Null Pointer Dereference
Monthly
Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.
Denial of service in the Matter SDK (connectedhomeip) before 1.4.0 lets a remote unauthenticated attacker crash a smart-home device by sending a crafted read request. The flaw lives in the ReadRevisionAttribute function, which is reused across multiple clusters (Channel, Account Login, TargetNavigator), so any device exposing those clusters is affected. No public exploit identified at time of analysis, and the issue is availability-only (no code execution or data exposure).
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker gain elevated (SYSTEM-level) privileges by triggering a NULL pointer dereference (CWE-476) in kernel-mode code. The flaw affects a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network.
Local privilege escalation in Windows Image Acquisition (WIA) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a NULL pointer dereference can be leveraged by an already-authenticated local user to elevate privileges. Microsoft rates it 7.8 (High) with full confidentiality, integrity, and availability impact despite the flaw class typically causing denial of service. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Null pointer dereference in Windows Active Directory Domain Services (AD DS) enables a low-privileged authenticated attacker to crash the service remotely, causing denial of service across the affected domain. The flaw spans a wide range of Windows client and server releases, from Windows 10 version 1607 through Windows 11 version 26H1 and Windows Server 2012 through 2025. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the network-accessible attack surface and low privilege requirement lower the bar for abuse in environments with broad domain user access.
NULL pointer dereference in Zephyr RTOS's syscall verifier allows an unprivileged user-mode thread to crash the kernel across the userspace security boundary. The z_vrfy_k_thread_name_copy() verification handler in kernel/thread.c incorrectly guards against the caller-supplied thread pointer being NULL rather than the ko pointer returned by k_object_find(), so any non-NULL but unregistered address bypasses the check and triggers a supervisor-mode NULL dereference that halts or reboots the system. Affecting Zephyr v2.0.0 through v4.4.0 when built with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled, no public exploit code and no CISA KEV listing have been identified at time of analysis, but the one-syscall reproducibility makes this straightforward to trigger in qualifying builds.
Null pointer dereference in open62541's client library (versions up to 1.5.5) allows a remote OPC UA server to crash a connecting client by returning a malformed Server_NamespaceArray during session establishment, causing denial of service. The flaw is client-side only - server deployments are unaffected - and exploitation requires the attacker to control or impersonate a server the vulnerable client connects to, making practical exploitation high-complexity. A proof-of-concept exists as a GitHub issue report; no public exploit is confirmed as weaponized and the vulnerability is not listed in CISA KEV.
Denial of service in the Crypt::OpenSSL::X509 Perl module before 2.1.3 lets a malformed X.509 certificate crash any Perl process that parses it. Four helper functions (basicC, ia5string, auth_att, keyid_data) dereference NULL pointers returned by OpenSSL's X509V3_EXT_d2i() on unparseable extensions - and keyid_data/auth_att additionally deref an akid->keyid field that is legitimately NULL for an empty Authority Key Identifier (DER 30 00). There is no public exploit identified at time of analysis, but the fix commit and a clear crash mechanism are published; CVSS is 7.5 (availability-only).
NULL pointer dereference in NanaZip's custom archive handlers crashes the application when a user tests or extracts archives of seven specific formats. All NanaZip versions prior to 6.5.1749.0 are affected; the seven vulnerable handlers cover WebAssembly, ElectronAsar, Zealfs, Romfs, Ufs, Littlefs, and DotNetSingleFile archive types. Impact is limited to a process crash (denial of service) with no confidentiality or integrity consequence; no public exploit or active exploitation has been identified at time of analysis.
NULL pointer dereference in the Juniper Networks Junos OS and Junos OS Evolved management daemon (mgd) allows a local, high-privileged attacker to crash the mgd process by manipulating a specific 'system services ssh' configuration parameter. Repeated execution of the offending configuration commands sustains the Denial of Service condition until the action ceases, as mgd will restart but crash again upon re-triggering. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; the attack barrier is high, requiring both local access and administrative-level credentials.
Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial single-packet trigger and passive-monitoring exposure make it operationally significant for security teams running Zeek inline or on tapped traffic.
Null pointer dereference in GNU LibreDWG up to 0.13.4 allows a local low-privileged attacker to crash any application that processes a maliciously crafted DWG file via the `dwg_next_entity` function in `src/dwg.c`, resulting in denial of service. A proof-of-concept exploit file is publicly available (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV. The issue is fully resolved by upgrading to version 0.14, which includes a committed upstream patch.
GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting in denial of service. Improper handling of consecutive end-of-file newline markers corrupts internal hunk data structures, causing a NULL pointer to be passed to fwrite() during processing. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is constrained by the requirement for user interaction with a malicious file.
Wireshark's SSH protocol dissector crashes via a null pointer dereference (CWE-476) in versions 4.4.0-4.4.16 and 4.6.0-4.6.6, enabling denial of service against any analyst or engineer running an affected build. The flaw is triggered locally when Wireshark processes malformed SSH protocol data, whether from a live capture or a crafted packet capture file, causing the application to crash and disrupting network analysis workflows. No active exploitation has been confirmed in CISA KEV, and no public exploit code is known at time of analysis.
Denial of service in Wazuh wazuh-modulesd (all releases before 5.0.0-beta3) lets an enrolled agent crash the manager's inventory synchronization module by sending a verifier-valid FlatBuffer DataValue message that omits the optional id field, triggering a null pointer dereference (CWE-476). Exploitation requires only a valid enrolled agent (PR:L) over the network with no user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is availability-only - no data confidentiality or integrity loss - but it can repeatedly take down central inventory sync, blinding a security monitoring deployment.
NULL pointer dereference in SQLite's Session Extension crashes any application that passes attacker-controlled changeset blobs to sqlite3changeset_apply_v3(). Affected releases include SQLite 3.53.1 and all trunk builds prior to check-in e807d4e3798efd53. Impact is limited to availability - the process crashes - but because SQLite is embedded ubiquitously, the blast radius depends entirely on how widely consuming applications expose this code path to untrusted input. A public proof-of-concept gist is referenced in the CVE record; no public exploit identified at time of analysis beyond that demonstrator, and the vulnerability is not listed in CISA KEV.
Null pointer dereference in the ONNX Python library's version converter crashes any application that calls `onnx.version_converter.convert_version()` on a crafted model containing an Upsample node with zero inputs, producing an unrecoverable SIGSEGV. Affected versions include at minimum onnx 1.21.0 and 1.22.0, confirmed by a 107-byte public proof-of-concept; the vulnerability is part of a systemic pattern spanning eight adapters. No public active exploitation is confirmed in CISA KEV, but the trivially small PoC eliminates any meaningful exploitation barrier for threat actors targeting ML model conversion pipelines.
Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. No public exploit code has been identified and this CVE is absent from the CISA KEV catalog; exploitation is gated on specific flash media conditions (uncorrectable ECC, bad block, or induced fault) occurring on a checkpoint page at mount time, constraining real-world risk to physical or supply-chain threat models.
NULL pointer dereference in GPAC's smooth_parse_stream_index() function crashes the application when processing a maliciously crafted MPEG-DASH or Smooth Streaming media file, resulting in denial of service. Affected versions are all GPAC master HEAD builds prior to commit b35c61f104b85fbb16520ac2838d5d2ef70845b5. Exploitation requires local access and user interaction to open a crafted file; a proof-of-concept is publicly available via GitHub Gist, though EPSS sits at 0.17% (7th percentile) and no active exploitation has been confirmed by CISA KEV.
Null Pointer Dereference in Adobe DNG SDK versions 1.7.1 build 2536 and earlier allows an attacker to crash any application embedding the SDK by supplying a specially crafted DNG file. The flaw is strictly a denial-of-service with no confidentiality or integrity impact, and requires a victim to open the malicious file, constraining realistic exposure to imaging pipelines or end-user applications that ingest untrusted DNG content. No public exploit code and no active exploitation have been identified at time of analysis.
Null pointer dereference in GPAC 26.02.0's nhmldump_send_frame function (src/filters/write_nhml.c) allows a local, low-privileged attacker to crash the application by supplying crafted media input to the NHML write filter. Impact is strictly limited to availability - a process-level denial of service with no confidentiality or integrity implications. A publicly available proof-of-concept exploit exists (GitHub issue #3596), though the vendor itself characterizes this class of issue as 'more bugs than vulns,' contextualizing it as a robustness fix rather than an urgent security incident.
Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to crash the entire server by sending a second INFO protocol message before CONNECT on the leafnode port, triggering a nil-pointer dereference (c.acc == nil) that panics the process. All server instances exposing a leafnode listener prior to v2.11.17 (2.11.x) and v2.12.8 (2.12.x) are affected. No public exploit has been identified, but the vendor's own regression test (TestLeafNodeSecondInfoBeforeConnectDoesNotPanic) demonstrates the exact crash payload, and the CVSS availability-only vector (7.5) reflects a single-packet, no-auth crash.
Denial of service in the mruby/c lightweight Ruby VM (all releases through 3.4.1) arises from a NULL pointer dereference in op_super()/OP_SUPER within src/vm.c, where a runtime guard for a top-level 'super' call is missing. When the interpreter executes a script that invokes 'super' outside of any method context, the VM dereferences a NULL pointer and crashes. There is no public exploit identified at time of analysis, and the low EPSS score (0.15%, 5th percentile) reflects limited exploitation interest; impact is confined to availability (CWE-476).
NULL pointer dereference in the Zephyr RTOS MAX32xxx USB device controller driver (udc_max32.c) crashes devices running Zephyr v4.4.0 when a physically connected USB host aborts an in-flight EP0 control transfer by sending a new SETUP packet - a completely legal USB protocol action. The race condition between interrupt-queued transfer-completion events and asynchronous FIFO draining by the driver thread causes net_buf_add(NULL, ...) when udc_buf_get() returns NULL on an empty FIFO, producing a near-NULL pointer dereference and device fault. No active exploitation has been confirmed (not in CISA KEV), and no public proof-of-concept code has been identified at time of analysis; real-world risk is constrained by the physical access prerequisite and the specific MAX32xxx hardware dependency.
Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.
Denial-of-service via NULL pointer dereference in PipeWire's RAOP (Remote Audio Output Protocol) module affects Red Hat Enterprise Linux 8, 9, and 10. The RAOP module fails to enforce an upper bound on Content-Length values in incoming requests and does not validate the return value of pw_array_add(); when a sufficiently large Content-Length triggers an allocation failure, the unchecked NULL return causes a crash of the PipeWire daemon, resulting in complete loss of audio services. No special authentication is required from the adjacent network, and no public exploit or CISA KEV listing has been identified at time of analysis.
Remote denial of service in the MediaTek Modem firmware component affects approximately 60 chipset models via a null pointer dereference triggered when a target device connects to a rogue cellular base station. An attacker controlling a fake eNodeB or gNodeB can transmit crafted modem protocol messages that cause improper input validation to fail, crashing the modem and stripping affected devices of cellular connectivity. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation status as none, indicating this remains a theoretical but technically feasible threat for well-resourced actors.
Denial of service in Aleksoid1978 MPC-BE (Media Player Classic - Black Edition) prior to commit 4341cb3 lets an attacker crash the player by supplying a crafted MP4 file that triggers a NULL pointer dereference in the bundled Bento4 AP4_AtomSampleTable::GetSample() routine. A proof-of-concept is referenced (SSVC exploitation: poc), but there is no public exploit identified as weaponized and it is not in CISA KEV; impact is limited to availability with no code execution, data disclosure, or integrity loss. EPSS is low at 0.15% (5th percentile), consistent with a crash-only bug that requires a victim to open a malicious file.
A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs by repeatedly probing the unprotected /api/orgs/lookup/ endpoint. The LookupOrg handler unconditionally dereferences the session user object, which is nil for unauthenticated callers, triggering a Go panic on every such request; gin's recovery middleware catches each panic and returns HTTP 500, keeping the server alive but writing approximately 37 lines of stack trace per request to the error log. No active exploitation is confirmed in CISA KEV, but the zero-prerequisite attack surface - no credentials, no special configuration, no user interaction - makes low-bandwidth log-flooding trivially achievable by any unauthenticated network attacker.
Denial of service in Zephyr RTOS v4.4.0 allows an attacker with access to a serial, UART, or shell-console interface to crash an affected embedded device by exhausting the MCUmgr shared buffer pool and triggering a NULL pointer dereference. The defect in mcumgr_serial_process_frag() (CWE-476) was introduced during the MCUmgr rework and manifests in default builds where assertion checks are compiled out, making the write-through-NULL a hard fault rather than a caught assertion. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but exploitation is straightforward for any attacker with interface access.
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.
NULL pointer dereference in the Linux kernel's AMD64 AGP driver crashes systems running in virtualized environments without physical AMD northbridge hardware. Broken error propagation in `agp_amd64_probe()` - comparing `cache_nbs()` return value against exactly `-1` rather than `< 0` - masks the `-ENODEV` error code, allowing the driver to proceed with initialization, ultimately causing a General Protection Fault in `amd64_fetch_size()` when `node_to_amd_nb(0)` returns NULL. No public exploit has been identified at time of analysis, EPSS is 0.18% (7th percentile), and impact is confined to local denial of service via kernel crash; patches are confirmed available across multiple stable branches.
NULL pointer dereference in the Zephyr Bluetooth LE Audio Basic Audio Profile unicast client crashes devices running Zephyr v4.3.0 and v4.4.0 (and earlier) when connected to a malicious or buggy remote ASCS server. The handler unicast_client_ep_qos_state() writes attacker-controlled QoS fields through stream->qos without verifying the pointer is non-NULL - a condition that legitimately exists during the window between bt_bap_stream_config() and unicast_group_add_stream(). No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but CVSS adjacency (AV:A) and no-auth (PR:N) make it exploitable by any device within Bluetooth LE radio range acting as a rogue ASCS server.
NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver crashes the host kernel when initializing Virtual Function (VF) devices in VFIO passthrough or nested KVM environments where `pdev->slot` is unpopulated. Systems running affected kernel versions in Azure-style or nested virtualization deployments face deterministic kernel panics and total availability loss on the host. No public exploit code has been identified, and EPSS probability is 0.16% (5th percentile), indicating low opportunistic exploitation risk - though in targeted Azure or nested KVM environments, the crash is straightforwardly reproducible.
NULL pointer dereference in the Linux kernel's mt76/mt7925 WiFi driver crashes the kernel when the 'sta' pointer is dereferenced before a NULL check in mt7925_tx_check_aggr(). Systems with MediaTek mt7925 WiFi hardware running affected kernel versions are exposed to a local denial-of-service via kernel panic. No public exploit exists and EPSS is at the 5th percentile (0.16%), indicating no observed widespread exploitation; patches have been applied across multiple stable kernel branches.
NULL pointer dereference in the Linux kernel's AMD RAS subsystem crashes systems with AMD GPU hardware. The function `ras_core_ras_interrupt_detected()` in `drm/amd/ras` fails to validate the `ras_core` pointer before dereferencing `ras_core->dev` in an error path, enabling a local low-privilege user to trigger a kernel panic and denial of service. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS at 0.14% (4th percentile) confirms negligible current exploitation probability. Upstream fix commits are available in stable kernel trees.
NULL pointer dereference in the Linux kernel's drm/amd/ras subsystem allows a local low-privileged user to crash the kernel on systems with AMD GPUs. The flaw in ras_core_get_utc_second_timestamp() occurs when a NULL ras_core pointer passes a conditional check but is then dereferenced in the subsequent error-printing path, producing a kernel panic. No public exploit exists and EPSS sits at 0.15% (4th percentile), placing this firmly as a low-urgency local denial-of-service hardening issue despite the Availability:High CVSS rating.
NULL pointer dereference in the Linux kernel AMD display driver (drm/amd/display) can cause a kernel panic on systems running AMD GPUs, resulting in a complete denial of service. The flaw resides in dc_dmub_srv_log_diagnostic_data() and dc_dmub_srv_enable_dpia_trace() in dc_dmub_srv.c, where a combined NULL guard incorrectly permits DC_LOG_ERROR() - which internally dereferences dc_dmub_srv->ctx - to execute when dc_dmub_srv itself is NULL. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating very low exploitation probability in the wild.
Null pointer dereference in the Linux kernel's pinctrl subsystem allows a local low-privileged attacker to crash the kernel, causing a denial of service. The flaw exists in pinconf_generic_parse_dt_pinmux(), which fails to validate that a 'pinmux' Device Tree property is non-empty before use - an empty property causes the allocator to return an invalid non-NULL pointer, and subsequent memory access triggers a kernel panic. No public exploit code exists and EPSS is 0.15% (5th percentile), reflecting low real-world exploitation probability; exploitation is further constrained to systems with specific pinctrl hardware and Device Tree configurations.
NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. Systems with ps883x retimer hardware running affected kernel versions are vulnerable when a privileged local user unbinds the driver via sysfs. No active exploitation is confirmed (no CISA KEV listing), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's EIP93 hardware crypto driver triggers a kernel panic during AEAD crypto operations on affected embedded systems. The root cause is a self-contradictory algorithm lookup mask in eip93_hmac_setkey() - CRYPTO_ALG_ASYNC is passed as an exclusion mask, yet EIP93 algorithms are inherently async, so the lookup always returns -ENOENT. This leaves the AEAD security association record with zeroed digest fields; any subsequent crypto operation then dereferences a NULL context pointer, crashing the kernel. No public exploit is identified at time of analysis, and EPSS is very low (0.17%, 6th percentile), reflecting the narrow hardware-specific attack surface.
Null pointer dereference in the Amlogic T7 SoC reset driver crashes the Linux kernel when uninitialized reset operation callbacks are invoked, causing a full system denial of service. Local low-privilege users on systems physically equipped with an Amlogic T7 SoC are affected across kernel versions from the introduction commit through the patched releases 6.18.33, 7.0.10, and 7.1. No public exploit has been identified and EPSS of 0.17% (6th percentile) reflects negligible real-world exploitation interest; this is a hardware-specific stability fix rather than an actively exploited security threat.
NULL pointer dereference in the Linux kernel's Airoha QDMA network driver causes a kernel panic (denial of service) when queue entry list allocation fails during TX queue initialization. Systems running Airoha-based network hardware on affected kernel versions - including Linux 6.19 - are vulnerable when the driver's cleanup path dereferences an uninitialized descriptor array pointer. No public exploit exists and EPSS sits at 0.17% (6th percentile), indicating minimal real-world exploitation activity; no CISA KEV listing.
NULL pointer dereference in the Linux kernel's airoha QDMA network driver crashes the kernel when RX queue initialization fails mid-way through allocation. The flaw exists in airoha_qdma_init_rx_queue() where early ndesc initialization causes the cleanup routine to call netif_napi_del() on NAPI structures never registered via netif_napi_add(), dereferencing a null pointer and causing a local denial of service. No public exploit identified and EPSS at 0.17% (6th percentile) reflects minimal real-world exploitation probability; impact is constrained to systems running Airoha QDMA-based network hardware.
Kernel panic via NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver allows a local low-privileged user to crash the host when a power management resume failure leaves the driver in a torn-down state. The mana_remove() function is invoked twice - first during a failed mana_probe() recovery path that nullifies gdma_context and driver_data, and again when the driver is subsequently unbound - dereferencing a NULL gc pointer. No public exploit exists and EPSS is 0.17% (6th percentile), indicating minimal real-world exploitation activity; however, the impact on Azure Linux VM availability is complete (kernel panic).
Kernel crash via NULL pointer dereference in the ALSA HDA Conexant audio driver affects Linux kernel stable branches from 5.15 through 7.0, exploitable by a local low-privileged user on systems with Conexant HDA audio hardware. The cx_probe() function ignores the error pointer returned by snd_hda_jack_detect_enable_callback() on memory allocation failure, leaving the jack detection callback unregistered and an internal structure uninitialized; a subsequent audio jack event then triggers a kernel panic. No public exploit exists and no CISA KEV listing is present; EPSS is 0.17% (7th percentile), confirming very low real-world exploitation probability.
NULL pointer dereference in the Linux kernel ice driver's ice_reset_all_vfs() function crashes the host kernel when a Virtual Function VSI rebuild fails during concurrent NVM firmware updates on Intel E800-series NICs. Systems with SR-IOV enabled on Intel E800-series adapters running kernel versions from 5.8 through the patched stable releases are affected. An attacker or privileged local process can trigger a kernel panic by initiating a VF reset while nvmupdate64e has placed Admin Queue commands in a transitional failure state, resulting in complete host denial of service. No public exploit exists and EPSS is negligible at 0.17% (7th percentile); CISA KEV listing is absent.
Improper error handling in the btrfs filesystem's transaction commit path (btrfs_write_and_wait_transaction) lets a failed metadata writeout leave dirty extent buffers uncleaned, forcing the filesystem read-only and triggering kernel warnings at unmount. The flaw affects Linux kernels prior to 6.18.33, 7.0.10, and 7.1 and is an availability/data-integrity issue on btrfs volumes, with no confidentiality impact despite an 'Information Disclosure' tag in the source data. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 6th percentile).
Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.
Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).
NULL pointer dereference in the Linux kernel IOMMU subsystem crashes affected systems during PCI device reset when a default domain allocation has previously failed. Local users with low-privilege access on Linux kernel versions in the 7.0 branch (prior to 7.0.10) and before 7.1 can trigger a kernel panic through the `pci_dev_reset_iommu_done()` function, resulting in a denial of service. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.15% (5th percentile) reflects the low real-world exploitation likelihood given the edge-case hardware precondition and local-only attack vector.
NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. No public exploit code exists and the EPSS score of 0.15% (5th percentile) confirms negligible real-world exploitation activity; vendor-supplied patches are available via upstream stable commits.
Nil pointer dereference in the Incus daemon (incusd) `CreateCustomVolumeFromBackup` function crashes the entire daemon process when a crafted backup tarball omits the `expires_at` field on any volume snapshot entry. Any authenticated user holding the `can_create_storage_volumes` entitlement on any project - below the admin tier - can trigger this with a single POST to the storage backup import endpoint, making it a persistent denial-of-service against all container, VM, and storage operations on the affected host or cluster member. A proof-of-concept exploit (479-byte tarball, confirmed against Incus 7.0.0) was bundled with the advisory; no public exploit identified at time of analysis beyond the reporter-supplied PoC. Fix is available in 7.1.0.
Nil-pointer dereference in Incus daemon (incusd) v7.0.0 allows any authenticated user holding the low-privilege `can_create_instances` permission to crash the entire incusd process with a single crafted HTTP request. The flaw resides in `createDependentVolumesFromBackup` (backend.go:9352-9412), where a prior partial fix (commit d768f81c) guarded only the outer loop variable but left three inner sub-fields - `disk.Volume`, `disk.Pool`, and `disk.VolumeSnapshots[i]` - unguarded against nil; an uploaded backup tarball with a null snapshot entry or omitted volume/pool block triggers a Go panic, taking down all container and VM operations on the host. No public exploit identified at time of analysis per CISA KEV, though a working 666-byte proof-of-concept tarball is publicly bundled with the report and was confirmed against the production 7.0.0 release.
Denial of service in Envoy proxy versions 1.37.0 through 1.37.4 and 1.38.x before 1.38.3 lets remote attackers crash the proxy by sending a request that omits the Host header when access logging is configured with the %REQUESTED_SERVER_NAME(X:Y)% operator using host-related options (e.g. HOST_FIRST, SNI_FIRST). The missing header triggers a null pointer dereference (CWE-476), taking down the data-plane proxy and any traffic flowing through it. No public exploit identified at time of analysis and the issue is not in CISA KEV.
The envoy.filters.http.grpc_stats HTTP filter in Envoy versions 1.26.0 through the pre-fix releases crashes with a null pointer dereference when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) is routed to a direct_response route, terminating the Envoy process entirely. The vendor description states a single unauthenticated HTTP request is sufficient to trigger the crash, giving any network-reachable attacker a trivial one-packet denial of service against affected deployments. No confirmed active exploitation (absent from CISA KEV) and no public exploit code has been identified at time of analysis, but the trivial trigger condition makes this high practical risk for any deployment with both preconditions present.
Null pointer dereference in Envoy's router filter crashes the entire proxy process, terminating all active connections, when body-less non-GET/HEAD requests (POST, PUT, DELETE, PATCH) encounter an upstream HTTP 303 response on a route configured with internal redirect policy. Affected versions span 1.18.0 through the fixes released in branches 1.35.13, 1.36.9, 1.37.5, and 1.38.3. An unauthenticated remote attacker who can influence upstream response codes or reach a vulnerable route configuration can cause complete denial of service; no public exploit identified at time of analysis and no CISA KEV listing.
Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. No public exploit or CISA KEV listing exists at time of analysis, but upstream fix commits are available from Canonical.
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate capture devices (firmware V1.12 and earlier) lets a remote, unauthenticated attacker crash the device by sending a single malformed HTTP request to its CGI interface. The flaw is a NULL pointer dereference in HTTP request-parsing logic shared across multiple CGI components, triggered when required request metadata is missing or malformed. No public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact - only availability.
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate cameras (firmware V1.12 and earlier) lets remote unauthenticated attackers crash the IEEE8021x_upload.cgi process by sending a malformed multipart upload request, triggering a NULL pointer dereference (CWE-476). The high availability impact (CVSS 7.5, A:H) means the device's 802.1x certificate-upload functionality - and potentially the management interface - becomes unavailable until the process or device restarts. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Denial-of-service in Schneider Electric PowerLogic P7 power metering devices allows remote, unauthenticated attackers to crash the device's HMI and configuration functionality by sending malformed requests to exposed network interfaces. The flaw stems from a NULL pointer dereference (CWE-476) that renders local management and configuration unavailable until recovery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 4.0 base score of 8.7 reflects a high availability impact with no confidentiality or integrity exposure.
Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.allocate` directly on a native-backed class inheriting from `Nokogiri::XML::Node` and then invokes methods on the resulting uninitialized object. Only CRuby is affected - JRuby is explicitly not vulnerable. No public exploit has been identified; the CVSS 4.0 base score of 1.7 with E:U accurately reflects that this defect requires a developer programming error rather than any crafted external input, placing it firmly in the low-priority category.
NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). No public exploit identified at time of analysis; EPSS is very low at 0.16% (6th percentile), and CISA KEV listing is absent.
Kernel panic (denial of service) in the Linux kernel ALSA PCM subsystem occurs when snd_pcm_drain() is called on linked (grouped) audio streams that are concurrently unlinked, corrupting wait queue lists and ultimately dereferencing a NULL function pointer. The flaw stems from init_waitqueue_entry/add_wait_queue not clearing list pointers combined with a conditional remove_wait_queue that is skipped after a concurrent UNLINK, leaving an orphaned wait entry that gets added to two queues at once. It is a local-privilege issue requiring access to ALSA PCM devices; no public exploit has been identified at time of analysis and the EPSS score is very low (0.18%).
NULL pointer dereference in the Linux kernel's Marvell EBU GPIO driver (gpio/mvebu) causes a kernel oops and system crash during suspend/resume operations on Marvell Armada ARM platforms. The flaw affects all stable kernel branches from 4.12 onward where mvebu_pwm_suspend() and mvebu_pwm_resume() are unconditionally invoked for every GPIO bank, including those where mvchip->mvpwm is NULL due to absent PWM hardware. A local authenticated user with sufficient privileges to trigger system suspend can crash the kernel with no recovery, resulting in full availability loss. No public exploit exists and EPSS is 0.18% (7th percentile), reflecting a niche hardware dependency that sharply limits real-world exposure.
NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. This flaw has existed since commit f350a0a87374418635689471606454abc7beaa3a (kernel 2.6.36), making it a long-standing latent bug. No public exploit identified at time of analysis; EPSS at 0.18% (7th percentile) signals negligible automated exploitation risk.
Null pointer dereference in the Linux kernel's IPv6 address configuration subsystem crashes the kernel when cleanup_prefix_route() receives the fib6_null_entry sentinel from addrconf_get_prefix_route() and attempts to access its NULL fib6_table pointer without validation. An authenticated local user holding CAP_NET_ADMIN can trigger this by sending a crafted IPv6 DELADDR netlink message, causing a general protection fault and system-wide denial of service. No public exploit or CISA KEV listing exists; EPSS is 0.17% (6th percentile), consistent with a privilege-gated local DoS affecting an extremely widely deployed target.
NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. The vulnerability is a local denial-of-service with no public exploit identified at time of analysis, and EPSS places exploitation probability at only 0.15%.
NULL pointer dereference in the Linux kernel bnxt_en Broadcom NetXtreme Ethernet driver crashes the kernel when PCIe error recovery fires against a closed NIC, causing a denial of service. Affected kernel versions span from 4.17 through multiple LTS and mainline branches up to 7.1-rc4, with patches released across all active stable series. No public exploit exists and EPSS sits at 0.17% (7th percentile), marking this as a reliability and stability concern rather than an actively targeted attack vector.
NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. Impact is a kernel panic (system-wide denial of service). No public exploit identified at time of analysis and EPSS is at the 7th percentile, but the attack surface is any unprivileged local process on an affected kernel version.
Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. CVSS 7.5 reflects availability-only impact (A:H); EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis.
Null pointer dereference in the Linux kernel's real-time mutex (rtmutex) subsystem allows a local low-privileged user to crash the kernel via FUTEX_CMP_REQUEUE_PI, causing a denial of service. Affected stable branches span Linux 6.1 through 7.1-rc5; vendor patches are available via kernel.org stable commits. No public exploit has been identified and EPSS is 0.17% (7th percentile), indicating negligible observed exploitation activity.
NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. No public exploit exists and EPSS is 0.17% (6th percentile), consistent with a hardware-timing race condition requiring specific Qualcomm DSP hardware rather than generic remote exploitation.
NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. No active exploitation is confirmed (absent from CISA KEV), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability; the primary risk is an accidental reliability failure on embedded systems running these legacy SoCs.
NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. No public exploit has been identified and the EPSS score of 0.17% (6th percentile) confirms low observed exploitation probability, though the trigger path is mechanically simple for any user with /dev/kfd access.
NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. No public exploit or CISA KEV listing exists; EPSS is 0.18% (7th percentile), consistent with a localized, hardware-dependent DoS.
NULL pointer dereference in GPAC MP4Box's filter pipeline traversal function crashes the application when processing a specially crafted media file. Affected versions prior to 26.02.0 fail to validate the `pidi->pid` pointer before dereferencing it inside `gf_filter_in_parent_chain` (filter_pid.c:2176), enabling a local attacker to cause a Denial of Service by supplying a malicious input file. No public exploit identification as KEV, but a publicly available proof-of-concept exists on GitHub; EPSS of 0.17% (6th percentile) reflects low observed exploitation probability consistent with the local-only, user-interaction-required attack vector.
Null pointer dereference in the Linux kernel's BPF sockmap subsystem allows a local low-privileged user to crash the system via a race condition between AF_UNIX socket connection and sockmap proto update. The flaw exists because unix_stream_connect() sets sk_state to TCP_ESTABLISHED before assigning the peer pointer, creating a window where unix_stream_bpf_update_proto() dereferences unix_peer(sk) while it is still NULL. No public exploit exists and EPSS sits at the 8th percentile; this is not in CISA KEV, and the narrow race window constrains practical exploitation.
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL. Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.
Error pointer dereference in the Linux kernel USB Type-C TI Power Delivery (tipd) driver allows a local low-privileged user to crash the kernel (denial of service) on systems with TI CD321x or TPS6598x USB Type-C controller hardware. The flaw in `cd321x_update_work()` at `drivers/usb/typec/tipd/core.c:827` logs a warning when `typec_register_partner()` fails but omits an early return, causing a subsequent unconditional dereference of the error pointer via `typec_partner_set_identity()`. No public exploit code has been identified at time of analysis, EPSS probability is 0.17% (6th percentile), and the vulnerability is not listed in CISA KEV.
In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic [1] [2]. When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed. This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference. Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6. Reproducer: ip -6 nexthop add id 1 blackhole ip nexthop add id 100 group 1 ip nexthop replace id 1 blackhole ip -6 route add 2001:db8::/64 nhid 100 ping -6 2001:db8::1 [1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0 [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.
Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and it is not in CISA KEV; the fix has been merged across multiple stable trees.
NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.
Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.
Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.
Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.
Denial of service in the Matter SDK (connectedhomeip) before 1.4.0 lets a remote unauthenticated attacker crash a smart-home device by sending a crafted read request. The flaw lives in the ReadRevisionAttribute function, which is reused across multiple clusters (Channel, Account Login, TargetNavigator), so any device exposing those clusters is affected. No public exploit identified at time of analysis, and the issue is availability-only (no code execution or data exposure).
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Local privilege escalation in the Microsoft Windows Kernel lets an authenticated attacker gain elevated (SYSTEM-level) privileges by triggering a NULL pointer dereference (CWE-476) in kernel-mode code. The flaw affects a broad range of client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Reported by Microsoft with a patch available; no public exploit identified at time of analysis.
Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network.
Local privilege escalation in Windows Image Acquisition (WIA) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a NULL pointer dereference can be leveraged by an already-authenticated local user to elevate privileges. Microsoft rates it 7.8 (High) with full confidentiality, integrity, and availability impact despite the flaw class typically causing denial of service. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Null pointer dereference in Windows Active Directory Domain Services (AD DS) enables a low-privileged authenticated attacker to crash the service remotely, causing denial of service across the affected domain. The flaw spans a wide range of Windows client and server releases, from Windows 10 version 1607 through Windows 11 version 26H1 and Windows Server 2012 through 2025. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the network-accessible attack surface and low privilege requirement lower the bar for abuse in environments with broad domain user access.
NULL pointer dereference in Zephyr RTOS's syscall verifier allows an unprivileged user-mode thread to crash the kernel across the userspace security boundary. The z_vrfy_k_thread_name_copy() verification handler in kernel/thread.c incorrectly guards against the caller-supplied thread pointer being NULL rather than the ko pointer returned by k_object_find(), so any non-NULL but unregistered address bypasses the check and triggers a supervisor-mode NULL dereference that halts or reboots the system. Affecting Zephyr v2.0.0 through v4.4.0 when built with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled, no public exploit code and no CISA KEV listing have been identified at time of analysis, but the one-syscall reproducibility makes this straightforward to trigger in qualifying builds.
Null pointer dereference in open62541's client library (versions up to 1.5.5) allows a remote OPC UA server to crash a connecting client by returning a malformed Server_NamespaceArray during session establishment, causing denial of service. The flaw is client-side only - server deployments are unaffected - and exploitation requires the attacker to control or impersonate a server the vulnerable client connects to, making practical exploitation high-complexity. A proof-of-concept exists as a GitHub issue report; no public exploit is confirmed as weaponized and the vulnerability is not listed in CISA KEV.
Denial of service in the Crypt::OpenSSL::X509 Perl module before 2.1.3 lets a malformed X.509 certificate crash any Perl process that parses it. Four helper functions (basicC, ia5string, auth_att, keyid_data) dereference NULL pointers returned by OpenSSL's X509V3_EXT_d2i() on unparseable extensions - and keyid_data/auth_att additionally deref an akid->keyid field that is legitimately NULL for an empty Authority Key Identifier (DER 30 00). There is no public exploit identified at time of analysis, but the fix commit and a clear crash mechanism are published; CVSS is 7.5 (availability-only).
NULL pointer dereference in NanaZip's custom archive handlers crashes the application when a user tests or extracts archives of seven specific formats. All NanaZip versions prior to 6.5.1749.0 are affected; the seven vulnerable handlers cover WebAssembly, ElectronAsar, Zealfs, Romfs, Ufs, Littlefs, and DotNetSingleFile archive types. Impact is limited to a process crash (denial of service) with no confidentiality or integrity consequence; no public exploit or active exploitation has been identified at time of analysis.
NULL pointer dereference in the Juniper Networks Junos OS and Junos OS Evolved management daemon (mgd) allows a local, high-privileged attacker to crash the mgd process by manipulating a specific 'system services ssh' configuration parameter. Repeated execution of the offending configuration commands sustains the Denial of Service condition until the action ceases, as mgd will restart but crash again upon re-triggering. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; the attack barrier is high, requiring both local access and administrative-level credentials.
Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial single-packet trigger and passive-monitoring exposure make it operationally significant for security teams running Zeek inline or on tapped traffic.
Null pointer dereference in GNU LibreDWG up to 0.13.4 allows a local low-privileged attacker to crash any application that processes a maliciously crafted DWG file via the `dwg_next_entity` function in `src/dwg.c`, resulting in denial of service. A proof-of-concept exploit file is publicly available (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV. The issue is fully resolved by upgrading to version 0.14, which includes a committed upstream patch.
GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting in denial of service. Improper handling of consecutive end-of-file newline markers corrupts internal hunk data structures, causing a NULL pointer to be passed to fwrite() during processing. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is constrained by the requirement for user interaction with a malicious file.
Wireshark's SSH protocol dissector crashes via a null pointer dereference (CWE-476) in versions 4.4.0-4.4.16 and 4.6.0-4.6.6, enabling denial of service against any analyst or engineer running an affected build. The flaw is triggered locally when Wireshark processes malformed SSH protocol data, whether from a live capture or a crafted packet capture file, causing the application to crash and disrupting network analysis workflows. No active exploitation has been confirmed in CISA KEV, and no public exploit code is known at time of analysis.
Denial of service in Wazuh wazuh-modulesd (all releases before 5.0.0-beta3) lets an enrolled agent crash the manager's inventory synchronization module by sending a verifier-valid FlatBuffer DataValue message that omits the optional id field, triggering a null pointer dereference (CWE-476). Exploitation requires only a valid enrolled agent (PR:L) over the network with no user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is availability-only - no data confidentiality or integrity loss - but it can repeatedly take down central inventory sync, blinding a security monitoring deployment.
NULL pointer dereference in SQLite's Session Extension crashes any application that passes attacker-controlled changeset blobs to sqlite3changeset_apply_v3(). Affected releases include SQLite 3.53.1 and all trunk builds prior to check-in e807d4e3798efd53. Impact is limited to availability - the process crashes - but because SQLite is embedded ubiquitously, the blast radius depends entirely on how widely consuming applications expose this code path to untrusted input. A public proof-of-concept gist is referenced in the CVE record; no public exploit identified at time of analysis beyond that demonstrator, and the vulnerability is not listed in CISA KEV.
Null pointer dereference in the ONNX Python library's version converter crashes any application that calls `onnx.version_converter.convert_version()` on a crafted model containing an Upsample node with zero inputs, producing an unrecoverable SIGSEGV. Affected versions include at minimum onnx 1.21.0 and 1.22.0, confirmed by a 107-byte public proof-of-concept; the vulnerability is part of a systemic pattern spanning eight adapters. No public active exploitation is confirmed in CISA KEV, but the trivially small PoC eliminates any meaningful exploitation barrier for threat actors targeting ML model conversion pipelines.
Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. No public exploit code has been identified and this CVE is absent from the CISA KEV catalog; exploitation is gated on specific flash media conditions (uncorrectable ECC, bad block, or induced fault) occurring on a checkpoint page at mount time, constraining real-world risk to physical or supply-chain threat models.
NULL pointer dereference in GPAC's smooth_parse_stream_index() function crashes the application when processing a maliciously crafted MPEG-DASH or Smooth Streaming media file, resulting in denial of service. Affected versions are all GPAC master HEAD builds prior to commit b35c61f104b85fbb16520ac2838d5d2ef70845b5. Exploitation requires local access and user interaction to open a crafted file; a proof-of-concept is publicly available via GitHub Gist, though EPSS sits at 0.17% (7th percentile) and no active exploitation has been confirmed by CISA KEV.
Null Pointer Dereference in Adobe DNG SDK versions 1.7.1 build 2536 and earlier allows an attacker to crash any application embedding the SDK by supplying a specially crafted DNG file. The flaw is strictly a denial-of-service with no confidentiality or integrity impact, and requires a victim to open the malicious file, constraining realistic exposure to imaging pipelines or end-user applications that ingest untrusted DNG content. No public exploit code and no active exploitation have been identified at time of analysis.
Null pointer dereference in GPAC 26.02.0's nhmldump_send_frame function (src/filters/write_nhml.c) allows a local, low-privileged attacker to crash the application by supplying crafted media input to the NHML write filter. Impact is strictly limited to availability - a process-level denial of service with no confidentiality or integrity implications. A publicly available proof-of-concept exploit exists (GitHub issue #3596), though the vendor itself characterizes this class of issue as 'more bugs than vulns,' contextualizing it as a robustness fix rather than an urgent security incident.
Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to crash the entire server by sending a second INFO protocol message before CONNECT on the leafnode port, triggering a nil-pointer dereference (c.acc == nil) that panics the process. All server instances exposing a leafnode listener prior to v2.11.17 (2.11.x) and v2.12.8 (2.12.x) are affected. No public exploit has been identified, but the vendor's own regression test (TestLeafNodeSecondInfoBeforeConnectDoesNotPanic) demonstrates the exact crash payload, and the CVSS availability-only vector (7.5) reflects a single-packet, no-auth crash.
Denial of service in the mruby/c lightweight Ruby VM (all releases through 3.4.1) arises from a NULL pointer dereference in op_super()/OP_SUPER within src/vm.c, where a runtime guard for a top-level 'super' call is missing. When the interpreter executes a script that invokes 'super' outside of any method context, the VM dereferences a NULL pointer and crashes. There is no public exploit identified at time of analysis, and the low EPSS score (0.15%, 5th percentile) reflects limited exploitation interest; impact is confined to availability (CWE-476).
NULL pointer dereference in the Zephyr RTOS MAX32xxx USB device controller driver (udc_max32.c) crashes devices running Zephyr v4.4.0 when a physically connected USB host aborts an in-flight EP0 control transfer by sending a new SETUP packet - a completely legal USB protocol action. The race condition between interrupt-queued transfer-completion events and asynchronous FIFO draining by the driver thread causes net_buf_add(NULL, ...) when udc_buf_get() returns NULL on an empty FIFO, producing a near-NULL pointer dereference and device fault. No active exploitation has been confirmed (not in CISA KEV), and no public proof-of-concept code has been identified at time of analysis; real-world risk is constrained by the physical access prerequisite and the specific MAX32xxx hardware dependency.
Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.
Denial-of-service via NULL pointer dereference in PipeWire's RAOP (Remote Audio Output Protocol) module affects Red Hat Enterprise Linux 8, 9, and 10. The RAOP module fails to enforce an upper bound on Content-Length values in incoming requests and does not validate the return value of pw_array_add(); when a sufficiently large Content-Length triggers an allocation failure, the unchecked NULL return causes a crash of the PipeWire daemon, resulting in complete loss of audio services. No special authentication is required from the adjacent network, and no public exploit or CISA KEV listing has been identified at time of analysis.
Remote denial of service in the MediaTek Modem firmware component affects approximately 60 chipset models via a null pointer dereference triggered when a target device connects to a rogue cellular base station. An attacker controlling a fake eNodeB or gNodeB can transmit crafted modem protocol messages that cause improper input validation to fail, crashing the modem and stripping affected devices of cellular connectivity. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation status as none, indicating this remains a theoretical but technically feasible threat for well-resourced actors.
Denial of service in Aleksoid1978 MPC-BE (Media Player Classic - Black Edition) prior to commit 4341cb3 lets an attacker crash the player by supplying a crafted MP4 file that triggers a NULL pointer dereference in the bundled Bento4 AP4_AtomSampleTable::GetSample() routine. A proof-of-concept is referenced (SSVC exploitation: poc), but there is no public exploit identified as weaponized and it is not in CISA KEV; impact is limited to availability with no code execution, data disclosure, or integrity loss. EPSS is low at 0.15% (5th percentile), consistent with a crash-only bug that requires a victim to open a malicious file.
A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs by repeatedly probing the unprotected /api/orgs/lookup/ endpoint. The LookupOrg handler unconditionally dereferences the session user object, which is nil for unauthenticated callers, triggering a Go panic on every such request; gin's recovery middleware catches each panic and returns HTTP 500, keeping the server alive but writing approximately 37 lines of stack trace per request to the error log. No active exploitation is confirmed in CISA KEV, but the zero-prerequisite attack surface - no credentials, no special configuration, no user interaction - makes low-bandwidth log-flooding trivially achievable by any unauthenticated network attacker.
Denial of service in Zephyr RTOS v4.4.0 allows an attacker with access to a serial, UART, or shell-console interface to crash an affected embedded device by exhausting the MCUmgr shared buffer pool and triggering a NULL pointer dereference. The defect in mcumgr_serial_process_frag() (CWE-476) was introduced during the MCUmgr rework and manifests in default builds where assertion checks are compiled out, making the write-through-NULL a hard fault rather than a caught assertion. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but exploitation is straightforward for any attacker with interface access.
JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.
NULL pointer dereference in the Linux kernel's AMD64 AGP driver crashes systems running in virtualized environments without physical AMD northbridge hardware. Broken error propagation in `agp_amd64_probe()` - comparing `cache_nbs()` return value against exactly `-1` rather than `< 0` - masks the `-ENODEV` error code, allowing the driver to proceed with initialization, ultimately causing a General Protection Fault in `amd64_fetch_size()` when `node_to_amd_nb(0)` returns NULL. No public exploit has been identified at time of analysis, EPSS is 0.18% (7th percentile), and impact is confined to local denial of service via kernel crash; patches are confirmed available across multiple stable branches.
NULL pointer dereference in the Zephyr Bluetooth LE Audio Basic Audio Profile unicast client crashes devices running Zephyr v4.3.0 and v4.4.0 (and earlier) when connected to a malicious or buggy remote ASCS server. The handler unicast_client_ep_qos_state() writes attacker-controlled QoS fields through stream->qos without verifying the pointer is non-NULL - a condition that legitimately exists during the window between bt_bap_stream_config() and unicast_group_add_stream(). No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but CVSS adjacency (AV:A) and no-auth (PR:N) make it exploitable by any device within Bluetooth LE radio range acting as a rogue ASCS server.
NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver crashes the host kernel when initializing Virtual Function (VF) devices in VFIO passthrough or nested KVM environments where `pdev->slot` is unpopulated. Systems running affected kernel versions in Azure-style or nested virtualization deployments face deterministic kernel panics and total availability loss on the host. No public exploit code has been identified, and EPSS probability is 0.16% (5th percentile), indicating low opportunistic exploitation risk - though in targeted Azure or nested KVM environments, the crash is straightforwardly reproducible.
NULL pointer dereference in the Linux kernel's mt76/mt7925 WiFi driver crashes the kernel when the 'sta' pointer is dereferenced before a NULL check in mt7925_tx_check_aggr(). Systems with MediaTek mt7925 WiFi hardware running affected kernel versions are exposed to a local denial-of-service via kernel panic. No public exploit exists and EPSS is at the 5th percentile (0.16%), indicating no observed widespread exploitation; patches have been applied across multiple stable kernel branches.
NULL pointer dereference in the Linux kernel's AMD RAS subsystem crashes systems with AMD GPU hardware. The function `ras_core_ras_interrupt_detected()` in `drm/amd/ras` fails to validate the `ras_core` pointer before dereferencing `ras_core->dev` in an error path, enabling a local low-privilege user to trigger a kernel panic and denial of service. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS at 0.14% (4th percentile) confirms negligible current exploitation probability. Upstream fix commits are available in stable kernel trees.
NULL pointer dereference in the Linux kernel's drm/amd/ras subsystem allows a local low-privileged user to crash the kernel on systems with AMD GPUs. The flaw in ras_core_get_utc_second_timestamp() occurs when a NULL ras_core pointer passes a conditional check but is then dereferenced in the subsequent error-printing path, producing a kernel panic. No public exploit exists and EPSS sits at 0.15% (4th percentile), placing this firmly as a low-urgency local denial-of-service hardening issue despite the Availability:High CVSS rating.
NULL pointer dereference in the Linux kernel AMD display driver (drm/amd/display) can cause a kernel panic on systems running AMD GPUs, resulting in a complete denial of service. The flaw resides in dc_dmub_srv_log_diagnostic_data() and dc_dmub_srv_enable_dpia_trace() in dc_dmub_srv.c, where a combined NULL guard incorrectly permits DC_LOG_ERROR() - which internally dereferences dc_dmub_srv->ctx - to execute when dc_dmub_srv itself is NULL. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating very low exploitation probability in the wild.
Null pointer dereference in the Linux kernel's pinctrl subsystem allows a local low-privileged attacker to crash the kernel, causing a denial of service. The flaw exists in pinconf_generic_parse_dt_pinmux(), which fails to validate that a 'pinmux' Device Tree property is non-empty before use - an empty property causes the allocator to return an invalid non-NULL pointer, and subsequent memory access triggers a kernel panic. No public exploit code exists and EPSS is 0.15% (5th percentile), reflecting low real-world exploitation probability; exploitation is further constrained to systems with specific pinctrl hardware and Device Tree configurations.
NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. Systems with ps883x retimer hardware running affected kernel versions are vulnerable when a privileged local user unbinds the driver via sysfs. No active exploitation is confirmed (no CISA KEV listing), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's EIP93 hardware crypto driver triggers a kernel panic during AEAD crypto operations on affected embedded systems. The root cause is a self-contradictory algorithm lookup mask in eip93_hmac_setkey() - CRYPTO_ALG_ASYNC is passed as an exclusion mask, yet EIP93 algorithms are inherently async, so the lookup always returns -ENOENT. This leaves the AEAD security association record with zeroed digest fields; any subsequent crypto operation then dereferences a NULL context pointer, crashing the kernel. No public exploit is identified at time of analysis, and EPSS is very low (0.17%, 6th percentile), reflecting the narrow hardware-specific attack surface.
Null pointer dereference in the Amlogic T7 SoC reset driver crashes the Linux kernel when uninitialized reset operation callbacks are invoked, causing a full system denial of service. Local low-privilege users on systems physically equipped with an Amlogic T7 SoC are affected across kernel versions from the introduction commit through the patched releases 6.18.33, 7.0.10, and 7.1. No public exploit has been identified and EPSS of 0.17% (6th percentile) reflects negligible real-world exploitation interest; this is a hardware-specific stability fix rather than an actively exploited security threat.
NULL pointer dereference in the Linux kernel's Airoha QDMA network driver causes a kernel panic (denial of service) when queue entry list allocation fails during TX queue initialization. Systems running Airoha-based network hardware on affected kernel versions - including Linux 6.19 - are vulnerable when the driver's cleanup path dereferences an uninitialized descriptor array pointer. No public exploit exists and EPSS sits at 0.17% (6th percentile), indicating minimal real-world exploitation activity; no CISA KEV listing.
NULL pointer dereference in the Linux kernel's airoha QDMA network driver crashes the kernel when RX queue initialization fails mid-way through allocation. The flaw exists in airoha_qdma_init_rx_queue() where early ndesc initialization causes the cleanup routine to call netif_napi_del() on NAPI structures never registered via netif_napi_add(), dereferencing a null pointer and causing a local denial of service. No public exploit identified and EPSS at 0.17% (6th percentile) reflects minimal real-world exploitation probability; impact is constrained to systems running Airoha QDMA-based network hardware.
Kernel panic via NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver allows a local low-privileged user to crash the host when a power management resume failure leaves the driver in a torn-down state. The mana_remove() function is invoked twice - first during a failed mana_probe() recovery path that nullifies gdma_context and driver_data, and again when the driver is subsequently unbound - dereferencing a NULL gc pointer. No public exploit exists and EPSS is 0.17% (6th percentile), indicating minimal real-world exploitation activity; however, the impact on Azure Linux VM availability is complete (kernel panic).
Kernel crash via NULL pointer dereference in the ALSA HDA Conexant audio driver affects Linux kernel stable branches from 5.15 through 7.0, exploitable by a local low-privileged user on systems with Conexant HDA audio hardware. The cx_probe() function ignores the error pointer returned by snd_hda_jack_detect_enable_callback() on memory allocation failure, leaving the jack detection callback unregistered and an internal structure uninitialized; a subsequent audio jack event then triggers a kernel panic. No public exploit exists and no CISA KEV listing is present; EPSS is 0.17% (7th percentile), confirming very low real-world exploitation probability.
NULL pointer dereference in the Linux kernel ice driver's ice_reset_all_vfs() function crashes the host kernel when a Virtual Function VSI rebuild fails during concurrent NVM firmware updates on Intel E800-series NICs. Systems with SR-IOV enabled on Intel E800-series adapters running kernel versions from 5.8 through the patched stable releases are affected. An attacker or privileged local process can trigger a kernel panic by initiating a VF reset while nvmupdate64e has placed Admin Queue commands in a transitional failure state, resulting in complete host denial of service. No public exploit exists and EPSS is negligible at 0.17% (7th percentile); CISA KEV listing is absent.
Improper error handling in the btrfs filesystem's transaction commit path (btrfs_write_and_wait_transaction) lets a failed metadata writeout leave dirty extent buffers uncleaned, forcing the filesystem read-only and triggering kernel warnings at unmount. The flaw affects Linux kernels prior to 6.18.33, 7.0.10, and 7.1 and is an availability/data-integrity issue on btrfs volumes, with no confidentiality impact despite an 'Information Disclosure' tag in the source data. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 6th percentile).
Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.
Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).
NULL pointer dereference in the Linux kernel IOMMU subsystem crashes affected systems during PCI device reset when a default domain allocation has previously failed. Local users with low-privilege access on Linux kernel versions in the 7.0 branch (prior to 7.0.10) and before 7.1 can trigger a kernel panic through the `pci_dev_reset_iommu_done()` function, resulting in a denial of service. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.15% (5th percentile) reflects the low real-world exploitation likelihood given the edge-case hardware precondition and local-only attack vector.
NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. No public exploit code exists and the EPSS score of 0.15% (5th percentile) confirms negligible real-world exploitation activity; vendor-supplied patches are available via upstream stable commits.
Nil pointer dereference in the Incus daemon (incusd) `CreateCustomVolumeFromBackup` function crashes the entire daemon process when a crafted backup tarball omits the `expires_at` field on any volume snapshot entry. Any authenticated user holding the `can_create_storage_volumes` entitlement on any project - below the admin tier - can trigger this with a single POST to the storage backup import endpoint, making it a persistent denial-of-service against all container, VM, and storage operations on the affected host or cluster member. A proof-of-concept exploit (479-byte tarball, confirmed against Incus 7.0.0) was bundled with the advisory; no public exploit identified at time of analysis beyond the reporter-supplied PoC. Fix is available in 7.1.0.
Nil-pointer dereference in Incus daemon (incusd) v7.0.0 allows any authenticated user holding the low-privilege `can_create_instances` permission to crash the entire incusd process with a single crafted HTTP request. The flaw resides in `createDependentVolumesFromBackup` (backend.go:9352-9412), where a prior partial fix (commit d768f81c) guarded only the outer loop variable but left three inner sub-fields - `disk.Volume`, `disk.Pool`, and `disk.VolumeSnapshots[i]` - unguarded against nil; an uploaded backup tarball with a null snapshot entry or omitted volume/pool block triggers a Go panic, taking down all container and VM operations on the host. No public exploit identified at time of analysis per CISA KEV, though a working 666-byte proof-of-concept tarball is publicly bundled with the report and was confirmed against the production 7.0.0 release.
Denial of service in Envoy proxy versions 1.37.0 through 1.37.4 and 1.38.x before 1.38.3 lets remote attackers crash the proxy by sending a request that omits the Host header when access logging is configured with the %REQUESTED_SERVER_NAME(X:Y)% operator using host-related options (e.g. HOST_FIRST, SNI_FIRST). The missing header triggers a null pointer dereference (CWE-476), taking down the data-plane proxy and any traffic flowing through it. No public exploit identified at time of analysis and the issue is not in CISA KEV.
The envoy.filters.http.grpc_stats HTTP filter in Envoy versions 1.26.0 through the pre-fix releases crashes with a null pointer dereference when a Connect protocol request (Content-Type: application/connect+proto or application/connect+json) is routed to a direct_response route, terminating the Envoy process entirely. The vendor description states a single unauthenticated HTTP request is sufficient to trigger the crash, giving any network-reachable attacker a trivial one-packet denial of service against affected deployments. No confirmed active exploitation (absent from CISA KEV) and no public exploit code has been identified at time of analysis, but the trivial trigger condition makes this high practical risk for any deployment with both preconditions present.
Null pointer dereference in Envoy's router filter crashes the entire proxy process, terminating all active connections, when body-less non-GET/HEAD requests (POST, PUT, DELETE, PATCH) encounter an upstream HTTP 303 response on a route configured with internal redirect policy. Affected versions span 1.18.0 through the fixes released in branches 1.35.13, 1.36.9, 1.37.5, and 1.38.3. An unauthenticated remote attacker who can influence upstream response codes or reach a vulnerable route configuration can cause complete denial of service; no public exploit identified at time of analysis and no CISA KEV listing.
Nil-pointer dereference in LXD's CreateCustomVolumeFromBackup function allows an authenticated user with can_create_storage_volumes permissions to crash the LXD daemon via a crafted backup tarball, affecting all containers running on the host. Versions up to 6.8 (current branch) and 5.21 (LTS branch) on Linux are vulnerable. No public exploit or CISA KEV listing exists at time of analysis, but upstream fix commits are available from Canonical.
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate capture devices (firmware V1.12 and earlier) lets a remote, unauthenticated attacker crash the device by sending a single malformed HTTP request to its CGI interface. The flaw is a NULL pointer dereference in HTTP request-parsing logic shared across multiple CGI components, triggered when required request metadata is missing or malformed. No public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact - only availability.
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate cameras (firmware V1.12 and earlier) lets remote unauthenticated attackers crash the IEEE8021x_upload.cgi process by sending a malformed multipart upload request, triggering a NULL pointer dereference (CWE-476). The high availability impact (CVSS 7.5, A:H) means the device's 802.1x certificate-upload functionality - and potentially the management interface - becomes unavailable until the process or device restarts. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Denial-of-service in Schneider Electric PowerLogic P7 power metering devices allows remote, unauthenticated attackers to crash the device's HMI and configuration functionality by sending malformed requests to exposed network interfaces. The flaw stems from a NULL pointer dereference (CWE-476) that renders local management and configuration unavailable until recovery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 4.0 base score of 8.7 reflects a high availability impact with no confidentiality or integrity exposure.
Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.allocate` directly on a native-backed class inheriting from `Nokogiri::XML::Node` and then invokes methods on the resulting uninitialized object. Only CRuby is affected - JRuby is explicitly not vulnerable. No public exploit has been identified; the CVSS 4.0 base score of 1.7 with E:U accurately reflects that this defect requires a developer programming error rather than any crafted external input, placing it firmly in the low-priority category.
NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). No public exploit identified at time of analysis; EPSS is very low at 0.16% (6th percentile), and CISA KEV listing is absent.
Kernel panic (denial of service) in the Linux kernel ALSA PCM subsystem occurs when snd_pcm_drain() is called on linked (grouped) audio streams that are concurrently unlinked, corrupting wait queue lists and ultimately dereferencing a NULL function pointer. The flaw stems from init_waitqueue_entry/add_wait_queue not clearing list pointers combined with a conditional remove_wait_queue that is skipped after a concurrent UNLINK, leaving an orphaned wait entry that gets added to two queues at once. It is a local-privilege issue requiring access to ALSA PCM devices; no public exploit has been identified at time of analysis and the EPSS score is very low (0.18%).
NULL pointer dereference in the Linux kernel's Marvell EBU GPIO driver (gpio/mvebu) causes a kernel oops and system crash during suspend/resume operations on Marvell Armada ARM platforms. The flaw affects all stable kernel branches from 4.12 onward where mvebu_pwm_suspend() and mvebu_pwm_resume() are unconditionally invoked for every GPIO bank, including those where mvchip->mvpwm is NULL due to absent PWM hardware. A local authenticated user with sufficient privileges to trigger system suspend can crash the kernel with no recovery, resulting in full availability loss. No public exploit exists and EPSS is 0.18% (7th percentile), reflecting a niche hardware dependency that sharply limits real-world exposure.
NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. This flaw has existed since commit f350a0a87374418635689471606454abc7beaa3a (kernel 2.6.36), making it a long-standing latent bug. No public exploit identified at time of analysis; EPSS at 0.18% (7th percentile) signals negligible automated exploitation risk.
Null pointer dereference in the Linux kernel's IPv6 address configuration subsystem crashes the kernel when cleanup_prefix_route() receives the fib6_null_entry sentinel from addrconf_get_prefix_route() and attempts to access its NULL fib6_table pointer without validation. An authenticated local user holding CAP_NET_ADMIN can trigger this by sending a crafted IPv6 DELADDR netlink message, causing a general protection fault and system-wide denial of service. No public exploit or CISA KEV listing exists; EPSS is 0.17% (6th percentile), consistent with a privilege-gated local DoS affecting an extremely widely deployed target.
NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. The vulnerability is a local denial-of-service with no public exploit identified at time of analysis, and EPSS places exploitation probability at only 0.15%.
NULL pointer dereference in the Linux kernel bnxt_en Broadcom NetXtreme Ethernet driver crashes the kernel when PCIe error recovery fires against a closed NIC, causing a denial of service. Affected kernel versions span from 4.17 through multiple LTS and mainline branches up to 7.1-rc4, with patches released across all active stable series. No public exploit exists and EPSS sits at 0.17% (7th percentile), marking this as a reliability and stability concern rather than an actively targeted attack vector.
NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. Impact is a kernel panic (system-wide denial of service). No public exploit identified at time of analysis and EPSS is at the 7th percentile, but the attack surface is any unprivileged local process on an affected kernel version.
Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. CVSS 7.5 reflects availability-only impact (A:H); EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis.
Null pointer dereference in the Linux kernel's real-time mutex (rtmutex) subsystem allows a local low-privileged user to crash the kernel via FUTEX_CMP_REQUEUE_PI, causing a denial of service. Affected stable branches span Linux 6.1 through 7.1-rc5; vendor patches are available via kernel.org stable commits. No public exploit has been identified and EPSS is 0.17% (7th percentile), indicating negligible observed exploitation activity.
NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. No public exploit exists and EPSS is 0.17% (6th percentile), consistent with a hardware-timing race condition requiring specific Qualcomm DSP hardware rather than generic remote exploitation.
NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. No active exploitation is confirmed (absent from CISA KEV), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability; the primary risk is an accidental reliability failure on embedded systems running these legacy SoCs.
NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. No public exploit has been identified and the EPSS score of 0.17% (6th percentile) confirms low observed exploitation probability, though the trigger path is mechanically simple for any user with /dev/kfd access.
NULL pointer dereference and buffer over-read in the Linux kernel's AMD display driver (drm/amd/display) can be triggered by a local user writing to the sdp_message debugfs node, causing a kernel panic and denial of service. The dp_sdp_message_debugfs_write() function fails to check whether connector->base.state->crtc is NULL - a valid transient state after GPU hotplug before an atomic commit - and unconditionally passes 36 bytes to copy_from_user() regardless of the caller-provided size, enabling a second over-read path. No public exploit or CISA KEV listing exists; EPSS is 0.18% (7th percentile), consistent with a localized, hardware-dependent DoS.
NULL pointer dereference in GPAC MP4Box's filter pipeline traversal function crashes the application when processing a specially crafted media file. Affected versions prior to 26.02.0 fail to validate the `pidi->pid` pointer before dereferencing it inside `gf_filter_in_parent_chain` (filter_pid.c:2176), enabling a local attacker to cause a Denial of Service by supplying a malicious input file. No public exploit identification as KEV, but a publicly available proof-of-concept exists on GitHub; EPSS of 0.17% (6th percentile) reflects low observed exploitation probability consistent with the local-only, user-interaction-required attack vector.
Null pointer dereference in the Linux kernel's BPF sockmap subsystem allows a local low-privileged user to crash the system via a race condition between AF_UNIX socket connection and sockmap proto update. The flaw exists because unix_stream_connect() sets sk_state to TCP_ESTABLISHED before assigning the peer pointer, creating a window where unix_stream_bpf_update_proto() dereferences unix_peer(sk) while it is still NULL. No public exploit exists and EPSS sits at the 8th percentile; this is not in CISA KEV, and the narrow race window constrains practical exploitation.
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to branch on btf_is_kernel() before checking base_type(). A scalar register stored into a kptr slot has no btf, so the btf_is_kernel(reg->btf) call dereferences NULL. Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf access.
Error pointer dereference in the Linux kernel USB Type-C TI Power Delivery (tipd) driver allows a local low-privileged user to crash the kernel (denial of service) on systems with TI CD321x or TPS6598x USB Type-C controller hardware. The flaw in `cd321x_update_work()` at `drivers/usb/typec/tipd/core.c:827` logs a warning when `typec_register_partner()` fails but omits an early return, causing a subsequent unconditional dereference of the error pointer via `typec_partner_set_identity()`. No public exploit code has been identified at time of analysis, EPSS probability is 0.17% (6th percentile), and the vulnerability is not listed in CISA KEV.
In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic [1] [2]. When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups containing this nexthop is not updated. This is because nh_group_v4_update is only called when replacing AF_INET to AF_INET6, but the reverse direction (AF_INET6 to AF_INET) is missed. This allows a stale has_v4=false to bypass fib6_check_nexthop, causing IPv6 routes to be attached to groups that effectively contain only AF_INET members. Subsequent route lookups then call nexthop_fib6_nh() which returns NULL for the AF_INET member, leading to a NULL pointer dereference. Fix by calling nh_group_v4_update whenever the family changes, not just AF_INET to AF_INET6. Reproducer: ip -6 nexthop add id 1 blackhole ip nexthop add id 100 group 1 ip nexthop replace id 1 blackhole ip -6 route add 2001:db8::/64 nhid 100 ping -6 2001:db8::1 [1] https://syzkaller.appspot.com/bug?id=e17283eb2f8dcf3dd9b47fe6f67a95f71faadad0 [2] https://syzkaller.appspot.com/bug?id=8699b6ae54c9f35837d925686208402949e12ef3
In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FLAGS_TXTIME bit. When ICE_TX_RING_FLAGS_TXTIME is set and the subsequent ice_setup_tx_ring() call fails, a NULL pointer dereference could happen in the unwinding sequence: ice_clean_tx_ring() -> ice_is_txtime_cfg() == true (ICE_TX_RING_FLAGS_TXTIME is set) -> ice_free_tx_tstamp_ring() -> ice_free_tstamp_ring() -> tstamp_ring->desc (NULL deref) Clear ICE_TX_RING_FLAGS_TXTIME bit to avoid the potential issue. Note that this potential issue is found by manual code review. Compile test only since unfortunately I don't have E830 devices.
Kernel panic (denial of service) in the Linux kernel netfilter nfnetlink_osf module occurs because nf_osf_ttl() dereferences skb->dev during its TTL check without validating the device pointer, allowing a crafted packet to trigger a NULL pointer dereference on hosts using the OS-fingerprint (osf) match. The flaw affects systems with nftables/iptables rulesets that employ the osf TTL check, and is rated availability-only impact (CVSS 7.5, AV:N/A:H). There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and it is not in CISA KEV; the fix has been merged across multiple stable trees.
NULL pointer dereference in the Linux kernel's sch_dualpi2 queuing discipline (net/sched) allows a local attacker with low privileges to crash the kernel, causing a denial of service. The flaw exists in dualpi2_change(), which enforces updated queue limits after a qdisc reconfiguration: when traffic is exclusively queued in the L-queue and the C-queue is empty, the function unconditionally dereferences the NULL skb returned by the C-queue dequeue path, triggering a kernel panic. No public exploit code has been identified and EPSS sits at 0.17% (7th percentile), consistent with a locally-triggered, configuration-dependent kernel bug.
Out-of-bounds memory access in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip) stems from parsing port numbers in non-NUL-terminated socket-buffer data with simple_strtoul() and dereferencing pointers after sip_parse_addr() without bounds checks. Remote attackers sending crafted SIP messages through a host where the SIP conntrack/NAT helper is active could read past the packet buffer, risking information disclosure or instability (tagged Information Disclosure). Despite a CVSS of 9.8, EPSS is only 0.18% (8th percentile) and no public exploit is identified at time of analysis; a vendor fix is available across multiple stable trees.
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.
Denial of service in the Linux kernel's libceph client allows a malicious or corrupted Ceph cluster to crash the kernel via a null pointer dereference in decode_choose_args(). When processing a CEPH_MSG_OSD_MAP message, a crafted CRUSH map containing choose_args with a bucket_index that points to a NULL (unallocated) bucket triggers the crash, because the code validated only that the index stayed within max_buckets, not that the target bucket was non-NULL. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.18%, 8th percentile), and the issue is patched upstream.