Null Pointer Dereference
An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, and 2400. A NULL pointer dereference of ft_handle in load_fw_utc_vector() causes a denial of service. [CVSS 7.5 HIGH]
Open Babel versions up to 3.1.1 contain a null pointer dereference in the CDXML file handler's OBAtom::GetExplicitValence function, allowing remote attackers to crash the application through maliciously crafted files. Public exploit code exists for this vulnerability, making it a practical attack vector for denial of service. A patch is available and should be applied to all affected installations.
A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. [CVSS 3.3 LOW]
A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. [CVSS 3.3 LOW]
A vulnerability has been found in wren-lang wren up to 0.4.0. Affected by this issue is the function getByteCountForArguments of the file src/vm/wren_compiler.c. [CVSS 3.3 LOW]
Null pointer dereference in Windows allows authenticated local users to cause a denial of service condition with potential system instability. An attacker with valid user credentials can trigger this memory safety issue to crash affected processes or degrade system availability. No patch is currently available for this vulnerability.
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. [CVSS 3.3 LOW]
SonicOS firewalls are vulnerable to denial-of-service attacks when an authenticated remote attacker triggers a null pointer dereference, causing the device to crash. This post-authentication flaw affects firewall availability but requires valid credentials to exploit. No patch is currently available.
A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]
ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 have a NULL Pointer Dereference vulnerability. [CVSS 7.5 HIGH]
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c. [CVSS 5.5 MEDIUM]
A flaw has been found in skvadrik re2c versions up to 4.4. The software is affected by improper resource shutdown or release (CVSS 3.3).
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. [CVSS 5.3 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory. System crash with the following signature: [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously. The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.
A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.
A security vulnerability has been detected in ggreer the_silver_searcher versions up to 2.2.0. The software is affected by improper resource shutdown or release (CVSS 3.3).
The Linux kernel's ice driver contains a race condition in PTP (Precision Time Protocol) handling where periodic work can execute while the Virtual Station Interface (VSI) is being rebuilt, causing a NULL pointer dereference when accessing rx_rings. A local attacker with low privileges can trigger this vulnerability to cause a denial of service by crashing the kernel. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer. The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd. When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.
In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer. Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
A null pointer dereference in the CephFS kernel client's MDS authentication matching function (ceph_mds_auth_match()) allows local attackers with low privileges to cause a denial of service by crashing the kernel when the mds_namespace mount option is not specified. This regression affects Linux kernel versions 6.18-rc1 and later, impacting systems using CephFS with default mount configurations. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max. An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace: <TASK> dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887 It was triggered by setting max without limitation, the command is like: "echo test/region0 > dmem.max".
In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size. When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET command.
A null pointer dereference in the Linux kernel's mlx5e TC steering driver allows local attackers with user privileges to cause a denial of service by triggering improper flow deletion logic that attempts to access non-existent device peers. The vulnerability occurs when deleting TC flows without validating peer existence, leading to kernel crashes. No patch is currently available for this medium-severity flaw affecting Linux systems with Mellanox network drivers.
A NULL pointer dereference in the Intel ice network driver's ice_vsi_set_napi_queues() function can cause a kernel crash on Linux systems during suspend/resume operations when ring queue vectors are improperly initialized. Local users with standard privileges can trigger this denial of service condition through standard power management operations like systemctl suspend. No patch is currently available for this vulnerability affecting Linux kernel v6.18 and the Intel E810 Ethernet adapter family.
The Linux kernel amdgpu graphics driver crashes with a NULL pointer dereference on APU platforms (Raven, Renoir) when SVM page fault recovery attempts to access uninitialized interrupt ring buffers that only exist on discrete GPUs. A local authenticated attacker can trigger this denial of service by enabling retry faults on affected APUs. No patch is currently available.
A null pointer dereference in the Linux kernel's perf scheduler functionality causes a denial of service when handling user space stacktraces for certain kernel tasks. Local attackers with low privileges can trigger this crash by exploiting inconsistent task classification logic that fails to properly identify user versus kernel tasks. The vulnerability affects the Linux kernel with no patch currently available.
A null pointer dereference in the Linux kernel's gs_usb driver can cause a denial of service when processing malformed USB bulk transfer callbacks, affecting systems with vulnerable CAN interface hardware. Local attackers with unprivileged access can trigger this crash by submitting crafted USB requests that fail resubmission. No patch is currently available for this vulnerability.
A race condition in the Linux kernel's NVMe target bio completion handler can cause a NULL pointer dereference when a bio is re-submitted while simultaneously being deinitialized, leading to denial of service on systems running affected kernel versions. Local attackers with access to NVMe target functionality can trigger this race to crash the kernel. A patch is not currently available.
A race condition in the Linux kernel's Bluetooth HCI UART driver allows local attackers with user privileges to trigger a null pointer dereference and cause a denial of service by initiating a TTY write wakeup during driver initialization. The vulnerability occurs when hci_uart_tx_wakeup() schedules write work before the protocol handler's private data structure is initialized, leading to a crash in hci_uart_write_work(). No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's SCTP authentication initialization can be triggered by local attackers with user privileges to cause a denial of service through a crash in the packet transmission path. The vulnerability occurs when SCTP-AUTH key setup fails during association peer initialization, leaving a dangling pointer that is subsequently dereferenced. No patch is currently available for this medium-severity issue affecting the Linux kernel.
A NULL pointer dereference in the Linux kernel's ice driver occurs when devlink reload fails and the driver is subsequently removed, affecting systems using Intel ice network adapters. A local privileged user can trigger this denial of service condition by initiating a devlink reinit operation that fails, leaving the hardware in an uninitialized state. The vulnerability stems from a missing ice_deinit_hw() call in the devlink reinit path that leaves control queues uninitialized.
A Null Pointer Dereference vulnerability exists in the TON Virtual Machine (TVM) within the TON Blockchain before v2025.06. The issue is located in the execution logic of the INMSGPARAM instruction, where the program fails to validate if a specific pointer is null before accessing it. [CVSS 7.5 HIGH]
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
Windows Remote Access Connection Manager contains a null pointer dereference flaw affecting Windows 10 (versions 1809 and 21h2) and Windows 11 (version 23h2) that has been confirmed as actively exploited. A local attacker can trigger a denial of service condition without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Adobe After Effects 25.6 and earlier suffers from a null pointer dereference that allows attackers to trigger application crashes by convincing users to open a specially crafted file. This local denial-of-service vulnerability requires user interaction but requires no special privileges, potentially disrupting creative workflows. No patch is currently available.
Substance 3D Designer 15.1.0 and earlier contains a null pointer dereference vulnerability that allows local attackers to crash the application by tricking users into opening malicious files. This denial-of-service attack requires user interaction but causes service disruption with no mitigation patch currently available.
Denial-of-service in Adobe Substance 3D Designer version 15.1.0 and earlier stems from a null pointer dereference vulnerability that crashes the application when a user opens a malicious file. The attack requires no special privileges and relies solely on user interaction to trigger the crash. No patch is currently available for this vulnerability.
Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.
Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial of service. [CVSS 6.8 MEDIUM]
A security vulnerability has been detected in ckolivas lrzip up to 0.651. This vulnerability affects the function ucompthread of the file stream.c. [CVSS 3.3 LOW]
FreeRDP proxy versions prior to 3.22.0 are vulnerable to denial of service when processing specially crafted RDP server responses that trigger a null pointer dereference in the logon information handler. An unauthenticated attacker controlling a malicious RDP server can crash the FreeRDP proxy by sending a LogonInfoV2 PDU with empty domain or username fields. This vulnerability has been patched in version 3.22.0 and later.
Open5GS versions up to 2.7.6 suffer from a null pointer dereference in the PGW S5U Address Handler component that can be triggered remotely without authentication, resulting in denial of service. Public exploit code exists for this vulnerability, and administrators should apply the available patch immediately.
A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. [CVSS 3.3 LOW]
A security vulnerability has been detected in oatpp versions up to 1.3.1. The software is affected by improper resource shutdown or release (CVSS 3.3).
Free5GC versions up to 4.1.0 are vulnerable to a null pointer dereference in the SMF component's SessionDeletionResponse function, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference vulnerability in the identityTriggerType function of pfcp_reports.go that allows remote attackers to cause denial of service without authentication. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference in the SMF's establishPfcpSession function that can be triggered remotely without authentication, causing a denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA. The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME.
Linux kernel null pointer dereference in the tracing subsystem causes a denial of service when synthetic events reference stacktrace fields from other synthetic events. Local users with tracing permissions can trigger a kernel crash by creating chained synthetic events that pass stacktrace data between them. No patch is currently available for this vulnerability.
A null pointer dereference vulnerability in the Linux kernel's be2net driver allows local users with low privileges to cause a denial of service by triggering a crash through improper parameter handling in the be_cmd_get_mac_from_list() function. The vulnerability occurs when the driver passes both a false pmac_id_valid flag and a NULL pointer to this function, causing the kernel to dereference the invalid pointer. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's net/sched act_ife module allows local users with low privileges to cause a denial of service through a kernel crash when the ife_encode() function fails to validate return values. The vulnerability affects the traffic control scheduling subsystem and requires local access to trigger.
Linux kernel UACCE subsystem is vulnerable to a null pointer dereference that causes a denial of service when queue release and device removal operations execute concurrently during system shutdown. A local attacker with standard user privileges can trigger this condition by forcing accelerator queue cleanup while the device is being removed, crashing the kernel. No patch is currently available.
The hp-bioscfg driver in the Linux kernel contains a null pointer dereference vulnerability triggered by an off-by-one error and missing NULL checks in the GET_INSTANCE_ID macro when accessing BIOS configuration sysfs attributes. Local users with unprivileged access can trigger a kernel panic by reading certain attribute files, causing denial of service during BIOS configuration operations. No patch is currently available for this vulnerability.
The Linux kernel's authencesn crypto module fails to validate minimum AAD (Associated Authenticated Data) length, allowing local attackers with unprivileged access to trigger a NULL pointer dereference and kernel panic by submitting specially crafted authentication requests with oversized AAD parameters. This denial-of-service vulnerability affects systems running vulnerable Linux kernel versions and requires local access to exploit. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic. When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend. Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay(). Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay().
In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport. If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport.
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup. When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification. The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel.
Remote denial of service in Free5GC PCF versions up to 1.4.1 stems from a null pointer dereference in the SM Policy request handler, allowing unauthenticated attackers to crash the service from the network. Public exploit code exists for this vulnerability, and a patch is available to remediate the issue.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv. mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.
The 3com 3c59x driver in the Linux kernel is susceptible to a null pointer dereference in the vortex_probe1() function when pdev is null, potentially causing a denial of service through system crash or hang. A local attacker with unprivileged access can trigger this condition during driver initialization. A patch is available to resolve this issue.
A NULL pointer dereference in the Linux kernel's Marvell Prestera driver occurs when devlink_alloc() fails to allocate memory, as the code does not validate the returned pointer before dereferencing it. A local attacker with unprivileged access can trigger a kernel crash by exhausting memory or forcing allocation failures. A patch is available to add proper NULL pointer validation before dereferencing the devlink object.
The Linux kernel idpf driver fails to properly handle initialization errors during driver load, leaving the system in an inconsistent state where subsequent resets trigger a null pointer dereference crash. Local users with administrative privileges can cause a denial of service by triggering conditions that cause the init_task to fail, such as rejected firmware operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction. When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id.
Free5GC SMF versions up to 4.1.0 contain a null pointer dereference in the PFCP UDP endpoint handler that can be triggered remotely without authentication, leading to denial of service. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can crash the session management function by sending specially crafted PFCP association release requests.
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
Unauthenticated remote denial of service in TP-Link Tapo C220 and C520WS network cameras allows attackers to crash the HTTP service by sending POST requests with malformed Content-Length headers, triggering a null pointer dereference. Repeated attacks can keep the devices offline despite automatic restarts, with no available patch to mitigate the vulnerability. This affects camera availability and requires manual intervention to restore service.
OpenSSL's PKCS#7 signature verification fails to validate ASN1_TYPE union members before access, allowing attackers to trigger null pointer dereference crashes by submitting malformed PKCS#7 data. Applications performing signature verification or using PKCS7_digest_from_attributes() directly are vulnerable to denial of service attacks. A patch is available to address this type confusion vulnerability.
Processing a malformed PKCS#12 file in OpenSSL and related TLS libraries can trigger a null pointer dereference due to improper type validation in ASN.1 parsing, causing applications to crash. This vulnerability requires local user interaction to exploit and results only in denial of service, with no impact on data confidentiality or integrity. A patch is available to address this medium-severity issue.
An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, and 2400. A NULL pointer dereference of ft_handle in load_fw_utc_vector() causes a denial of service. [CVSS 7.5 HIGH]
Open Babel versions up to 3.1.1 contain a null pointer dereference in the CDXML file handler's OBAtom::GetExplicitValence function, allowing remote attackers to crash the application through maliciously crafted files. Public exploit code exists for this vulnerability, making it a practical attack vector for denial of service. A patch is available and should be applied to all affected installations.
A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. [CVSS 3.3 LOW]
A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. [CVSS 3.3 LOW]
A vulnerability has been found in wren-lang wren up to 0.4.0. Affected by this issue is the function getByteCountForArguments of the file src/vm/wren_compiler.c. [CVSS 3.3 LOW]
Null pointer dereference in Windows allows authenticated local users to cause a denial of service condition with potential system instability. An attacker with valid user credentials can trigger this memory safety issue to crash affected processes or degrade system availability. No patch is currently available for this vulnerability.
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. [CVSS 3.3 LOW]
SonicOS firewalls are vulnerable to denial-of-service attacks when an authenticated remote attacker triggers a null pointer dereference, causing the device to crash. This post-authentication flaw affects firewall availability but requires valid credentials to exploit. No patch is currently available.
A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request. [CVSS 4.9 MEDIUM]
ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]
ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 have a NULL Pointer Dereference vulnerability. [CVSS 7.5 HIGH]
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c. [CVSS 5.5 MEDIUM]
A flaw has been found in skvadrik re2c versions up to 4.4. The software is affected by improper resource shutdown or release (CVSS 3.3).
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. [CVSS 5.3 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory. System crash with the following signature: [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously. The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.
A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.
A security vulnerability has been detected in ggreer the_silver_searcher versions up to 2.2.0. The software is affected by improper resource shutdown or release (CVSS 3.3).
The Linux kernel's ice driver contains a race condition in PTP (Precision Time Protocol) handling where periodic work can execute while the Virtual Station Interface (VSI) is being rebuilt, causing a NULL pointer dereference when accessing rx_rings. A local attacker with low privileges can trigger this vulnerability to cause a denial of service by crashing the kernel. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer. The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress.
In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd. When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.
In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer. Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
A null pointer dereference in the CephFS kernel client's MDS authentication matching function (ceph_mds_auth_match()) allows local attackers with low privileges to cause a denial of service by crashing the kernel when the mds_namespace mount option is not specified. This regression affects Linux kernel versions 6.18-rc1 and later, impacting systems using CephFS with default mount configurations. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max. An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace: <TASK> dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887 It was triggered setting max without limitation, the command is like: "echo test/region0 > dmem.max".
In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size. When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET command.
A null pointer dereference in the Linux kernel's mlx5e TC steering driver allows local attackers with user privileges to cause a denial of service by triggering improper flow deletion logic that attempts to access non-existent device peers. The vulnerability occurs when deleting TC flows without validating peer existence, leading to kernel crashes. No patch is currently available for this medium-severity flaw affecting Linux systems with Mellanox network drivers.
A NULL pointer dereference in the Intel ice network driver's ice_vsi_set_napi_queues() function can cause a kernel crash on Linux systems during suspend/resume operations when ring queue vectors are improperly initialized. Local users with standard privileges can trigger this denial of service condition through standard power management operations like systemctl suspend. No patch is currently available for this vulnerability affecting Linux kernel v6.18 and the Intel E810 Ethernet adapter family.
The Linux kernel amdgpu graphics driver crashes with a NULL pointer dereference on APU platforms (Raven, Renoir) when SVM page fault recovery attempts to access uninitialized interrupt ring buffers that only exist on discrete GPUs. A local authenticated attacker can trigger this denial of service by enabling retry faults on affected APUs. No patch is currently available.
A null pointer dereference in the Linux kernel's perf scheduler functionality causes a denial of service when handling user space stacktraces for certain kernel tasks. Local attackers with low privileges can trigger this crash by exploiting inconsistent task classification logic that fails to properly identify user versus kernel tasks. The vulnerability affects the Linux kernel with no patch currently available.
A null pointer dereference in the Linux kernel's gs_usb driver can cause a denial of service when processing malformed USB bulk transfer callbacks, affecting systems with vulnerable CAN interface hardware. Local attackers with unprivileged access can trigger this crash by submitting crafted USB requests that fail resubmission. No patch is currently available for this vulnerability.
A race condition in the Linux kernel's NVMe target bio completion handler can cause a NULL pointer dereference when a bio is re-submitted while simultaneously being deinitialized, leading to denial of service on systems running affected kernel versions. Local attackers with access to NVMe target functionality can trigger this race to crash the kernel. A patch is not currently available.
A race condition in the Linux kernel's Bluetooth HCI UART driver allows local attackers with user privileges to trigger a null pointer dereference and cause a denial of service by initiating a TTY write wakeup during driver initialization. The vulnerability occurs when hci_uart_tx_wakeup() schedules write work before the protocol handler's private data structure is initialized, leading to a crash in hci_uart_write_work(). No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's SCTP authentication initialization can be triggered by local attackers with user privileges to cause a denial of service through a crash in the packet transmission path. The vulnerability occurs when SCTP-AUTH key setup fails during association peer initialization, leaving a dangling pointer that is subsequently dereferenced. No patch is currently available for this medium-severity issue affecting the Linux kernel.
A NULL pointer dereference in the Linux kernel's ice driver occurs when devlink reload fails and the driver is subsequently removed, affecting systems using Intel ice network adapters. A local privileged user can trigger this denial of service condition by initiating a devlink reinit operation that fails, leaving the hardware in an uninitialized state. The vulnerability stems from a missing ice_deinit_hw() call in the devlink reinit path that leaves control queues uninitialized.
A Null Pointer Dereference vulnerability exists in the TON Virtual Machine (TVM) within the TON Blockchain before v2025.06. The issue is located in the execution logic of the INMSGPARAM instruction, where the program fails to validate if a specific pointer is null before accessing it. [CVSS 7.5 HIGH]
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 4.9 MEDIUM]
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]
Windows Remote Access Connection Manager contains a null pointer dereference flaw affecting Windows 10 (versions 1809 and 21h2) and Windows 11 (version 23h2) that has been confirmed as actively exploited. A local attacker can trigger a denial of service condition without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Adobe After Effects 25.6 and earlier suffers from a null pointer dereference that allows attackers to trigger application crashes by convincing users to open a specially crafted file. This local denial-of-service vulnerability requires user interaction but requires no special privileges, potentially disrupting creative workflows. No patch is currently available.
Substance 3D Designer 15.1.0 and earlier contains a null pointer dereference vulnerability that allows local attackers to crash the application by tricking users into opening malicious files. This denial-of-service attack requires user interaction but causes service disruption with no mitigation patch currently available.
Denial-of-service in Adobe Substance 3D Designer version 15.1.0 and earlier stems from a null pointer dereference vulnerability that crashes the application when a user opens a malicious file. The attack requires no special privileges and relies solely on user interaction to trigger the crash. No patch is currently available for this vulnerability.
Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.
Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial of service. [CVSS 6.8 MEDIUM]
A security vulnerability has been detected in ckolivas lrzip up to 0.651. This vulnerability affects the function ucompthread of the file stream.c. [CVSS 3.3 LOW]
FreeRDP proxy versions prior to 3.22.0 are vulnerable to denial of service when processing specially crafted RDP server responses that trigger a null pointer dereference in the logon information handler. An unauthenticated attacker controlling a malicious RDP server can crash the FreeRDP proxy by sending a LogonInfoV2 PDU with empty domain or username fields. This vulnerability has been patched in version 3.22.0 and later.
Open5GS versions up to 2.7.6 suffer from a null pointer dereference in the PGW S5U Address Handler component that can be triggered remotely without authentication, resulting in denial of service. Public exploit code exists for this vulnerability, and administrators should apply the available patch immediately.
A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. [CVSS 3.3 LOW]
A security vulnerability has been detected in oatpp versions up to 1.3.1. The software is affected by improper resource shutdown or release (CVSS 3.3).
Free5GC versions up to 4.1.0 are vulnerable to a null pointer dereference in the SMF component's SessionDeletionResponse function, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference vulnerability in the identityTriggerType function of pfcp_reports.go that allows remote attackers to cause denial of service without authentication. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference in the SMF's establishPfcpSession function that can be triggered remotely without authentication, causing a denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA. The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME.
Linux kernel null pointer dereference in the tracing subsystem causes a denial of service when synthetic events reference stacktrace fields from other synthetic events. Local users with tracing permissions can trigger a kernel crash by creating chained synthetic events that pass stacktrace data between them. No patch is currently available for this vulnerability.
A null pointer dereference vulnerability in the Linux kernel's be2net driver allows local users with low privileges to cause a denial of service by triggering a crash through improper parameter handling in the be_cmd_get_mac_from_list() function. The vulnerability occurs when the driver passes both a false pmac_id_valid flag and a NULL pointer to this function, causing the kernel to dereference the invalid pointer. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's net/sched act_ife module allows local users with low privileges to cause a denial of service through a kernel crash when the ife_encode() function fails to validate return values. The vulnerability affects the traffic control scheduling subsystem and requires local access to trigger.
Linux kernel UACCE subsystem is vulnerable to a null pointer dereference that causes a denial of service when queue release and device removal operations execute concurrently during system shutdown. A local attacker with standard user privileges can trigger this condition by forcing accelerator queue cleanup while the device is being removed, crashing the kernel. No patch is currently available.
The hp-bioscfg driver in the Linux kernel contains a null pointer dereference vulnerability triggered by an off-by-one error and missing NULL checks in the GET_INSTANCE_ID macro when accessing BIOS configuration sysfs attributes. Local users with unprivileged access can trigger a kernel panic by reading certain attribute files, causing denial of service during BIOS configuration operations. No patch is currently available for this vulnerability.
The Linux kernel's authencesn crypto module fails to validate minimum AAD (Associated Authenticated Data) length, allowing local attackers with unprivileged access to trigger a NULL pointer dereference and kernel panic by submitting specially crafted authentication requests with oversized AAD parameters. This denial-of-service vulnerability affects systems running vulnerable Linux kernel versions and requires local access to exploit. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic. When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend. Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay(). Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay().
In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport. If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport.
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup. When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification. The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel.
Remote denial of service in Free5GC PCF versions up to 1.4.1 stems from a null pointer dereference in the SM Policy request handler, allowing unauthenticated attackers to crash the service from the network. Public exploit code exists for this vulnerability, and a patch is available to remediate the issue.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv. mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.
The 3com 3c59x driver in the Linux kernel is susceptible to a null pointer dereference in the vortex_probe1() function when pdev is null, potentially causing a denial of service through system crash or hang. A local attacker with unprivileged access can trigger this condition during driver initialization. A patch is available to resolve this issue.
A NULL pointer dereference in the Linux kernel's Marvell Prestera driver occurs when devlink_alloc() fails to allocate memory, as the code does not validate the returned pointer before dereferencing it. A local attacker with unprivileged access can trigger a kernel crash by exhausting memory or forcing allocation failures. A patch is available to add proper NULL pointer validation before dereferencing the devlink object.
The Linux kernel idpf driver fails to properly handle initialization errors during driver load, leaving the system in an inconsistent state where subsequent resets trigger a null pointer dereference crash. Local users with administrative privileges can cause a denial of service by triggering conditions that cause the init_task to fail, such as rejected firmware operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction. When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id.
Free5GC SMF versions up to 4.1.0 contain a null pointer dereference in the PFCP UDP endpoint handler that can be triggered remotely without authentication, leading to denial of service. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can crash the session management function by sending specially crafted PFCP association release requests.
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
Unauthenticated remote denial of service in TP-Link Tapo C220 and C520WS network cameras allows attackers to crash the HTTP service by sending POST requests with malformed Content-Length headers, triggering a null pointer dereference. Repeated attacks can keep the devices offline despite automatic restarts, with no available patch to mitigate the vulnerability. This affects camera availability and requires manual intervention to restore service.
OpenSSL's PKCS#7 signature verification fails to validate ASN1_TYPE union members before access, allowing attackers to trigger null pointer dereference crashes by submitting malformed PKCS#7 data. Applications performing signature verification or using PKCS7_digest_from_attributes() directly are vulnerable to denial of service attacks. A patch is available to address this type confusion vulnerability.
Processing a malformed PKCS#12 file in OpenSSL and related TLS libraries can trigger a null pointer dereference due to improper type validation in ASN.1 parsing, causing applications to crash. This vulnerability requires local user interaction to exploit and results only in denial of service, with no impact on data confidentiality or integrity. A patch is available to address this medium-severity issue.