Null Pointer Dereference
Monthly
Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).
NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.
NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.
NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.
Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.
NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Denial of service in the IBM WebSphere WebServer Plug-in component affects IBM i 7.3 through 7.6, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty via a NULL pointer dereference (CWE-476) triggered by crafted HTTP requests. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote unauthenticated exploitation, though high attack complexity limits opportunistic mass exploitation. Impact is limited to availability - no confidentiality or integrity compromise - and no public exploit or CISA KEV listing has been identified at time of analysis.
Denial of service in NI grpc-device 2.17.0 and prior allows remote unauthenticated attackers to crash the data moniker service by submitting an unknown value that triggers a NULL pointer dereference. The flaw also impacts deployments embedding the server via NI InstrumentStudio. No public exploit is identified at time of analysis, though the CVSS 4.0 base score of 8.7 reflects high availability impact reachable over the network without privileges.
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when loginctl returns an empty Remote field during session locality checks. The crash terminates the PAM module with SIGSEGV, and depending on PAM stack control flags (required vs. optional), can deny authentication to all users of the affected service - a local denial of service with potentially severe impact on system accessibility. No active exploitation confirmed (not in CISA KEV); vendor-released patch available in version 0.9.2, which also addresses 11 additional security findings discovered during an ongoing audit.
Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggering HPACK dynamic table insertions under memory pressure. The flaw lives in hpack_dht_insert() in src/hpack-tbl.c, where the return value of hpack_dht_defrag() is not validated; when the memory pool is exhausted defrag returns NULL and the subsequent dereference crashes the worker. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
NULL pointer dereference in Autodesk Revit's 'Convert RFA to FormIt' feature causes the application to crash when processing a specially crafted RFA file, resulting in a denial-of-service condition. All tracked versions of Autodesk Revit are affected per CPE data, with the attack requiring local file access and deliberate user interaction to trigger the vulnerable conversion workflow. No public exploit code and no CISA KEV listing exist at time of analysis; a vendor-released patch is available through Autodesk Access.
Remote denial of service in Android (Pixel) RTP stack arises from a missing null check in checkSsrcCollisionOnRcv within RtpSession.cpp, allowing unauthenticated attackers to crash the affected media component over the network. The flaw carries CVSS 7.5 with availability-only impact, and at the time of analysis there is no public exploit identified and the EPSS exploitation probability is very low (0.14%, 4th percentile).
NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when processing a specially crafted MP4 file, delivering a denial of service against any user or automated pipeline invoking the tool. The flaw is isolated to the TrackWriter handling component in filters/mux_isom.c, triggered by malformed MP4 input that causes an unvalidated pointer dereference. No public exploit code has been identified and this CVE does not appear in CISA KEV; SSVC rates exploitation status as none with no automation potential, consistent with a limited, file-delivery-dependent attack surface.
NULL pointer dereference in dhcpcd 10.3.0 allows an unauthenticated attacker on the same network segment to crash the DHCP client daemon by sending a crafted packet with unexpected or invalid option tokens. The fault occurs in parse_option() at src/if-options.c:1886, where a NULL return from option lookup is immediately dereferenced as a 'struct dhcp_opt' member without a null check, causing a runtime abort. No public exploit or CISA KEV listing exists, and EPSS sits at the 4th percentile, indicating low but real crash-level risk for any host running this specific dhcpcd version on a shared or adversarially accessible network segment.
NULL pointer dereference in GPAC's MP4Box media tool crashes the process when importing a crafted MP4 file containing an unknown svcC box nested inside an av01 parent box. The unsupported-box handling path in the ISOBMFF parser leaves the sample entry pointer uninitialized; Track_SetStreamDescriptor() at isomedia/track.c:1677 subsequently dereferences this invalid pointer during bitrate update processing without validation, producing a SEGV. No active exploitation has been confirmed (not in CISA KEV), but a public proof-of-concept MP4 file is available at the reporter's GitHub repository, and the CVSS-assigned severity is 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the application by supplying a crafted MP4 file with corrupted Elementary Stream Descriptor (ESD) data. The function `gf_media_map_esd()` in `media_tools/isom_tools.c` at line 1359 calls `strlen()` on `esd->URLString` without verifying the pointer is non-NULL, triggering a SEGV when the ESD contains a missing or corrupted URLString field. A public proof-of-concept MP4 file exists; no active exploitation has been confirmed (not in CISA KEV). EPSS data is not available in the provided intelligence.
NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata with an invalid sai_samples count. The function gf_isom_copy_sample_info() in isomedia/isom_write.c:8164 fails to validate pointers after SAI merge handling fails, resulting in a SEGV read at address 0x0 and an application crash. A publicly available proof-of-concept MP4 file exists on GitHub; however, this CVE is not in CISA KEV, and exploitation is constrained to a denial-of-service (process crash) with no code execution or data exposure demonstrated.
Null pointer dereference in the Avira Antivirus scanning engine crashes the antivirus process when it parses a specially crafted malformed Windows PE file. All platform deployments - Windows, macOS, and Linux - running engine builds prior to 8.3.70.64 are affected, making this a cross-platform availability risk. No public exploit identified at time of analysis and no CISA KEV listing; however, the ease of crafting a malformed PE file as a trigger lowers the practical barrier for targeted disruption of endpoint protection.
Null pointer dereference in ImageMagick's distort operation crashes the processing process when an attacker supplies malformed distort arguments via a crafted image. Affected are all ImageMagick 6.x versions prior to 6.9.13-50 and all 7.x versions prior to 7.1.2-25. An unauthenticated remote attacker who can cause a target application to process a specially crafted image can trigger a DoS; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Nil-pointer dereference in Incus daemon (incusd) versions before 7.1.0 allows any authenticated API user holding the standard can_create permission on any project to crash the entire incusd process by uploading a crafted backup tarball, causing denial of service across all projects on the affected cluster member. The vulnerable path in internal/server/storage/backend.go:795 dereferences Config.Volume without a nil guard while adjacent fields received nil-checks in sibling patches (GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, GHSA-x5r6-jr56-89pv) released 2026-05-04. Publicly available exploit code exists in the form of a self-contained Go unit test and 2560-byte tarball builder included with the disclosure; no CISA KEV listing at time of analysis.
NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems enables a remote, administrator-authenticated attacker to trigger a denial-of-service condition. Exploitation requires the attacker to first hold or acquire an administrator account on the target device, after which a crafted request can crash system services. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a denial-of-service condition. Exploitation requires prior acquisition of a valid user account on the target QNAP NAS device, after which the attacker can trigger the dereference remotely over the network. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems allows remote unauthenticated attackers to crash a network-facing service and cause a denial-of-service condition without any authentication or user interaction. Multiple active OS branches are affected - QTS 5.2.x and QuTS hero h5.2.x through h6.0.x - across a device population that is historically internet-exposed and frequently targeted. No public exploit has been identified and this vulnerability is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface makes DoS attempts trivially repeatable against unpatched devices.
NULL pointer dereference in QNAP QuTS hero NAS operating system allows a remote attacker who has already obtained or possesses an administrator account to trigger a denial-of-service condition, crashing affected services. Affected branches span QuTS hero h5.2.x, h5.3.x, and h6.0.x series, with vendor-released patches available as of early-to-mid 2026. No public exploit code or CISA KEV listing has been identified at time of analysis, and the mandatory prerequisite of high-privilege authentication substantially constrains real-world impact.
Remote denial-of-service in Espressif ESP-IDF's esp_http_server WebSocket handshake allows unauthenticated attackers to crash IoT devices by sending a malformed Sec-WebSocket-Protocol header. The flaw (CWE-476 NULL-pointer dereference) is triggered pre-authentication during subprotocol negotiation and affects ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0; no public exploit identified at time of analysis, though upstream commits disclose the exact vulnerable code path.
Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial query backed by a 2dsphere index where the indexed field holds a GeoJSON GeometryCollection containing a Polygon defined with a strict-winding CRS. The flaw is a CWE-476 null pointer dereference reached because the rejection guard for unsupported strict-winding polygons does not recurse into GeometryCollection members. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the server process by issuing a specially crafted aggregation followed by a getMore command on the same cursor, triggering a null pointer dereference in the aggregation stage's _subPipeline field. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a credible availability threat for multi-tenant or shared MongoDB deployments.
NULL Pointer Dereference in Adobe InDesign Desktop versions 21.3 and 20.5.3 and earlier allows a local attacker to crash the application by delivering a crafted document file that a victim must open, resulting in a denial-of-service condition with no confidentiality or integrity impact. Exploitation is constrained by mandatory user interaction (UI:R) and a local attack vector (AV:L), significantly limiting real-world risk beyond targeted social-engineering scenarios involving design professionals. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog.
NULL Pointer Dereference in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier enables a denial-of-service condition by crashing the application when a victim opens a specially crafted malicious file. The vulnerability carries no confidentiality or integrity impact - availability is the sole affected component. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, limiting its urgency relative to higher-severity Adobe vulnerabilities.
Null pointer dereference in Windows Kerberos enables an authenticated network attacker to crash the Kerberos service, causing denial of service. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation is achievable over the network by any low-privilege authenticated user with no user interaction required, resulting in high availability impact (A:H) with no confidentiality or integrity consequences. No active exploitation confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.
Denial of service in OpenSSL 3.6.0-3.6.2 and 4.0.0 allows remote attackers to crash applications by triggering a NULL pointer dereference during certificate verification when OCSP checking is enabled. The flaw is patched in OpenSSL 4.0.1 (and 3.6.3) per the vendor's 2026-06-09 security advisory; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
NULL pointer dereference in OpenSSL's CRMF EncryptedValue decryption path crashes the affected process, creating a remotely triggerable denial-of-service condition across five actively maintained OpenSSL branches (3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.x). The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, score 5.9) confirms network reachability with no authentication required, but high attack complexity limits trivial mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the broad version coverage and OpenSSL's ubiquitous deployment make patching a priority for any infrastructure using certificate management protocols.
Denial of service in OpenSSL 3.5.x, 3.6.x, and 4.0.0 stems from a NULL pointer dereference triggered during QUIC server initial packet handling, allowing remote unauthenticated attackers to crash affected servers by sending crafted QUIC traffic. The flaw was disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside multiple other CVEs; no public exploit identified at time of analysis and no CISA KEV listing. Patched versions are available from the upstream project and downstream distributions including Ubuntu (USN-8414-1).
Null pointer dereference in OpenSSL's password-based CMS decryption path enables remote denial of service against applications that process CMS EnvelopedData with password-based key derivation. The flaw affects a wide range of OpenSSL branches spanning 1.0.2 through 4.0.0, making the exposure surface unusually broad across long-term support and current releases. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS score of 5.9 (Medium) reflects the high attack complexity required to trigger the condition.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a malicious MP4 file that triggers a NULL pointer dereference in the VVC (Versatile Video Coding) configuration writer. The flaw resides in gf_odf_vvc_cfg_write_bs within odf/descriptors.c and requires no authentication or user privileges beyond convincing the target to process the crafted file. No public exploit identified at time of analysis, and SSVC indicates exploitation has not been observed despite the issue being automatable.
NULL pointer dereference in GPAC MP4Box v2.4 allows unauthenticated remote attackers to crash the application by delivering a crafted MP4 file that a user opens. The vulnerable function ctts_box_write in isomedia/box_code_base.c fails to validate a pointer before dereferencing it when processing a malformed Composition Time to Sample (ctts) box, resulting in a denial-of-service condition. No public exploit code or active exploitation has been identified; SSVC rates exploitation status as none, though delivery is rated automatable.
NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when parsing a maliciously crafted MP4 file, enabling a Denial of Service against any user or pipeline that processes untrusted media with this tool. The flaw resides in gf_isom_get_user_data_count within isomedia/isom_read.c, where an unvalidated pointer is dereferenced during user-data atom counting. Publicly available exploit code exists as a crafted MP4 PoC, though no public exploit identified at time of analysis in CISA KEV and EPSS sits at the 5th percentile, suggesting minimal observed exploitation activity.
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in `ipu6_pci_probe()` at `drivers/media/pci/intel/ipu6/ipu6.c:690`, where `isp->psys` holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
NULL pointer dereference in the Linux kernel's Renesas VSP1 media driver crashes the kernel during module unload on Generation 4 Renesas SoC hardware. The defect exists because the cleanup path unconditionally invokes vsp1_drm_cleanup() rather than vsp1_vspx_cleanup() for gen 4 IP versions, while the initialization path correctly checks the IP version - an asymmetry introduced when gen 4 support was added. With an EPSS of 0.02% (4th percentile), no KEV listing, and no public exploit code, real-world exploitation risk is very low and confined to niche embedded and automotive platforms; vendor-released patches are available in stable kernel branches.
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, `hugetlb_add_param()` in `mm/hugetlb` dereferences a NULL pointer via `strlen()` when `hugepages`, `hugepagesz`, or `default_hugepagesz` kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
NULL pointer dereference in the Linux kernel's drm/imagination (PowerVR GPU) driver crashes the kernel when a local user writes to the ftrace mask debugfs entry. Affected kernels range from the introduction of the drm/imagination driver at commit a331631496a0af9a6f4e7e1860983afd8b1bb013 through Linux 7.0, with fixes landed in 7.0.4 and 7.1-rc2. An attacker with local access and write permission to the debugfs interface can trigger a kernel Oops, resulting in a full system crash and denial of service. No public exploit exists and EPSS is 0.02%, consistent with the narrow hardware scope (Imagination Technologies PowerVR GPUs) and local-only attack surface.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
NULL pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when a local user processes a crafted media file, resulting in Denial of Service. The flaw exists in gf_filter_pid_resolve_file_template_ex (filter_pid.c), where prop_val->value.string is passed to strncmp without a prior null check - confirmed by upstream commit diff. Publicly available exploit code exists, but SSVC signals no active exploitation and non-automatable attack conditions; no CISA KEV listing is present.
Local denial of service in NI's NI-PAL kernel driver (versions 26.3.0 and prior on Windows and Linux) allows an authenticated local user to crash the host system by sending malformed input that triggers a NULL pointer dereference in kernel space. No public exploit identified at time of analysis, but the kernel-level impact means a successful trigger takes down the entire host, not just the driver process. The issue is vendor-disclosed by NI with an advisory published on ni.com.
Null pointer dereference in whisper.cpp up to version 1.8.2 allows a local authenticated attacker to crash the application via a crafted input during model loading. The vulnerable code path is the whisper_model_load function within ggml/src/ggml.c, resulting in a limited availability impact (application denial of service) with no confidentiality or integrity consequences. A proof-of-concept exploit is publicly available via a GitHub issue report; however, no vendor patch has been released and the project has not yet responded to the disclosure.
Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged local access to corrupt memory during secure data initialization, leading to high impact on confidentiality, integrity, and availability. The flaw is traceable to a NULL pointer dereference (CWE-476) reachable when heap memory is exhausted, and is addressed in the Qualcomm June 2026 security bulletin. No public exploit identified at time of analysis, and EPSS data was not provided.
Local memory corruption in Qualcomm Snapdragon platforms (CVE-2025-59604) allows a low-privileged local attacker to trigger invalid memory writes via a null pointer condition during a memory copy operation, resulting in high confidentiality, integrity, and availability impact (CVSS 7.8). The flaw is disclosed in the Qualcomm June 2026 security bulletin with no public exploit identified at time of analysis and no CISA KEV listing. While CWE-476 (null pointer dereference) typically yields denial of service, the vendor's CIA:H scoring indicates the invalid writes may be steerable into broader corruption beyond a simple crash.
Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.
Null pointer dereference in ThorVG's SVG loader crashes any process that passes untrusted SVG content through Picture::load(), enabling remote denial-of-service with a trivial 6-byte payload. All ThorVG releases prior to 1.0.5 are affected (CPE: cpe:2.3:a:thorvg:thorvg:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis and no CISA KEV listing, but the fix-confirming PR diff (PR #4387) exposes the exact null-check omissions, substantially lowering the bar for independent exploit development.
Null pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when parsing crafted MP4 files, resulting in a Denial of Service. The vulnerable function gf_media_get_color_info in src/media_tools/isom_tools.c fails to validate pointers to AVC (avcc) and HEVC (hvcc) configuration boxes before dereferencing them, causing a segmentation fault when a malformed file omits these structures. No public exploit is confirmed as actively exploited (not in CISA KEV), but publicly available exploit code exists and the attack requires only that a user open a crafted file.
Segmentation violation in GPAC MP4Box before version 26.02.0 crashes the application when processing crafted MP4 files, enabling denial of service against any user or pipeline invoking the tool on attacker-supplied input. The root cause is a null pointer dereference (CWE-476) in gf_isom_apple_set_tag_ex within isom_write.c, where custom iTunes-style tag pointers are dereferenced without prior null validation. A publicly available proof-of-concept exploit exists, though no public exploit identified at time of analysis correlates to confirmed active exploitation - the local attack vector (AV:L/UI:R) limits exposure primarily to media processing workflows that ingest untrusted MP4 files.
NULL pointer dereference in MP4Box's AC4 audio parser crashes the process when parsing a maliciously crafted AC4 file, enabling a local Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0, with the root cause in gf_ac4_pres_b_4_back_channels_present() and related AC4 presentation parsing routines in av_parsers.c. A publicly available proof-of-concept exists, though no public exploit confirmed active exploitation is in CISA KEV at time of analysis.
NULL pointer dereference in GPAC MP4Box's AC4 audio DSI parser crashes the application when processing a crafted AC4 file, resulting in denial of service. All GPAC MP4Box versions before 26.02.0 are affected; the CVSS vector (AV:L/UI:R) confirms exploitation requires a victim to locally open a malicious file. A publicly available proof-of-concept exploit exists at a referenced GitHub repository, though no public exploit identified at time of analysis has been confirmed as actively exploited in the wild (not listed in CISA KEV).
Denial of service in lwext4 1.0.0 allows remote attackers to crash applications by supplying a malformed EXT4 filesystem image that triggers a NULL pointer dereference in ext4_dir_en_get_name_len during directory iteration. The flaw affects the 2016-era lwext4 codebase commonly embedded in IoT, bootloaders, and forensic tools that mount untrusted EXT4 images. Publicly available exploit code exists, though EPSS rates real-world exploitation probability as very low (0.02%, 4th percentile).
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated network attackers to crash the iApp process by sending an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node, triggering either a SIGABRT (Debug builds via assert) or SIGSEGV (Release builds via NULL pointer dereference) on TCP port 36422. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and trivial trigger conditions make this a meaningful availability risk for any exposed FlexRIC RAN Intelligent Controller deployment.
Remote denial-of-service in FlexRIC v2.0.0 near-RT RIC allows unauthenticated attackers to crash the controller process by sending a RIC_INDICATION message containing an unregistered ran_func_id, which causes the registry lookup to return NULL and trigger either an assertion failure (SIGABRT in Debug builds) or a NULL pointer dereference (SIGSEGV in Release builds). The flaw is reachable over the network on port 36421 with no authentication or user interaction, though EPSS remains low at 0.04% and there is no public exploit identified at time of analysis. KEV does not list this issue.
Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local low-privileged attacker to crash any application that processes attacker-supplied 3D model files via the library. The flaw resides in the `ImportAnimations()` function, where `glTF2::LazyDict::operator[]` is invoked with animation channel node indices that are never validated for validity before dereferencing, producing a CWE-476 null pointer dereference and denial-of-service. A public proof-of-concept exploit (poc.zip) has been disclosed and an upstream patch commit is available, though no active exploitation is confirmed by CISA KEV.
Null pointer dereference in Assimp's glTF mesh importer (versions up to and including 6.0.4) allows a locally authenticated attacker with low privileges to crash any application that uses the library to process a crafted 3D model file. The flaw resides specifically in the Assimp::glTFImporter::ImportMeshes function within glTFImporter.cpp, meaning only applications that invoke the glTF import pipeline are exposed. A publicly available proof-of-concept exploit (poc.zip) has been released, though no active exploitation has been confirmed and the CVSS score of 3.3 (Low) reflects the constrained local-only, availability-only impact.
Null pointer dereference in NanoMQ MQTT Broker 0.24.8 and earlier causes a denial-of-service condition via the QUIC transport layer. The function quic_stream_recv fails to return after completing an asynchronous I/O operation with an error when a substream is in reopen state, proceeding to lock c->mtx against a null substream pointer. An unauthenticated remote attacker can crash the broker process, disrupting edge messaging services. No public exploit identified at time of analysis beyond proof-of-concept code reflected in the CVSS 4.0 E:P metric; not listed in CISA KEV.
Denial of service in cpp-httplib (C++ header-only HTTP/HTTPS library) versions prior to 0.44.0 allows remote unauthenticated attackers to crash server processes by sending an HTTP request with a malformed X-Forwarded-For header. The flaw is reachable only when the application has configured a non-empty trusted-proxy list via Server::set_trusted_proxies(). CVSS 4.0 scores this 8.7 (high) due to network reachability and high availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.
Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.
NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.
Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `>->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.
NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.
Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.
NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.
NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.
Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.
Remote information disclosure in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows unauthenticated network attackers to leak adjacent kernel skb head-buffer memory by sending zero-length ATOMIC_WRITE RDMA packets. The flaw, tracked as CVE-2026-46114 and affecting kernels from 6.2 onward, lets a remote initiator extract 4 bytes of kernel tailroom per probe - including kernel strings and partial direct-map pointer words - into an attacker-controlled memory region. No public exploit identified at time of analysis and EPSS is low (0.05%, 17th percentile), but the vendor (kernel.org) has released stable patches across multiple branches.
Denial of service in the Linux kernel's stmmac Ethernet driver allows remote attackers to trigger a NULL pointer dereference and kernel panic on systems using STMicroelectronics MAC network controllers under sustained memory pressure. The flaw stems from incomplete handling of the DMA RX descriptor ring lifecycle, where stmmac_rx() cannot distinguish 'full' from 'dirty' descriptors when stmmac_rx_refill() fails to allocate replacement buffers. EPSS rates exploitation probability at only 0.02% (5th percentile), and no public exploit identified at time of analysis.
NULL pointer dereference in pam_usb prior to 0.8.7 allows a physically present attacker to crash the PAM authentication stack by inserting a USB device whose serial, vendor, or model metadata fields are absent. The module in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks, despite the GIO/UDisks2 API explicitly documenting that these accessors can return NULL for devices not exposing those fields. The result is undefined behavior - typically a SIGSEGV - that terminates the authentication process. No public exploit has been identified at time of analysis and no active exploitation is confirmed.
pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP request whose URL path begins with /status or /sysinfo. The server tries to load WOSHttpStatusModule.dll to service those paths and calls WOSBin_LoadHttpModule, but that DLL ships missing from the installation, so the resolved function pointer is NULL and the code invokes a function at address 0, terminating the process (CWE-476). The flaw was discovered and reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and it is not on the CISA KEV list, with availability-only impact (CVSS 7.5).
Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering a NULL pointer dereference. The function WOSSysInfoGetDeviceInterface() in WOSCommonUtil.dll returns NULL whenever no user is logged into the Server Agent Management Console, and callers such as WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that pointer without checking it, causing a process crash. There is no public exploit identified at time of analysis and the issue affects only availability (CVSS 7.5).
Local denial of service in the Linux kernel's Intel Xe DRM driver (drm/xe/dma-buf) arises from use-after-free and NULL pointer dereference race conditions in the dma-buf import path, affecting kernels from 6.8 through the fixes in 6.12.91, 6.18.33, 7.0.10 and 7.1. When a buffer object is shared from another GPU driver such as amdgpu, the exporter can invoke the Xe invalidate_mappings hook against a partially initialized or already-freed bo, crashing the system; two customers reported NULL ptr derefs in evict_flags. This is tagged Denial of Service, has no public exploit identified at time of analysis, and carries a low EPSS of 0.18% (7th percentile).
NULL pointer dereference in the Linux kernel SMC subsystem's smc_msg_event tracepoint crashes the kernel when SMC-D socket traffic is processed while the tracepoint is active. Affected kernels from commit aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 across multiple stable branches dereference conn->lnk unconditionally in the tracepoint, though this pointer is only valid for SMC-R connections and is NULL for SMC-D. While activating the tracepoint requires root, the crash itself can be triggered by any unprivileged user via AF_SMC socket operations on SMC-D capable systems (s390 natively, or x86 with loopback ISM loaded). No public exploit or active exploitation confirmed; EPSS sits at 0.16%.
NULL pointer dereference in the Linux kernel RDS/InfiniBand subsystem allows an unprivileged local user to trigger a kernel panic by sending an atomic cmsg over an active RDS/IB connection. The completion handler rds_ib_send_unmap_op() lacks switch cases for masked atomic opcodes (IB_WR_MASKED_ATOMIC_CMP_AND_SWP, IB_WR_MASKED_ATOMIC_FETCH_AND_ADD), returning rm=NULL while the send operation remains flagged, leading to a fatal NULL dereference at rm->m_final_op in softirq context. No public exploit has been identified and EPSS is 0.16% (6th percentile), but the crash is deterministic and reproducible on any system with mlx4/mlx5 InfiniBand hardware running an unpatched kernel with active RDS/IB connections.
NULL pointer dereference in the Linux kernel's BPF socket storage subsystem (net/core/bpf_sk_storage.c) allows a local low-privileged user to crash the kernel. The race condition between bpf_selem_unlink_nofail() - which nulls smap before removing the element from the hlist - and concurrent RCU readers in bpf_sk_storage_clone() and bpf_sk_storage_diag_put_all() can be triggered during TCP SYN handling (socket cloning path), producing a kernel panic. No public exploit identified at time of analysis; EPSS of 0.14% (4th percentile) confirms negligible observed exploitation probability.
Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). There is no public exploit identified at time of analysis and EPSS is low (0.16%), indicating no observed weaponization.
NULL pointer dereference in the Linux kernel VRF (Virtual Routing and Forwarding) subsystem allows a local low-privileged user to crash the kernel via a race condition between RCU readers and VRF port removal operations, resulting in a complete denial of service on affected systems. Systems using VRF network segmentation are at risk specifically when VRF port membership is dynamically modified concurrent with socket bind() operations. EPSS is 0.16% (6th percentile) and the vulnerability is not listed in CISA KEV; no public exploit code has been identified, but patched kernel versions are available across all active stable branches.
Denial of service in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh routing subsystem allows a crash via NULL pointer dereference in the Distributed ARP Table (DAT) forwarding path. The function batadv_dat_forward_data() fails to check the return value of pskb_copy_for_clone() before passing the cloned skb to batadv_send_skb_prepare_unicast_4addr(), so a failed allocation while forwarding to a DHT candidate triggers a kernel oops. Affects systems running batman-adv mesh networking; this is a memory-pressure-dependent crash with no public exploit identified at time of analysis (EPSS 0.17%, 6th percentile), and it is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's batman-adv OGMv2 subsystem allows a local low-privilege user to crash the kernel by racing interface teardown against OGM dispatch. When a batman-adv hard interface is disabled and its mesh_iface pointer is set to NULL, the batadv_v_ogm_queue_on_if() function continues to call netdev_priv() on that NULL pointer, triggering a kernel panic. No public exploit exists and EPSS is 0.18% (7th percentile), making this low operational priority except on systems actively running batman-adv mesh networking.
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Denial of service in the IBM WebSphere WebServer Plug-in component affects IBM i 7.3 through 7.6, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty via a NULL pointer dereference (CWE-476) triggered by crafted HTTP requests. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote unauthenticated exploitation, though high attack complexity limits opportunistic mass exploitation. Impact is limited to availability - no confidentiality or integrity compromise - and no public exploit or CISA KEV listing has been identified at time of analysis.
Denial of service in NI grpc-device 2.17.0 and prior allows remote unauthenticated attackers to crash the data moniker service by submitting an unknown value that triggers a NULL pointer dereference. The flaw also impacts deployments embedding the server via NI InstrumentStudio. No public exploit is identified at time of analysis, though the CVSS 4.0 base score of 8.7 reflects high availability impact reachable over the network without privileges.
NULL pointer dereference in pam_usb 0.9.1 and below crashes PAM-integrated authentication services (sudo, login) when loginctl returns an empty Remote field during session locality checks. The crash terminates the PAM module with SIGSEGV, and depending on PAM stack control flags (required vs. optional), can deny authentication to all users of the affected service - a local denial of service with potentially severe impact on system accessibility. No active exploitation confirmed (not in CISA KEV); vendor-released patch available in version 0.9.2, which also addresses 11 additional security findings discovered during an ongoing audit.
Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggering HPACK dynamic table insertions under memory pressure. The flaw lives in hpack_dht_insert() in src/hpack-tbl.c, where the return value of hpack_dht_defrag() is not validated; when the memory pool is exhausted defrag returns NULL and the subsequent dereference crashes the worker. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
NULL pointer dereference in Autodesk Revit's 'Convert RFA to FormIt' feature causes the application to crash when processing a specially crafted RFA file, resulting in a denial-of-service condition. All tracked versions of Autodesk Revit are affected per CPE data, with the attack requiring local file access and deliberate user interaction to trigger the vulnerable conversion workflow. No public exploit code and no CISA KEV listing exist at time of analysis; a vendor-released patch is available through Autodesk Access.
Remote denial of service in Android (Pixel) RTP stack arises from a missing null check in checkSsrcCollisionOnRcv within RtpSession.cpp, allowing unauthenticated attackers to crash the affected media component over the network. The flaw carries CVSS 7.5 with availability-only impact, and at the time of analysis there is no public exploit identified and the EPSS exploitation probability is very low (0.14%, 4th percentile).
NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when processing a specially crafted MP4 file, delivering a denial of service against any user or automated pipeline invoking the tool. The flaw is isolated to the TrackWriter handling component in filters/mux_isom.c, triggered by malformed MP4 input that causes an unvalidated pointer dereference. No public exploit code has been identified and this CVE does not appear in CISA KEV; SSVC rates exploitation status as none with no automation potential, consistent with a limited, file-delivery-dependent attack surface.
NULL pointer dereference in dhcpcd 10.3.0 allows an unauthenticated attacker on the same network segment to crash the DHCP client daemon by sending a crafted packet with unexpected or invalid option tokens. The fault occurs in parse_option() at src/if-options.c:1886, where a NULL return from option lookup is immediately dereferenced as a 'struct dhcp_opt' member without a null check, causing a runtime abort. No public exploit or CISA KEV listing exists, and EPSS sits at the 4th percentile, indicating low but real crash-level risk for any host running this specific dhcpcd version on a shared or adversarially accessible network segment.
NULL pointer dereference in GPAC's MP4Box media tool crashes the process when importing a crafted MP4 file containing an unknown svcC box nested inside an av01 parent box. The unsupported-box handling path in the ISOBMFF parser leaves the sample entry pointer uninitialized; Track_SetStreamDescriptor() at isomedia/track.c:1677 subsequently dereferences this invalid pointer during bitrate update processing without validation, producing a SEGV. No active exploitation has been confirmed (not in CISA KEV), but a public proof-of-concept MP4 file is available at the reporter's GitHub repository, and the CVSS-assigned severity is 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the application by supplying a crafted MP4 file with corrupted Elementary Stream Descriptor (ESD) data. The function `gf_media_map_esd()` in `media_tools/isom_tools.c` at line 1359 calls `strlen()` on `esd->URLString` without verifying the pointer is non-NULL, triggering a SEGV when the ESD contains a missing or corrupted URLString field. A public proof-of-concept MP4 file exists; no active exploitation has been confirmed (not in CISA KEV). EPSS data is not available in the provided intelligence.
NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata with an invalid sai_samples count. The function gf_isom_copy_sample_info() in isomedia/isom_write.c:8164 fails to validate pointers after SAI merge handling fails, resulting in a SEGV read at address 0x0 and an application crash. A publicly available proof-of-concept MP4 file exists on GitHub; however, this CVE is not in CISA KEV, and exploitation is constrained to a denial-of-service (process crash) with no code execution or data exposure demonstrated.
Null pointer dereference in the Avira Antivirus scanning engine crashes the antivirus process when it parses a specially crafted malformed Windows PE file. All platform deployments - Windows, macOS, and Linux - running engine builds prior to 8.3.70.64 are affected, making this a cross-platform availability risk. No public exploit identified at time of analysis and no CISA KEV listing; however, the ease of crafting a malformed PE file as a trigger lowers the practical barrier for targeted disruption of endpoint protection.
Null pointer dereference in ImageMagick's distort operation crashes the processing process when an attacker supplies malformed distort arguments via a crafted image. Affected are all ImageMagick 6.x versions prior to 6.9.13-50 and all 7.x versions prior to 7.1.2-25. An unauthenticated remote attacker who can cause a target application to process a specially crafted image can trigger a DoS; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Nil-pointer dereference in Incus daemon (incusd) versions before 7.1.0 allows any authenticated API user holding the standard can_create permission on any project to crash the entire incusd process by uploading a crafted backup tarball, causing denial of service across all projects on the affected cluster member. The vulnerable path in internal/server/storage/backend.go:795 dereferences Config.Volume without a nil guard while adjacent fields received nil-checks in sibling patches (GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, GHSA-x5r6-jr56-89pv) released 2026-05-04. Publicly available exploit code exists in the form of a self-contained Go unit test and 2560-byte tarball builder included with the disclosure; no CISA KEV listing at time of analysis.
NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems enables a remote, administrator-authenticated attacker to trigger a denial-of-service condition. Exploitation requires the attacker to first hold or acquire an administrator account on the target device, after which a crafted request can crash system services. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a denial-of-service condition. Exploitation requires prior acquisition of a valid user account on the target QNAP NAS device, after which the attacker can trigger the dereference remotely over the network. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
NULL pointer dereference in QNAP QTS and QuTS hero NAS operating systems allows remote unauthenticated attackers to crash a network-facing service and cause a denial-of-service condition without any authentication or user interaction. Multiple active OS branches are affected - QTS 5.2.x and QuTS hero h5.2.x through h6.0.x - across a device population that is historically internet-exposed and frequently targeted. No public exploit has been identified and this vulnerability is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface makes DoS attempts trivially repeatable against unpatched devices.
NULL pointer dereference in QNAP QuTS hero NAS operating system allows a remote attacker who has already obtained or possesses an administrator account to trigger a denial-of-service condition, crashing affected services. Affected branches span QuTS hero h5.2.x, h5.3.x, and h6.0.x series, with vendor-released patches available as of early-to-mid 2026. No public exploit code or CISA KEV listing has been identified at time of analysis, and the mandatory prerequisite of high-privilege authentication substantially constrains real-world impact.
Remote denial-of-service in Espressif ESP-IDF's esp_http_server WebSocket handshake allows unauthenticated attackers to crash IoT devices by sending a malformed Sec-WebSocket-Protocol header. The flaw (CWE-476 NULL-pointer dereference) is triggered pre-authentication during subprotocol negotiation and affects ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0; no public exploit identified at time of analysis, though upstream commits disclose the exact vulnerable code path.
Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial query backed by a 2dsphere index where the indexed field holds a GeoJSON GeometryCollection containing a Polygon defined with a strict-winding CRS. The flaw is a CWE-476 null pointer dereference reached because the rejection guard for unsupported strict-winding polygons does not recurse into GeometryCollection members. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the server process by issuing a specially crafted aggregation followed by a getMore command on the same cursor, triggering a null pointer dereference in the aggregation stage's _subPipeline field. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a credible availability threat for multi-tenant or shared MongoDB deployments.
NULL Pointer Dereference in Adobe InDesign Desktop versions 21.3 and 20.5.3 and earlier allows a local attacker to crash the application by delivering a crafted document file that a victim must open, resulting in a denial-of-service condition with no confidentiality or integrity impact. Exploitation is constrained by mandatory user interaction (UI:R) and a local attack vector (AV:L), significantly limiting real-world risk beyond targeted social-engineering scenarios involving design professionals. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog.
NULL Pointer Dereference in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier enables a denial-of-service condition by crashing the application when a victim opens a specially crafted malicious file. The vulnerability carries no confidentiality or integrity impact - availability is the sole affected component. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, limiting its urgency relative to higher-severity Adobe vulnerabilities.
Null pointer dereference in Windows Kerberos enables an authenticated network attacker to crash the Kerberos service, causing denial of service. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation is achievable over the network by any low-privilege authenticated user with no user interaction required, resulting in high availability impact (A:H) with no confidentiality or integrity consequences. No active exploitation confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.
Denial of service in OpenSSL 3.6.0-3.6.2 and 4.0.0 allows remote attackers to crash applications by triggering a NULL pointer dereference during certificate verification when OCSP checking is enabled. The flaw is patched in OpenSSL 4.0.1 (and 3.6.3) per the vendor's 2026-06-09 security advisory; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
NULL pointer dereference in OpenSSL's CRMF EncryptedValue decryption path crashes the affected process, creating a remotely triggerable denial-of-service condition across five actively maintained OpenSSL branches (3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.x). The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, score 5.9) confirms network reachability with no authentication required, but high attack complexity limits trivial mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the broad version coverage and OpenSSL's ubiquitous deployment make patching a priority for any infrastructure using certificate management protocols.
Denial of service in OpenSSL 3.5.x, 3.6.x, and 4.0.0 stems from a NULL pointer dereference triggered during QUIC server initial packet handling, allowing remote unauthenticated attackers to crash affected servers by sending crafted QUIC traffic. The flaw was disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside multiple other CVEs; no public exploit identified at time of analysis and no CISA KEV listing. Patched versions are available from the upstream project and downstream distributions including Ubuntu (USN-8414-1).
Null pointer dereference in OpenSSL's password-based CMS decryption path enables remote denial of service against applications that process CMS EnvelopedData with password-based key derivation. The flaw affects a wide range of OpenSSL branches spanning 1.0.2 through 4.0.0, making the exposure surface unusually broad across long-term support and current releases. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS score of 5.9 (Medium) reflects the high attack complexity required to trigger the condition.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a malicious MP4 file that triggers a NULL pointer dereference in the VVC (Versatile Video Coding) configuration writer. The flaw resides in gf_odf_vvc_cfg_write_bs within odf/descriptors.c and requires no authentication or user privileges beyond convincing the target to process the crafted file. No public exploit identified at time of analysis, and SSVC indicates exploitation has not been observed despite the issue being automatable.
NULL pointer dereference in GPAC MP4Box v2.4 allows unauthenticated remote attackers to crash the application by delivering a crafted MP4 file that a user opens. The vulnerable function ctts_box_write in isomedia/box_code_base.c fails to validate a pointer before dereferencing it when processing a malformed Composition Time to Sample (ctts) box, resulting in a denial-of-service condition. No public exploit code or active exploitation has been identified; SSVC rates exploitation status as none, though delivery is rated automatable.
NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when parsing a maliciously crafted MP4 file, enabling a Denial of Service against any user or pipeline that processes untrusted media with this tool. The flaw resides in gf_isom_get_user_data_count within isomedia/isom_read.c, where an unvalidated pointer is dereferenced during user-data atom counting. Publicly available exploit code exists as a crafted MP4 PoC, though no public exploit identified at time of analysis in CISA KEV and EPSS sits at the 5th percentile, suggesting minimal observed exploitation activity.
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in `ipu6_pci_probe()` at `drivers/media/pci/intel/ipu6/ipu6.c:690`, where `isp->psys` holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
NULL pointer dereference in the Linux kernel's Renesas VSP1 media driver crashes the kernel during module unload on Generation 4 Renesas SoC hardware. The defect exists because the cleanup path unconditionally invokes vsp1_drm_cleanup() rather than vsp1_vspx_cleanup() for gen 4 IP versions, while the initialization path correctly checks the IP version - an asymmetry introduced when gen 4 support was added. With an EPSS of 0.02% (4th percentile), no KEV listing, and no public exploit code, real-world exploitation risk is very low and confined to niche embedded and automotive platforms; vendor-released patches are available in stable kernel branches.
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, `hugetlb_add_param()` in `mm/hugetlb` dereferences a NULL pointer via `strlen()` when `hugepages`, `hugepagesz`, or `default_hugepagesz` kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
NULL pointer dereference in the Linux kernel's drm/imagination (PowerVR GPU) driver crashes the kernel when a local user writes to the ftrace mask debugfs entry. Affected kernels range from the introduction of the drm/imagination driver at commit a331631496a0af9a6f4e7e1860983afd8b1bb013 through Linux 7.0, with fixes landed in 7.0.4 and 7.1-rc2. An attacker with local access and write permission to the debugfs interface can trigger a kernel Oops, resulting in a full system crash and denial of service. No public exploit exists and EPSS is 0.02%, consistent with the narrow hardware scope (Imagination Technologies PowerVR GPUs) and local-only attack surface.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
NULL pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when a local user processes a crafted media file, resulting in Denial of Service. The flaw exists in gf_filter_pid_resolve_file_template_ex (filter_pid.c), where prop_val->value.string is passed to strncmp without a prior null check - confirmed by upstream commit diff. Publicly available exploit code exists, but SSVC signals no active exploitation and non-automatable attack conditions; no CISA KEV listing is present.
Local denial of service in NI's NI-PAL kernel driver (versions 26.3.0 and prior on Windows and Linux) allows an authenticated local user to crash the host system by sending malformed input that triggers a NULL pointer dereference in kernel space. No public exploit identified at time of analysis, but the kernel-level impact means a successful trigger takes down the entire host, not just the driver process. The issue is vendor-disclosed by NI with an advisory published on ni.com.
Null pointer dereference in whisper.cpp up to version 1.8.2 allows a local authenticated attacker to crash the application via a crafted input during model loading. The vulnerable code path is the whisper_model_load function within ggml/src/ggml.c, resulting in a limited availability impact (application denial of service) with no confidentiality or integrity consequences. A proof-of-concept exploit is publicly available via a GitHub issue report; however, no vendor patch has been released and the project has not yet responded to the disclosure.
Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged local access to corrupt memory during secure data initialization, leading to high impact on confidentiality, integrity, and availability. The flaw is traceable to a NULL pointer dereference (CWE-476) reachable when heap memory is exhausted, and is addressed in the Qualcomm June 2026 security bulletin. No public exploit identified at time of analysis, and EPSS data was not provided.
Local memory corruption in Qualcomm Snapdragon platforms (CVE-2025-59604) allows a low-privileged local attacker to trigger invalid memory writes via a null pointer condition during a memory copy operation, resulting in high confidentiality, integrity, and availability impact (CVSS 7.8). The flaw is disclosed in the Qualcomm June 2026 security bulletin with no public exploit identified at time of analysis and no CISA KEV listing. While CWE-476 (null pointer dereference) typically yields denial of service, the vendor's CIA:H scoring indicates the invalid writes may be steerable into broader corruption beyond a simple crash.
Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.
Null pointer dereference in ThorVG's SVG loader crashes any process that passes untrusted SVG content through Picture::load(), enabling remote denial-of-service with a trivial 6-byte payload. All ThorVG releases prior to 1.0.5 are affected (CPE: cpe:2.3:a:thorvg:thorvg:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis and no CISA KEV listing, but the fix-confirming PR diff (PR #4387) exposes the exact null-check omissions, substantially lowering the bar for independent exploit development.
Null pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when parsing crafted MP4 files, resulting in a Denial of Service. The vulnerable function gf_media_get_color_info in src/media_tools/isom_tools.c fails to validate pointers to AVC (avcc) and HEVC (hvcc) configuration boxes before dereferencing them, causing a segmentation fault when a malformed file omits these structures. No public exploit is confirmed as actively exploited (not in CISA KEV), but publicly available exploit code exists and the attack requires only that a user open a crafted file.
Segmentation violation in GPAC MP4Box before version 26.02.0 crashes the application when processing crafted MP4 files, enabling denial of service against any user or pipeline invoking the tool on attacker-supplied input. The root cause is a null pointer dereference (CWE-476) in gf_isom_apple_set_tag_ex within isom_write.c, where custom iTunes-style tag pointers are dereferenced without prior null validation. A publicly available proof-of-concept exploit exists, though no public exploit identified at time of analysis correlates to confirmed active exploitation - the local attack vector (AV:L/UI:R) limits exposure primarily to media processing workflows that ingest untrusted MP4 files.
NULL pointer dereference in MP4Box's AC4 audio parser crashes the process when parsing a maliciously crafted AC4 file, enabling a local Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0, with the root cause in gf_ac4_pres_b_4_back_channels_present() and related AC4 presentation parsing routines in av_parsers.c. A publicly available proof-of-concept exists, though no public exploit confirmed active exploitation is in CISA KEV at time of analysis.
NULL pointer dereference in GPAC MP4Box's AC4 audio DSI parser crashes the application when processing a crafted AC4 file, resulting in denial of service. All GPAC MP4Box versions before 26.02.0 are affected; the CVSS vector (AV:L/UI:R) confirms exploitation requires a victim to locally open a malicious file. A publicly available proof-of-concept exploit exists at a referenced GitHub repository, though no public exploit identified at time of analysis has been confirmed as actively exploited in the wild (not listed in CISA KEV).
Denial of service in lwext4 1.0.0 allows remote attackers to crash applications by supplying a malformed EXT4 filesystem image that triggers a NULL pointer dereference in ext4_dir_en_get_name_len during directory iteration. The flaw affects the 2016-era lwext4 codebase commonly embedded in IoT, bootloaders, and forensic tools that mount untrusted EXT4 images. Publicly available exploit code exists, though EPSS rates real-world exploitation probability as very low (0.02%, 4th percentile).
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated network attackers to crash the iApp process by sending an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node, triggering either a SIGABRT (Debug builds via assert) or SIGSEGV (Release builds via NULL pointer dereference) on TCP port 36422. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and trivial trigger conditions make this a meaningful availability risk for any exposed FlexRIC RAN Intelligent Controller deployment.
Remote denial-of-service in FlexRIC v2.0.0 near-RT RIC allows unauthenticated attackers to crash the controller process by sending a RIC_INDICATION message containing an unregistered ran_func_id, which causes the registry lookup to return NULL and trigger either an assertion failure (SIGABRT in Debug builds) or a NULL pointer dereference (SIGSEGV in Release builds). The flaw is reachable over the network on port 36421 with no authentication or user interaction, though EPSS remains low at 0.04% and there is no public exploit identified at time of analysis. KEV does not list this issue.
Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local low-privileged attacker to crash any application that processes attacker-supplied 3D model files via the library. The flaw resides in the `ImportAnimations()` function, where `glTF2::LazyDict::operator[]` is invoked with animation channel node indices that are never validated for validity before dereferencing, producing a CWE-476 null pointer dereference and denial-of-service. A public proof-of-concept exploit (poc.zip) has been disclosed and an upstream patch commit is available, though no active exploitation is confirmed by CISA KEV.
Null pointer dereference in Assimp's glTF mesh importer (versions up to and including 6.0.4) allows a locally authenticated attacker with low privileges to crash any application that uses the library to process a crafted 3D model file. The flaw resides specifically in the Assimp::glTFImporter::ImportMeshes function within glTFImporter.cpp, meaning only applications that invoke the glTF import pipeline are exposed. A publicly available proof-of-concept exploit (poc.zip) has been released, though no active exploitation has been confirmed and the CVSS score of 3.3 (Low) reflects the constrained local-only, availability-only impact.
Null pointer dereference in NanoMQ MQTT Broker 0.24.8 and earlier causes a denial-of-service condition via the QUIC transport layer. The function quic_stream_recv fails to return after completing an asynchronous I/O operation with an error when a substream is in reopen state, proceeding to lock c->mtx against a null substream pointer. An unauthenticated remote attacker can crash the broker process, disrupting edge messaging services. No public exploit identified at time of analysis beyond proof-of-concept code reflected in the CVSS 4.0 E:P metric; not listed in CISA KEV.
Denial of service in cpp-httplib (C++ header-only HTTP/HTTPS library) versions prior to 0.44.0 allows remote unauthenticated attackers to crash server processes by sending an HTTP request with a malformed X-Forwarded-For header. The flaw is reachable only when the application has configured a non-empty trusted-proxy list via Server::set_trusted_proxies(). CVSS 4.0 scores this 8.7 (high) due to network reachability and high availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.
Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.
NULL pointer dereference in the Linux kernel's batman-adv Bridge Loop Avoidance (BLA) subsystem enables local denial of service via kernel panic. The race condition exists in batadv_bla_purge_claims(), which traverses the claim hash list under rcu_read_lock() without accounting for concurrent claim releases - when batadv_claim_release() NULLs the backbone_gw pointer mid-traversal, a subsequent call to batadv_bla_claim_get_backbone_gw() on the partially-freed claim triggers a NULL dereference. Exploitation requires local low-privilege access on systems actively running batman-adv with BLA enabled; no active exploitation is confirmed and EPSS stands at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.
Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function `intel_hdcp_gsc_check_status()` evaluates `>->uc.gsc` without first verifying that `media_gt` is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.
NULL pointer dereference and silent error suppression in the Linux kernel's Qualcomm MSM DRM/GEM subsystem allows a low-privileged local user to crash the kernel (denial of service) via a crafted GEM_INFO ioctl call. The msm_ioctl_gem_info_get_metadata() function unconditionally returns 0 on error and fails to check kmemdup() for a NULL return, enabling a dereference in the subsequent copy_to_user() call. No public exploit has been identified at time of analysis and EPSS is 0.02% (5th percentile), reflecting minimal real-world exploitation pressure despite the confirmed availability of upstream patch commits.
Memory corruption in the Linux kernel SMB client (cifs) allows a malicious SMB server to trigger out-of-bounds reads and potential dereferences in the DACL parsing path on 32-bit builds. The flaw resides in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl(), where a server-supplied dacloffset value near U32_MAX can wrap around and bypass pointer-based bounds checks during chmod/chown operations against SMB shares. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but the issue is a confirmed kernel bug with upstream fixes already merged.
NULL pointer dereference in the Linux kernel's octeon_ep_vf driver crashes the kernel when napi_build_skb() fails during memory allocation in the receive path. Systems running kernels from the introduction of the octeon_ep_vf driver (commit 1cd3b407977c) through multiple stable branches are affected where Marvell Octeon EP VF network adapters are in use. A local, low-privileged attacker who can induce memory pressure while network traffic flows through an Octeon EP VF interface can trigger a kernel panic, resulting in full system unavailability. No public exploit code exists, EPSS is 0.02% (5th percentile), and this vulnerability has not been added to CISA KEV.
NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.
Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.
Remote information disclosure in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows unauthenticated network attackers to leak adjacent kernel skb head-buffer memory by sending zero-length ATOMIC_WRITE RDMA packets. The flaw, tracked as CVE-2026-46114 and affecting kernels from 6.2 onward, lets a remote initiator extract 4 bytes of kernel tailroom per probe - including kernel strings and partial direct-map pointer words - into an attacker-controlled memory region. No public exploit identified at time of analysis and EPSS is low (0.05%, 17th percentile), but the vendor (kernel.org) has released stable patches across multiple branches.
Denial of service in the Linux kernel's stmmac Ethernet driver allows remote attackers to trigger a NULL pointer dereference and kernel panic on systems using STMicroelectronics MAC network controllers under sustained memory pressure. The flaw stems from incomplete handling of the DMA RX descriptor ring lifecycle, where stmmac_rx() cannot distinguish 'full' from 'dirty' descriptors when stmmac_rx_refill() fails to allocate replacement buffers. EPSS rates exploitation probability at only 0.02% (5th percentile), and no public exploit identified at time of analysis.
NULL pointer dereference in pam_usb prior to 0.8.7 allows a physically present attacker to crash the PAM authentication stack by inserting a USB device whose serial, vendor, or model metadata fields are absent. The module in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks, despite the GIO/UDisks2 API explicitly documenting that these accessors can return NULL for devices not exposing those fields. The result is undefined behavior - typically a SIGSEGV - that terminates the authentication process. No public exploit has been identified at time of analysis and no active exploitation is confirmed.
pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP request whose URL path begins with /status or /sysinfo. The server tries to load WOSHttpStatusModule.dll to service those paths and calls WOSBin_LoadHttpModule, but that DLL ships missing from the installation, so the resolved function pointer is NULL and the code invokes a function at address 0, terminating the process (CWE-476). The flaw was discovered and reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and it is not on the CISA KEV list, with availability-only impact (CVSS 7.5).
Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering a NULL pointer dereference. The function WOSSysInfoGetDeviceInterface() in WOSCommonUtil.dll returns NULL whenever no user is logged into the Server Agent Management Console, and callers such as WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that pointer without checking it, causing a process crash. There is no public exploit identified at time of analysis and the issue affects only availability (CVSS 7.5).