Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-WC6R-37R6-6C7Q

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in json_printf() in mjs.c.",
  "id": "GHSA-wc6r-37r6-6c7q",
  "modified": "2022-07-29T00:00:26Z",
  "published": "2022-07-27T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33442"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mjs/issues/161"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCG3-CVX6-7396

Vulnerability from github – Published: 2021-08-25 20:56 – Updated: 2024-06-10 18:40
VLAI
Summary
Segmentation fault in time
Details

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

The affected functions from time 0.2.7 through 0.2.22 are:

  • time::UtcOffset::local_offset_at
  • time::UtcOffset::try_local_offset_at
  • time::UtcOffset::current_local_offset
  • time::UtcOffset::try_current_local_offset
  • time::OffsetDateTime::now_local
  • time::OffsetDateTime::try_now_local

The affected functions in time 0.1 (all versions) are:

  • at
  • at_utc
  • now

Non-Unix targets (including Windows and wasm) are unaffected.

Patches

In some versions of time, the internal method that determines the local offset has been modified to always return None on the affected operating systems. This has the effect of returning an Err on the try_* methods and UTC on the non-try_* methods. In later versions, time will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.

Users and library authors with time in their dependency tree must perform cargo update, which will pull in the updated, unaffected code.

Users of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.

Workarounds

Library authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.

References

time-rs/time#293.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "time"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "0.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "time"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.7"
            },
            {
              "fixed": "0.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T21:06:21Z",
    "nvd_published_at": "2020-11-24T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user\u0027s knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).",
  "id": "GHSA-wcg3-cvx6-7396",
  "modified": "2024-06-10T18:40:10Z",
  "published": "2021-08-25T20:56:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/time-rs/time/issues/293"
    },
    {
      "type": "WEB",
      "url": "https://crates.io/crates/time/0.2.23"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/time-rs/time"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Segmentation fault in time"
}

GHSA-WCMH-FJ7M-GV6R

Vulnerability from github – Published: 2025-04-14 15:31 – Updated: 2026-06-26 00:32
VLAI
Details

A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-14T15:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash.",
  "id": "GHSA-wcmh-fj7m-gv6r",
  "modified": "2026-06-26T00:32:00Z",
  "published": "2025-04-14T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32909"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:8292"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-32909"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359353"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/431"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCP3-6XHG-H726

Vulnerability from github – Published: 2024-02-22 12:30 – Updated: 2024-02-22 12:30
VLAI
Details

A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.3, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to denial of service via specially crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-22T10:15:07Z",
    "severity": "HIGH"
  },
  "details": "A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.3, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to denial of service via specially crafted HTTP requests.",
  "id": "GHSA-wcp3-6xhg-h726",
  "modified": "2024-02-22T12:30:55Z",
  "published": "2024-02-22T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29180"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-111"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCQ2-H3FQ-C7CF

Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2024-04-04 06:53
VLAI
Details

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-11T14:15:11Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).",
  "id": "GHSA-wcq2-h3fq-c7cf",
  "modified": "2024-04-04T06:53:16Z",
  "published": "2023-08-11T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/292e41ce650a7b5ca5de4ae87fff0d6a90d9fc97"
    },
    {
      "type": "WEB",
      "url": "https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2020-November/272001.html"
    },
    {
      "type": "WEB",
      "url": "https://trac.ffmpeg.org/ticket/8960"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCR6-FH62-J9WM

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().

With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that has the link-local address as src and dst IP and will be forwarded to an external IP in the IPv6 Ext Hdr.

For example, the script below generates a packet whose src IP is the link-local address and dst is updated to 11::.

# for f in $(find /proc/sys/net/ -name seg6_enabled); do echo 1 > $f; done # python3

from socket import * from scapy.all import *

SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"

pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)

sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) sk.sendto(bytes(pkt), (DST_ADDR, 0))

For such a packet, we call ip6_route_input() to look up a route for the next destination in these three functions depending on the header type.

  • ipv6_rthdr_rcv()
  • ipv6_rpl_srh_rcv()
  • ipv6_srh_rcv()

If no route is found, ip6_null_entry is set to skb, and the following dst_input(skb) calls ip6_pkt_drop().

Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev as the input device is the loopback interface. Then, we have to check if skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref for ip6_null_entry.

BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: ip6_pkt_drop (net/ipv6/route.c:4513) ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) __netif_receive_skb_one_core (net/core/dev.c:5455) process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) __napi_poll (net/core/dev.c:6460) net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4231) ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) sock_sendmsg (net/socket.c:725 net/socket.c:748) __sys_sendto (net/socket.c:2134) __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x7f9dc751baea Code: d8 64 89 02 48 c7 c0 ff f ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp6: Fix null-ptr-deref of ip6_null_entry-\u003ert6i_idev in icmp6_dev().\n\nWith some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that\nhas the link-local address as src and dst IP and will be forwarded to\nan external IP in the IPv6 Ext Hdr.\n\nFor example, the script below generates a packet whose src IP is the\nlink-local address and dst is updated to 11::.\n\n  # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 \u003e $f; done\n  # python3\n  \u003e\u003e\u003e from socket import *\n  \u003e\u003e\u003e from scapy.all import *\n  \u003e\u003e\u003e\n  \u003e\u003e\u003e SRC_ADDR = DST_ADDR = \"fe80::5054:ff:fe12:3456\"\n  \u003e\u003e\u003e\n  \u003e\u003e\u003e pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)\n  \u003e\u003e\u003e pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=[\"11::\", \"22::\"], segleft=1)\n  \u003e\u003e\u003e\n  \u003e\u003e\u003e sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)\n  \u003e\u003e\u003e sk.sendto(bytes(pkt), (DST_ADDR, 0))\n\nFor such a packet, we call ip6_route_input() to look up a route for the\nnext destination in these three functions depending on the header type.\n\n  * ipv6_rthdr_rcv()\n  * ipv6_rpl_srh_rcv()\n  * ipv6_srh_rcv()\n\nIf no route is found, ip6_null_entry is set to skb, and the following\ndst_input(skb) calls ip6_pkt_drop().\n\nFinally, in icmp6_dev(), we dereference skb_rt6_info(skb)-\u003ert6i_idev-\u003edev\nas the input device is the loopback interface.  Then, we have to check if\nskb_rt6_info(skb)-\u003ert6i_idev is NULL or not to avoid NULL pointer deref\nfor ip6_null_entry.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)\nCode: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 \u003c48\u003e 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01\nRSP: 0018:ffffc90000003c70 EFLAGS: 00000286\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0\nRDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18\nRBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001\nR10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10\nR13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0\nFS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n ip6_pkt_drop (net/ipv6/route.c:4513)\n ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)\n ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))\n ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)\n __netif_receive_skb_one_core (net/core/dev.c:5455)\n process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)\n __napi_poll (net/core/dev.c:6460)\n net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:381)\n __dev_queue_xmit (net/core/dev.c:4231)\n ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)\n rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)\n sock_sendmsg (net/socket.c:725 net/socket.c:748)\n __sys_sendto (net/socket.c:2134)\n __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nRIP: 0033:0x7f9dc751baea\nCode: d8 64 89 02 48 c7 c0 ff f\n---truncated---",
  "id": "GHSA-wcr6-fh62-j9wm",
  "modified": "2025-12-11T15:30:29Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53343"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1462e9d9aa52d14665eaca6d89d22c4af44ede04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2aaa8a15de73874847d62eb595c6683bface80fd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61b4c4659746959056450b92a5d7e6bc1243b31b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8803c59fde4dd370a627dfbf7183682fa0cabf70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa657d319e6c7502a4eb85cc0ee80cc81b8e5724"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d30ddd7ff15df9d91a793ce3f06f0190ff7afacc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCWJ-RGXV-C28P

Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-09-08 00:00
VLAI
Details

A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-31T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.",
  "id": "GHSA-wcwj-rgxv-c28p",
  "modified": "2022-09-08T00:00:34Z",
  "published": "2022-09-01T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/5593473a1e6c743764b08e3b6071cb43b5cfa6c4"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-1263"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072698"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2022/04/07/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WF32-JQ3G-RPP7

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:01
VLAI
Details

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a Null pointer dereference vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-wf32-jq3g-rpp7",
  "modified": "2022-01-22T00:01:55Z",
  "published": "2022-01-15T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44741"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WF38-7V3F-5MJP

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-11-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: fix various gadget panics on 10gbps cabling

usb_assign_descriptors() is called with 5 parameters, the last 4 of which are the usb_descriptor_header for: full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps), high-speed (USB2.0 - 480Mbps), super-speed (USB3.0 - 5Gbps), super-speed-plus (USB3.1 - 10Gbps).

The differences between full/high/super-speed descriptors are usually substantial (due to changes in the maximum usb block size from 64 to 512 to 1024 bytes and other differences in the specs), while the difference between 5 and 10Gbps descriptors may be as little as nothing (in many cases the same tuning is simply good enough).

However if a gadget driver calls usb_assign_descriptors() with a NULL descriptor for super-speed-plus and is then used on a max 10gbps configuration, the kernel will crash with a null pointer dereference, when a 10gbps capable device port + cable + host port combination shows up. (This wouldn't happen if the gadget max-speed was set to 5gbps, but it of course defaults to the maximum, and there's no real reason to artificially limit it)

The fix is to simply use the 5gbps descriptor as the 10gbps descriptor, if a 10gbps descriptor wasn't provided.

Obviously this won't fix the problem if the 5gbps descriptor is also NULL, but such cases can't be so trivially solved (and any such gadgets are unlikely to be used with USB3 ports any way).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadget panics on 10gbps cabling\n\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\n\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\n\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn\u0027t happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there\u0027s no real reason to\nartificially limit it)\n\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn\u0027t provided.\n\nObviously this won\u0027t fix the problem if the 5gbps descriptor is also\nNULL, but such cases can\u0027t be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way).",
  "id": "GHSA-wf38-7v3f-5mjp",
  "modified": "2024-11-01T18:31:25Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47267"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WF5P-C75W-W3WH

Vulnerability from github – Published: 2021-08-25 14:39 – Updated: 2024-11-13 21:23
VLAI
Summary
Null pointer dereference in TFLite MLIR optimizations
Details

Impact

An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service:

This is caused by the MLIR optimization of L2NormalizeReduceAxis operator. The implementation unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements:

bool L2NormalizeReduceAxis(Value sq_op, DenseElementsAttr axis) {
  if (sq_op.getType().cast<ShapedType>().getRank() - 1 ==
          *axis.getValues<int>().begin() ||
      *axis.getValues<int>().begin() == -1) {
      // ...
  }
  // ...
}

Patches

We have patched the issue in GitHub commit d6b57f461b39fd1aa8c1b870f1b974aac3554955.

The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang of Baidu Security.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-24T17:58:35Z",
    "nvd_published_at": "2021-08-12T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service:\n\nThis is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70) unconditionally dereferences a pointer to an iterator to a vector without checking that the vector has elements:\n\n```cc\nbool L2NormalizeReduceAxis(Value sq_op, DenseElementsAttr axis) {\n  if (sq_op.getType().cast\u003cShapedType\u003e().getRank() - 1 ==\n          *axis.getValues\u003cint\u003e().begin() ||\n      *axis.getValues\u003cint\u003e().begin() == -1) {\n      // ...\n  }\n  // ...\n}\n```\n\n### Patches\nWe have patched the issue in GitHub commit [d6b57f461b39fd1aa8c1b870f1b974aac3554955](https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.\n  \n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n          \n### Attribution              \nThis vulnerability has been reported by Yakun Zhang of Baidu Security.",
  "id": "GHSA-wf5p-c75w-w3wh",
  "modified": "2024-11-13T21:23:11Z",
  "published": "2021-08-25T14:39:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wf5p-c75w-w3wh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/d6b57f461b39fd1aa8c1b870f1b974aac3554955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-602.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-800.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-311.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/lite/transforms/optimize.cc#L67-L70"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Null pointer dereference in TFLite MLIR optimizations"
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.