Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

GHSA-WF92-393R-9P92

Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-07-08 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix early boot crash on parameters without '=' separator

If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot.

Reject NULL values in hugetlb_add_param() and return -EINVAL instead.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T17:16:46Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix early boot crash on parameters without \u0027=\u0027 separator\n\nIf hugepages, hugepagesz, or default_hugepagesz are specified on the\nkernel command line without the \u0027=\u0027 separator, early parameter parsing\npasses NULL to hugetlb_add_param(), which dereferences it in strlen() and\ncan crash the system during early boot.\n\nReject NULL values in hugetlb_add_param() and return -EINVAL instead.",
  "id": "GHSA-wf92-393r-9p92",
  "modified": "2026-07-08T21:30:21Z",
  "published": "2026-06-08T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46284"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2774bcf714739cc6bb86f8812167bb9fbda70f6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/357c6d084b6137ae640209c5bfd01180f985c015"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c45b354911d01565156e38d7f6bc07edb51fc34c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFCC-QM3Q-FRP3

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations

On Adva boards, SMA sysfs store/get operations can call __handle_signal_outputs() or __handle_signal_inputs() while the irig and dcf pointers are uninitialized, leading to a NULL pointer dereference in __handle_signal() and causing a kernel crash. Adva boards don't use irig or dcf functionality, so add Adva-specific callbacks ptp_ocp_sma_adva_set_outputs() and ptp_ocp_sma_adva_set_inputs() that avoid invoking irig or dcf input/output routines.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations\n\nOn Adva boards, SMA sysfs store/get operations can call\n__handle_signal_outputs() or __handle_signal_inputs() while the `irig`\nand `dcf` pointers are uninitialized, leading to a NULL pointer\ndereference in __handle_signal() and causing a kernel crash. Adva boards\ndon\u0027t use `irig` or `dcf` functionality, so add Adva-specific callbacks\n`ptp_ocp_sma_adva_set_outputs()` and `ptp_ocp_sma_adva_set_inputs()` that\navoid invoking `irig` or `dcf` input/output routines.",
  "id": "GHSA-wfcc-qm3q-frp3",
  "modified": "2025-11-17T15:30:31Z",
  "published": "2025-05-20T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37910"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b349f9cdb4a9daa133bea267dfc0c383628387a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a543d825e78b8d680d8f891381b83fbffdb0bb6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e98386d79a23c57cf179fe4138322e277aa3aa74"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFCG-P9MH-53W7

Vulnerability from github – Published: 2024-04-03 15:30 – Updated: 2025-01-07 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super

When configuring a hugetlb filesystem via the fsconfig() syscall, there is a possible NULL dereference in hugetlbfs_fill_super() caused by assigning NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize is non valid.

E.g: Taking the following steps:

 fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC);
 fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0);
 fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);

Given that the requested "pagesize" is invalid, ctxt->hstate will be replaced with NULL, losing its previous value, and we will print an error:

... ... case Opt_pagesize: ps = memparse(param->string, &rest); ctx->hstate = h; if (!ctx->hstate) { pr_err("Unsupported page size %lu MB\n", ps / SZ_1M); return -EINVAL; } return 0; ... ...

This is a problem because later on, we will dereference ctxt->hstate in hugetlbfs_fill_super()

... ... sb->s_blocksize = huge_page_size(ctx->hstate); ... ...

Causing below Oops.

Fix this by replacing cxt->hstate value only when then pagesize is known to be valid.

kernel: hugetlbfs: Unsupported page size 0 MB kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028 kernel: #PF: supervisor read access in kernel mode kernel: #PF: error_code(0x0000) - not-present page kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0 kernel: Oops: 0000 [#1] PREEMPT SMP PTI kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017 kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28 kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004 kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000 kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004 kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000 kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400 kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0 kernel: Call Trace: kernel: kernel: ? __die_body+0x1a/0x60 kernel: ? page_fault_oops+0x16f/0x4a0 kernel: ? search_bpf_extables+0x65/0x70 kernel: ? fixup_exception+0x22/0x310 kernel: ? exc_page_fault+0x69/0x150 kernel: ? asm_exc_page_fault+0x22/0x30 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 kernel: ? hugetlbfs_fill_super+0xb4/0x1a0 kernel: ? hugetlbfs_fill_super+0x28/0x1a0 kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 kernel: vfs_get_super+0x40/0xa0 kernel: ? __pfx_bpf_lsm_capable+0x10/0x10 kernel: vfs_get_tree+0x25/0xd0 kernel: vfs_cmd_create+0x64/0xe0 kernel: __x64_sys_fsconfig+0x395/0x410 kernel: do_syscall_64+0x80/0x160 kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160 kernel: ? syscall_exit_to_user_mode+0x82/0x240 kernel: ? do_syscall_64+0x8d/0x160 kernel: ? exc_page_fault+0x69/0x150 kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76 kernel: RIP: 0033:0x7ffbc0cb87c9 kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48 kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af kernel: RAX: fffffffffff ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T15:15:52Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx-\u003ehstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\n\nE.g: Taking the following steps:\n\n     fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n     fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctxt-\u003ehstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param-\u003estring, \u0026rest);\n ctx-\u003ehstate = h;\n if (!ctx-\u003ehstate) {\n         pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n         return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctxt-\u003ehstate in\nhugetlbfs_fill_super()\n\n ...\n ...\n sb-\u003es_blocksize = huge_page_size(ctx-\u003ehstate);\n ...\n ...\n\nCausing below Oops.\n\nFix this by replacing cxt-\u003ehstate value only when then pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 \u003c8b\u003e 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel:  \u003cTASK\u003e\n kernel:  ? __die_body+0x1a/0x60\n kernel:  ? page_fault_oops+0x16f/0x4a0\n kernel:  ? search_bpf_extables+0x65/0x70\n kernel:  ? fixup_exception+0x22/0x310\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  ? asm_exc_page_fault+0x22/0x30\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel:  ? hugetlbfs_fill_super+0x28/0x1a0\n kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel:  vfs_get_super+0x40/0xa0\n kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel:  vfs_get_tree+0x25/0xd0\n kernel:  vfs_cmd_create+0x64/0xe0\n kernel:  __x64_sys_fsconfig+0x395/0x410\n kernel:  do_syscall_64+0x80/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? syscall_exit_to_user_mode+0x82/0x240\n kernel:  ? do_syscall_64+0x8d/0x160\n kernel:  ? exc_page_fault+0x69/0x150\n kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---",
  "id": "GHSA-wfcg-p9mh-53w7",
  "modified": "2025-01-07T21:30:54Z",
  "published": "2024-04-03T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26688"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFG9-R8XH-VW3H

Vulnerability from github – Published: 2024-08-17 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

apparmor: Fix null pointer deref when receiving skb during sock creation

The panic below is observed when receiving ICMP packets with secmark set while an ICMP raw socket is being created. SK_CTX(sk)->label is updated in apparmor_socket_post_create(), but the packet is delivered to the socket before that, causing the null pointer dereference. Drop the packet if label context is not set.

BUG: kernel NULL pointer dereference, address: 000000000000004c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020
RIP: 0010:aa_label_next_confined+0xb/0x40
Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2
RSP: 0018:ffffa92940003b08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e
RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002
R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0
PKRU: 55555554
Call Trace:
 <IRQ>
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? exc_page_fault+0x7f/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? aa_label_next_confined+0xb/0x40
 apparmor_secmark_check+0xec/0x330
 security_sock_rcv_skb+0x35/0x50
 sk_filter_trim_cap+0x47/0x250
 sock_queue_rcv_skb_reason+0x20/0x60
 raw_rcv+0x13c/0x210
 raw_local_deliver+0x1f3/0x250
 ip_protocol_deliver_rcu+0x4f/0x2f0
 ip_local_deliver_finish+0x76/0xa0
 __netif_receive_skb_one_core+0x89/0xa0
 netif_receive_skb+0x119/0x170
 ? __netdev_alloc_skb+0x3d/0x140
 vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
 vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
 __napi_poll+0x28/0x1b0
 net_rx_action+0x2a4/0x380
 __do_softirq+0xd1/0x2c8
 __irq_exit_rcu+0xbb/0xf0
 common_interrupt+0x86/0xa0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40
RIP: 0010:apparmor_socket_post_create+0xb/0x200
Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48
RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286
RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003
R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748
 ? __pfx_apparmor_socket_post_create+0x10/0x10
 security_socket_post_create+0x4b/0x80
 __sock_create+0x176/0x1f0
 __sys_socket+0x89/0x100
 __x64_sys_socket+0x17/0x20
 do_syscall_64+0x5d/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T09:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix null pointer deref when receiving skb during sock creation\n\nThe panic below is observed when receiving ICMP packets with secmark set\nwhile an ICMP raw socket is being created. SK_CTX(sk)-\u003elabel is updated\nin apparmor_socket_post_create(), but the packet is delivered to the\nsocket before that, causing the null pointer dereference.\nDrop the packet if label context is not set.\n\n    BUG: kernel NULL pointer dereference, address: 000000000000004c\n    #PF: supervisor read access in kernel mode\n    #PF: error_code(0x0000) - not-present page\n    PGD 0 P4D 0\n    Oops: 0000 [#1] PREEMPT SMP NOPTI\n    CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df\n    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020\n    RIP: 0010:aa_label_next_confined+0xb/0x40\n    Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 \u003c8b\u003e 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2\n    RSP: 0018:ffffa92940003b08 EFLAGS: 00010246\n    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e\n    RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000\n    RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002\n    R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400\n    R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000\n    FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0\n    PKRU: 55555554\n    Call Trace:\n     \u003cIRQ\u003e\n     ? __die+0x23/0x70\n     ? page_fault_oops+0x171/0x4e0\n     ? exc_page_fault+0x7f/0x180\n     ? asm_exc_page_fault+0x26/0x30\n     ? aa_label_next_confined+0xb/0x40\n     apparmor_secmark_check+0xec/0x330\n     security_sock_rcv_skb+0x35/0x50\n     sk_filter_trim_cap+0x47/0x250\n     sock_queue_rcv_skb_reason+0x20/0x60\n     raw_rcv+0x13c/0x210\n     raw_local_deliver+0x1f3/0x250\n     ip_protocol_deliver_rcu+0x4f/0x2f0\n     ip_local_deliver_finish+0x76/0xa0\n     __netif_receive_skb_one_core+0x89/0xa0\n     netif_receive_skb+0x119/0x170\n     ? __netdev_alloc_skb+0x3d/0x140\n     vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n     vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]\n     __napi_poll+0x28/0x1b0\n     net_rx_action+0x2a4/0x380\n     __do_softirq+0xd1/0x2c8\n     __irq_exit_rcu+0xbb/0xf0\n     common_interrupt+0x86/0xa0\n     \u003c/IRQ\u003e\n     \u003cTASK\u003e\n     asm_common_interrupt+0x26/0x40\n    RIP: 0010:apparmor_socket_post_create+0xb/0x200\n    Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 \u003c55\u003e 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48\n    RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286\n    RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001\n    RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740\n    RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\n    R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003\n    R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748\n     ? __pfx_apparmor_socket_post_create+0x10/0x10\n     security_socket_post_create+0x4b/0x80\n     __sock_create+0x176/0x1f0\n     __sys_socket+0x89/0x100\n     __x64_sys_socket+0x17/0x20\n     do_syscall_64+0x5d/0x90\n     ? do_syscall_64+0x6c/0x90\n     ? do_syscall_64+0x6c/0x90\n     ? do_syscall_64+0x6c/0x90\n     entry_SYSCALL_64_after_hwframe+0x72/0xdc",
  "id": "GHSA-wfg9-r8xh-vw3h",
  "modified": "2025-11-04T00:31:11Z",
  "published": "2024-08-17T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52889"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0abe35bc48d4ec80424b1f4b3560c0e082cbd5c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/290a6b88e8c19b6636ed1acc733d1458206f7697"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/347dcb84a4874b5fb375092c08d8cc4069b94f81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46c17ead5b7389e22e7dc9903fd0ba865d05bda2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c920754f62cefc63fccdc38a062c7c3452e2961"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ead2ad1d9f045f26fdce3ef1644913b3a6cd38f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fce09ea314505a52f2436397608fa0a5d0934fb1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFGH-48CF-2678

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: fix kernel crash if commands allocation fails

If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference.

nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008

Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fix kernel crash if commands allocation fails\n\nIf the commands allocation fails in nvmet_tcp_alloc_cmds()\nthe kernel crashes in nvmet_tcp_release_queue_work() because of\na NULL pointer dereference.\n\n  nvmet: failed to install queue 0 cntlid 1 ret 6\n  Unable to handle kernel NULL pointer dereference at\n         virtual address 0000000000000008\n\nFix the bug by setting queue-\u003enr_cmds to zero in case\nnvmet_tcp_alloc_cmd() fails.",
  "id": "GHSA-wfgh-48cf-2678",
  "modified": "2025-11-04T00:31:29Z",
  "published": "2024-09-18T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46737"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03e1fd0327fa5e2174567f5fe9290fe21d21b8f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/489f2913a63f528cfe3f21722583fb981967ecda"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50632b877ce55356f5d276b9add289b1e7ddc683"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5572a55a6f830ee3f3a994b6b962a5c327d28cb3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c04d1e3ab22cc5394ef656429638a5947f87244"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7957c731fc2b23312f8935812dee5a0b14b04e2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91dad30c5607e62864f888e735d0965567827bdf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFJJ-GQW7-Q2X8

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-06-29 00:00
VLAI
Details

A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-21834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-17T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164.",
  "id": "GHSA-wfjj-gqw7-q2x8",
  "modified": "2022-06-29T00:00:30Z",
  "published": "2022-05-24T19:02:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21834"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibreDWG/libredwg/issues/188#issuecomment-574492468"
    },
    {
      "type": "WEB",
      "url": "http://gnu.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFMJ-Q8M4-96GM

Vulnerability from github – Published: 2024-06-20 12:31 – Updated: 2024-09-18 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc

The function performs a check on the "ctx" input parameter, however, it is used before the check.

Initialize the "base" variable after the sanity check to avoid a possible NULL pointer dereference.

Addresses-Coverity-ID: 1493866 ("Null pointer dereference")

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc\n\nThe function performs a check on the \"ctx\" input parameter, however, it\nis used before the check.\n\nInitialize the \"base\" variable after the sanity check to avoid a\npossible NULL pointer dereference.\n\nAddresses-Coverity-ID: 1493866 (\"Null pointer dereference\")",
  "id": "GHSA-wfmj-q8m4-96gm",
  "modified": "2024-09-18T18:30:49Z",
  "published": "2024-06-20T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48749"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/170b22234d5495f5e0844246e23f004639ee89ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ebc18836d5df09061657f8c548e594cbb519476"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f069f6dde518dfebe86e848508c07e497bd9298"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93a6e920d8ccb4df846c03b6e72f7e08843d294c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFP2-GQ58-RF57

Vulnerability from github – Published: 2025-01-31 12:33 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Clear port select structure when fail to create

Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash:

mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 1 mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 0 mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] process_one_work+0x170/0x3e0 worker_thread+0x2d8/0x3e0 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T12:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clear port select structure when fail to create\n\nClear the port select structure on error so no stale values left after\ndefiners are destroyed. That\u0027s because the mlx5_lag_destroy_definers()\nalways try to destroy all lag definers in the tt_map, so in the flow\nbelow lag definers get double-destroyed and cause kernel crash:\n\n  mlx5_lag_port_sel_create()\n    mlx5_lag_create_definers()\n      mlx5_lag_create_definer()     \u003c- Failed on tt 1\n        mlx5_lag_destroy_definers() \u003c- definers[tt=0] gets destroyed\n  mlx5_lag_port_sel_create()\n    mlx5_lag_create_definers()\n      mlx5_lag_create_definer()     \u003c- Failed on tt 0\n        mlx5_lag_destroy_definers() \u003c- definers[tt=0] gets double-destroyed\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n Mem abort info:\n   ESR = 0x0000000096000005\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x05: level 1 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00\n [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]\n  CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G           OE      6.11.0+ #2\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n  Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n  lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n  sp : ffff800085fafb00\n  x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000\n  x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000\n  x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000\n  x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350\n  x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0\n  x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c\n  x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190\n  x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000\n  x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000\n  Call trace:\n   mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n   mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n   mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]\n   mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]\n   mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]\n   mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]\n   process_one_work+0x170/0x3e0\n   worker_thread+0x2d8/0x3e0\n   kthread+0x11c/0x128\n   ret_from_fork+0x10/0x20\n  Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)\n  ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-wfp2-gq58-rf57",
  "modified": "2025-11-03T21:32:30Z",
  "published": "2025-01-31T12:33:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21675"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f6e619ef2a4def555b14ac2aeb4304bfccad59b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/473bc285378f49aa27e5b3e95a6d5ed12995d654"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5641e82cb55b4ecbc6366a499300917d2f3e6790"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/efc92a260e23cf9fafb0b6f6c9beb6f8df93fab4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFP6-C53G-9X25

Vulnerability from github – Published: 2022-05-14 00:54 – Updated: 2022-05-14 00:54
VLAI
Details

chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has '\0' as its first or second character (such as the "/\0" name).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-23T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has \u0027\\0\u0027 as its first or second character (such as the \"/\\0\" name).",
  "id": "GHSA-wfp6-c53g-9x25",
  "modified": "2022-05-14T00:54:46Z",
  "published": "2022-05-14T00:54:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18585"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2018-18585"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/911637"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201903-20"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/viewAlert.x?alertId=59134"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3814-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3814-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3814-3"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2018/10/22/1"
    },
    {
      "type": "WEB",
      "url": "https://www.starwindsoftware.com/security/sw-20181213-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.suse.com/security/cve/CVE-2018-18585"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFPP-99HH-HJ75

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix steering rules cleanup

vport's mc, uc and multicast rules are not deleted in teardown path when EEH happens. Since the vport's promisc settings(uc, mc and all) in firmware are reset after EEH, mlx5 driver will try to delete the above rules in the initialization path. This cause kernel crash because these software rules are no longer valid.

Fix by nullifying these rules right after delete to avoid accessing any dangling pointers.

Call Trace: __list_del_entry_valid+0xcc/0x100 (unreliable) tree_put_node+0xf4/0x1b0 [mlx5_core] tree_remove_node+0x30/0x70 [mlx5_core] mlx5_del_flow_rules+0x14c/0x1f0 [mlx5_core] esw_apply_vport_rx_mode+0x10c/0x200 [mlx5_core] esw_update_vport_rx_mode+0xb4/0x180 [mlx5_core] esw_vport_change_handle_locked+0x1ec/0x230 [mlx5_core] esw_enable_vport+0x130/0x260 [mlx5_core] mlx5_eswitch_enable_sriov+0x2a0/0x2f0 [mlx5_core] mlx5_device_enable_sriov+0x74/0x440 [mlx5_core] mlx5_load_one+0x114c/0x1550 [mlx5_core] mlx5_pci_resume+0x68/0xf0 [mlx5_core] eeh_report_resume+0x1a4/0x230 eeh_pe_dev_traverse+0x98/0x170 eeh_handle_normal_event+0x3e4/0x640 eeh_handle_event+0x4c/0x370 eeh_event_handler+0x14c/0x210 kthread+0x168/0x1b0 ret_from_kernel_thread+0x5c/0x84

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix steering rules cleanup\n\nvport\u0027s mc, uc and multicast rules are not deleted in teardown path when\nEEH happens. Since the vport\u0027s promisc settings(uc, mc and all) in\nfirmware are reset after EEH, mlx5 driver will try to delete the above\nrules in the initialization path. This cause kernel crash because these\nsoftware rules are no longer valid.\n\nFix by nullifying these rules right after delete to avoid accessing any dangling\npointers.\n\nCall Trace:\n__list_del_entry_valid+0xcc/0x100 (unreliable)\ntree_put_node+0xf4/0x1b0 [mlx5_core]\ntree_remove_node+0x30/0x70 [mlx5_core]\nmlx5_del_flow_rules+0x14c/0x1f0 [mlx5_core]\nesw_apply_vport_rx_mode+0x10c/0x200 [mlx5_core]\nesw_update_vport_rx_mode+0xb4/0x180 [mlx5_core]\nesw_vport_change_handle_locked+0x1ec/0x230 [mlx5_core]\nesw_enable_vport+0x130/0x260 [mlx5_core]\nmlx5_eswitch_enable_sriov+0x2a0/0x2f0 [mlx5_core]\nmlx5_device_enable_sriov+0x74/0x440 [mlx5_core]\nmlx5_load_one+0x114c/0x1550 [mlx5_core]\nmlx5_pci_resume+0x68/0xf0 [mlx5_core]\neeh_report_resume+0x1a4/0x230\neeh_pe_dev_traverse+0x98/0x170\neeh_handle_normal_event+0x3e4/0x640\neeh_handle_event+0x4c/0x370\neeh_event_handler+0x14c/0x210\nkthread+0x168/0x1b0\nret_from_kernel_thread+0x5c/0x84",
  "id": "GHSA-wfpp-99hh-hj75",
  "modified": "2025-11-12T21:31:00Z",
  "published": "2025-05-02T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53079"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18cead61e437f4c7898acca0a5f3df12f801d97f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4df1f2d36bdc9a368650bf14b9097c555e95f71d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/63546395a0e6ac264f78f65218086ce6014b4494"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f5780536181d1d0d09a11a1bc92f22e143447e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/922f56e9a795d6f3dd72d3428ebdd7ee040fa855"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.