cf5ae52322ddbdf3ac2c584b34c5970b0d174"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2639ffdcad463b358b6bef8645ff81715daffcb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.