Null Pointer Dereference
Monthly
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind, which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this structure needs to be stored inside the driver data before invoking it. As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the mode_config.idr_mutex, blocking all subsequent DRM operations. Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g): Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 [...] Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib drm_dma_helper drm_kms_helper panel_simple [...] Call trace: drm_mode_object_add+0x58/0x98 (P) __drm_encoder_init+0x48/0x140 drm_encoder_init+0x6c/0xa0 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper] mtk_dsi_bind+0x34/0x13c [mediatek_drm] component_bind_all+0x120/0x280 mtk_drm_bind+0x284/0x67c [mediatek_drm] try_to_bring_up_aggregate_device+0x23c/0x320 __component_add+0xa4/0x198 component_add+0x14/0x20 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm] mipi_dsi_attach+0x2c/0x50 panel_simple_dsi_probe+0x4c/0x9c [panel_simple] mipi_dsi_drv_probe+0x1c/0x28 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __device_attach_driver+0xbc/0x17c bus_for_each_drv+0x88/0xf0 __device_attach+0x9c/0x1cc device_initial_probe+0x54/0x60 bus_probe_device+0x34/0xa0 device_add+0x5b0/0x800 mipi_dsi_device_register_full+0xdc/0x16c mipi_dsi_host_register+0xc4/0x17c mtk_dsi_probe+0x10c/0x260 [mediatek_drm] platform_probe+0x5c/0xa4 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1f8 bus_for_each_dev+0x7c/0xe0 driver_attach+0x24/0x30 bus_add_driver+0x11c/0x240 driver_register+0x68/0x130 __platform_register_drivers+0x64/0x160 mtk_drm_init+0x24/0x1000 [mediatek_drm] do_one_initcall+0x60/0x1d0 do_init_module+0x54/0x240 load_module+0x1838/0x1dc0 init_module_from_file+0xd8/0xf0 __arm64_sys_finit_module+0x1b4/0x428 invoke_syscall.constprop.0+0x48/0xc8 do_el0_svc+0x3c/0xb8 el0_svc+0x34/0xe8 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix missing NULL checks for kstrdup() 1. Replace "of_find_node_by_path("/")" with "of_root" to avoid multiple calls to "of_node_put()". 2. Fix a potential kernel oops during early boot when memory allocation fails while parsing CPU model from device tree.
In the Linux kernel, the following vulnerability has been resolved: i2c: cp2615: fix serial string NULL-deref at probe The cp2615 driver uses the USB device serial string as the i2c adapter name but does not make sure that the string exists. Verify that the device has a serial number before accessing it to avoid triggering a NULL-pointer dereference (e.g. with malicious devices).
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL deref in bond_debug_rlb_hash_show rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visites client_info->slave without checking if it's NULL. Other used-list iterators in bond_alb.c already handle this NULL-slave state safely: - rlb_update_client returns early on !client_info->slave - rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance compare slave values before visiting - lb_req_update_subnet_clients continues if slave is NULL The following NULL deref crash can be trigger in bond_debug_rlb_hash_show: [ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) [ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 [ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 [ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 [ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 [ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 [ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 [ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 [ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 [ 1.295897] Call Trace: [ 1.296134] seq_read_iter (fs/seq_file.c:231) [ 1.296341] seq_read (fs/seq_file.c:164) [ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) [ 1.296658] vfs_read (fs/read_write.c:572) [ 1.296981] ksys_read (fs/read_write.c:717) [ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Add a NULL check and print "(none)" for entries with no assigned slave.
A NULL pointer dereference in the Linux kernel ARM SCMI firmware driver allows local authenticated users to trigger a denial of service by causing the system to crash. The vulnerability exists in the __scmi_event_handler_get_ops helper function, which can return NULL instead of the expected ERR_PTR on failure, causing downstream code to dereference a NULL pointer when handling unsupported SCMI events. The flaw was introduced in commit b5daf93b809d1 and affects multiple stable kernel versions; patches are available in Linux 6.18.20, 6.19.10, and 7.0.
A null pointer dereference in the i915 GPU driver's graphics translation table (GT) submission logic causes kernel panic and denial of service when the i915 firmware binaries are absent and the system attempts to suspend. Local authenticated attackers with normal user privileges can trigger this crash by initiating system suspend on affected Intel graphics systems without required firmware, resulting in denial of service. No public exploit code identified at time of analysis; EPSS score of 0.02% indicates low exploitation probability in practice.
A denial-of-service vulnerability in the Linux kernel's Btrfs filesystem implementation allows local authenticated attackers to cause filesystem corruption and crashes through a race condition during subvolume creation and lookup. When a newly created Btrfs subvolume's dentry cache is dropped before the BTRFS_ROOT_ORPHAN_CLEANUP flag is set, concurrent orphan cleanup operations can fail with ENOENT, creating negative dentries that prevent subvolume deletion and cause filesystem aborts. EPSS score of 0.02% indicates this is a low-probability exploitation scenario requiring specific timing and configuration conditions, though the impact is severe for affected systems. No public exploit code is identified at time of analysis.
Denial of service in Linux kernel af_key module allows local authenticated attackers to crash the system via buffer overflow in pfkey_send_migrate() function. The vulnerability occurs because pfkey_send_migrate() fails to validate address family parameters before passing them to set_ipsecrequest(), causing truncation that overfills the socket buffer and triggers kernel panic in skb_put(). EPSS score of 0.02% indicates minimal real-world exploitation risk despite moderate CVSS severity.
Null pointer dereference in the Linux kernel Bluetooth L2CAP implementation allows local authenticated attackers to cause a kernel panic and denial of service via the l2cap_sock_ready_cb function during L2CAP connection initialization. The vulnerability occurs when a socket pointer is dereferenced without null validation, triggering a KASAN null-ptr-deref exception that crashes the kernel. EPSS score of 0.02% indicates low real-world exploitation probability despite the moderate CVSS score; no public exploit code or active KEV listing has been identified at time of analysis.
Kernel panic via null pointer dereference in the tracing subsystem occurs when boot-time trigger registration fails and kthread creation does not succeed, allowing deferred trigger frees to accumulate indefinitely and crash the system. Local authenticated attackers can trigger this by specifying malformed trace event parameters on the kernel command line, resulting in denial of service. EPSS exploitation probability is 0.02% (very low) despite moderate CVSS score, suggesting this requires specific boot-time configuration and local access.
Memory exhaustion and kernel crash in Linux kernel's ksmbd SMB server allows remote unauthenticated denial of service via crafted lock requests. The smb2_lock() function contains three critical error-handling defects: memory leaks when vfs_lock_file() returns unexpected errors, stale error propagation in UNLOCK operations, and NULL pointer dereference during rollback when smb_flock_init() allocation fails. CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication. EPSS score of 0.02% (7th percentile) suggests minimal observed scanning activity, and no KEV listing confirms no widespread exploitation detected. However, the network attack vector (AV:N) and high availability impact (A:H) make this a realistic DoS risk for systems running ksmbd. Vendor patches available across stable kernel series 5.15-6.19.
Denial of service via null pointer dereference in Linux kernel DAMON sysfs module allows local privileged users to crash the system by setting nr_contexts to zero while DAMON is running, then issuing state-change commands that dereference an empty contexts array without bounds checking. EPSS exploitation probability is minimal at 0.02%, reflecting the requirement for local privileged access and active DAMON configuration.
Null pointer dereference in Linux kernel DAMON sysfs interface allows local authenticated users to cause denial of service by setting nr_contexts to zero while DAMON is running, triggering dereference of uninitialized context array pointers in damon_sysfs_repeat_call_fn(). The vulnerability requires local access and low-level privileges (non-root user with sysfs write access), with an EPSS exploitation probability of 0.02% indicating low real-world attack likelihood despite the straightforward trigger mechanism.
Use-after-free in Linux kernel's XFS filesystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or information disclosure. The vulnerability occurs in the XFS Active Item List (AIL) push mechanism where log items can be freed by background reclaim processes while still being dereferenced by tracepoints. Vendor patches are available for kernel versions 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Race condition in Linux kernel ext4 filesystem allows denial of service through kernel panic when fast commit feature processes incompletely initialized journal inodes. Affects Linux kernel versions from 3.11 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) prior to patched versions released in early 2025. Vendor patches available across all affected stable branches. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit code identified at time of analysis. CVSS 8.8 reflects authenticated network attack vector, though real-world risk limited to systems where attackers have filesystem write access and ext4 fast commit is enabled.
Null pointer dereference in Linux kernel DAMON subsystem allows local authenticated attackers to cause denial of service when memory allocation failures occur during online parameter updates. The vulnerability affects DAMON's context commit mechanism (damon_commit_ctx), which can partially corrupt kernel state if internal memory allocation fails, potentially leading to NULL pointer dereference in damos_commit_dests(). While real-world impact is rare due to the low probability of allocation failure, the severe consequence of kernel panic necessitates this fix.
Kernel panic in the Linux netfs subsystem's netfs_limit_iter() function crashes systems when a process writes a core dump to a 9P-mounted filesystem. The function handles only ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY iterator types, triggering a hard BUG() when __kernel_write() supplies an ITER_KVEC iterator via netfs_unbuffered_write(), producing a local denial of service via kernel panic. No public exploit code exists and no active exploitation has been identified; this is a no public exploit identified at time of analysis scenario with EPSS at 0.02% (5th percentile), indicating minimal widespread exploitation interest.
NULL pointer dereference in the Linux kernel's netfs subsystem crashes the kernel when retrying unbuffered writes on filesystems that omit the prepare_write stream operation, such as 9P. A local low-privilege user who can write to such a mounted filesystem and induce a get_user_pages() -EFAULT failure can trigger a kernel panic, causing a denial of service. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible observed exploitation probability; the vulnerability is not listed in CISA KEV.
Use-after-free and descriptor management error in Linux kernel's Intel IDXD DMA engine driver allows NULL pointer dereferences, double completion, or descriptor leaks. The llist_abort_desc() function completes the wrong descriptor object due to a loop cursor bug introduced in commit aa8d18becc0c. Patches released for kernel 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no active exploitation or public exploit code identified. Despite CVSS 9.8 critical rating with network vector, the actual attack surface requires local access to DMA engine subsystems, making the CVSS vector likely inaccurate or context-dependent.
Denial of service in PowerDNS Recursor via null pointer dereference in the zoneToCache function when processing zone data from a malicious authoritative server. Affects Recursor 5.2.0 through 5.4.0 and requires high privileges and non-standard network conditions to exploit, resulting in service availability impact but not data compromise. Patch available from vendor.
Null pointer dereference in PowerDNS Recursor allows remote attackers to trigger a denial of service by sending crafted DNS replies that bypass a missing consistency check. The vulnerability affects Recursor versions 5.2.0 through 5.2.8, 5.3.0 through 5.3.5, and 5.4.0, with CVSS 5.9 reflecting high availability impact but requiring special network conditions (AC:H). No public exploit code identified at time of analysis.
Denial of service in PowerDNS Recursor occurs when processing a malicious Response Policy Zone (RPZ) from an authoritative server, triggering a null pointer dereference due to missing validation logic. Versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 are affected. An authenticated remote attacker controlling an authoritative nameserver can crash the Recursor service by sending a specially crafted RPZ response, requiring high privilege level (PR:H) and complex attack conditions (AC:H) as mitigating factors.
The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.
Denial of service via null pointer dereference in Firefox's Audio/Video Playback component allows remote attackers to crash the browser without user interaction. The vulnerability affects Firefox versions prior to 150 and requires only a network connection to trigger, resulting in availability loss but not code execution or data compromise. No active exploitation has been confirmed at time of analysis.
Null pointer dereference in Firebird SQL server causes remote denial-of-service when unauthenticated attackers send malformed op_crypt_key_callback packets. Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 are affected. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitation requiring no authentication or user interaction, allowing attackers who know only the server's IP and port to crash database services. The integrity impact rating (I:L) suggests potential for limited data corruption alongside the high availability impact. Vendor-released patches are available in versions 5.0.4, 4.0.7, and 3.0.14. No public exploit code or CISA KEV listing identified at time of analysis, though the low attack complexity makes weaponization straightforward.
Remote unauthenticated denial of service in Firebird SQL database server versions prior to 6.0.0/5.0.4/4.0.7/3.0.14 allows attackers to crash the database by sending a malformed op_slice network packet that triggers a null pointer dereference in the SDL_info() function. Attack requires only network access to the database port with no authentication (CVSS AV:N/AC:L/PR:N). No public exploit code identified at time of analysis, and EPSS data not available for this recent CVE. Fixed versions released by vendor across all maintained branches.
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Null pointer dereference in Windows Redirected Drive Buffering denies service to local authenticated users on Windows 11 version 26H1 (build 10.0.28000.0-10.0.28000.1835). An authorized attacker with local access can trigger the vulnerability to crash the affected system component, though code execution is not possible. Vendor-released patch available; no public exploit code identified at time of analysis.
Remote denial-of-service in Windows Local Security Authority Subsystem Service (LSASS) allows unauthenticated network attackers to crash Windows systems through null pointer dereference exploitation. Affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025) across multiple release channels. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and unauthenticated netwo
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
NULL pointer dereference in the Linux kernel's netfilter x_tables subsystem allows a local attacker with CAP_NET_ADMIN privileges to crash the system by loading an NFPROTO_UNSPEC-registered xt_match or xt_target (e.g., xt_devgroup) into an ARP nftables chain via nft_compat, triggering a kernel panic and complete availability loss. CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local-only, availability-only impact, and EPSS at 0.02% (7th percentile) indicates very low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV); vendor-released patches are available across multiple stable kernel branches.
NULL pointer dereference in the Linux kernel's net/sched cls_flow traffic classifier allows a local low-privileged attacker to crash the kernel (denial of service) by creating a flow filter on a shared traffic control block without a fully qualified baseclass. The crash occurs in flow_change() at net/sched/cls_flow.c:508, confirmed by a KASAN trace showing null-ptr-deref when block->q is dereferenced on a shared block where it is intentionally NULL. No active exploitation confirmed - not listed in CISA KEV - and EPSS stands at 0.02% (7th percentile), indicating negligible real-world exploitation probability at time of analysis.
NULL pointer dereference in the Linux kernel's cls_fw traffic classifier (net/sched/cls_fw.c) crashes the kernel when authenticated local users configure an old-method cls_fw filter on a shared tc block and traffic with a nonzero major skb mark is processed. The flaw exists because the old classification path in fw_classify() calls tcf_block_q() and dereferences q->handle, but shared blocks hold a NULL block->q pointer. The impact is limited to local denial of service (kernel panic); no confidentiality or integrity compromise is possible. EPSS is 0.02% (7th percentile), this vulnerability is not in CISA KEV, and no public exploit has been identified at time of analysis.
Nitro PDF Pro 14.41.1.4 for Windows crashes when processing maliciously crafted PDFs that invoke app.alert() with null arguments, causing denial of service through NULL pointer dereference in the JavaScript engine. Remote attackers can deliver weaponized PDF files requiring no authentication or user interaction beyond opening the document (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (2nd percentile), indicating low real-world targeting despite theoretical automation potential.
Nitro PDF Pro for Windows version 14.41.1.4 crashes when processing maliciously crafted XFA (XML Forms Architecture) packets due to a NULL pointer dereference, enabling remote denial-of-service attacks without authentication. An attacker can deliver a weaponized PDF containing the crafted XFA packet, causing the application to terminate when opened. EPSS exploitation probability is very low (0.01%, 2nd percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis. Despite CVSS 7.5 (High), real-world risk is limited to availability impact only - no code execution, data theft, or privilege escalation possible.
Authenticated teachers in Chamilo LMS can delete arbitrary student grades platform-wide through Insecure Direct Object Reference in gradebook result views. By manipulating delete_mark or resultdelete GET parameters, attackers bypass course-scope and ownership controls, enabling unauthorized grade deletion across all courses. Versions prior to 1.11.38 and 2.0.0-RC.3 lack server-side validation. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated access requirement with high integrity impact and low availability impact.
Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.
Kernel crash via forged VCC pointer in the Linux kernel ATM networking subsystem (net/atm/sigd.c) allows a local low-privileged attacker who has assumed the ATM signaling daemon role to dereference arbitrary kernel memory, resulting in denial of service. The flaw affects Linux 2.6.12 through multiple current stable branches, with patches available for 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x, and 7.0-rc1. A public reproducer exists at a GitHub gist, though the EPSS score of 0.02% (7th percentile) and absence from CISA KEV reflect the niche ATM subsystem's limited real-world attack surface.
NULL pointer dereference in OpenSSL CMS EnvelopedData processing enables unauthenticated remote denial of service. Affects OpenSSL 1.0.2 through 3.6.x when processing attacker-controlled CMS messages with KeyTransportRecipientInfo using RSA-OAEP encryption. Missing optional parameters field in algorithm identifier triggers crash before authentication occurs. Applications calling CMS_decrypt() on untrusted input (S/MIME, CMS-based protocols) vulnerable. FIPS modules unaffected. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.
Null pointer dereference in OpenSSL 1.0.2 through 3.6 CMS EnvelopedData processing crashes applications before authentication when KeyAgreeRecipientInfo messages lack optional parameters field. Unauthenticated remote attackers can trigger denial of service against S/MIME processors and CMS-based protocol handlers calling CMS_decrypt() on untrusted input. FIPS modules unaffected. Vendor-released patches available for all affected branches (1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2). Low observed exploitation activity; no public exploit identified at time of analysis.
NULL pointer dereference in OpenSSL 1.0.2 through 3.6.x delta CRL processing enables remote denial-of-service attacks against applications performing X.509 certificate verification. Exploitation requires X509_V_FLAG_USE_DELTAS flag enabled, certificates with freshestCRL extension or base CRL with EXFLAG_FRESHEST flag, and attacker-supplied malformed delta CRL missing required CRL Number extension. Unauthenticated network-accessible attack with low complexity causes application crash. Impact limited to availability; memory disclosure and code execution ruled out by vendor. FIPS modules unaffected.
Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.
Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.
Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.
NULL pointer dereference in Linux kernel NFSD export cache cleanup allows local denial of service when RCU readers in e_show() and c_show() concurrently access export path and client name objects while cache_clean removes entries and drops the last reference prematurely. The vulnerability stems from path_put() and auth_domain_put() executing before the RCU grace period completes, freeing sub-objects still in use by readers. A fix has been merged upstream that defers these cleanup operations to a dedicated workqueue after the RCU grace period, ensuring safe resource release in process context where sleeping is permitted.
Linux kernel memory management allows installation of PMD entries pointing to non-existent physical memory or causes NULL pointer dereferences in move_pages_huge_pmd() when handling huge zero page migrations via UFFDIO_MOVE. The vulnerability occurs because the function incorrectly handles NULL folio pointers for huge zero pages, either producing bogus page frame numbers on SPARSEMEM_VMEMMAP systems or dereferencing NULL on other memory models. Additionally, destination PMD entries lose special mapping metadata (pmd_special flag), causing subsequent page reference counting corruption. No CVSS score is available; no active exploitation reported.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
NULL-pointer dereference in Linux kernel SPI subsystem allows local denial of service via sysfs attribute access. The SPI controller's per-CPU statistics structure is not allocated until after the controller registers with the driver core, creating a race window where sysfs attribute reads can trigger a kernel panic. This affects all Linux kernel versions with the vulnerable SPI statistics implementation; exploitation requires local system access to read sysfs files.
NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.
NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.
Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.
NULL pointer dereference in Linux kernel IPv6 SRv6 path processing allows local denial of service when __in6_dev_get() returns NULL due to missing IPv6 configuration or device unregistration. The vulnerability affects seg6_hmac_validate_skb() and ipv6_srh_rcv() functions which lacked NULL checks on the returned idev pointer, enabling a local attacker to crash the kernel by triggering these code paths on misconfigured or unregistering network devices.
Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.
Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.
Denial of service in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application by opening a crafted PDF containing a stamp annotation with missing appearance (AP) data. The vulnerability stems from insufficient validation before dereferencing annotation objects, triggering a null pointer exception. No public exploit code has been identified, and patch availability has not been confirmed from available advisory data.
NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.
Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.
Null pointer dereference in iccDEV versions prior to 2.3.1.6 causes denial of service when processing ICC color management profiles with malformed lookup table (LUT) structures. The vulnerability exists in IccTagLut.cpp where CIccApplyCLUT member access occurs without null validation, allowing local attackers to crash applications that parse untrusted color profiles. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service via null-pointer dereference in iccDEV prior to version 2.3.1.6 allows local attackers to crash the application by processing a crafted ICC color profile embedded in a TIFF file. The vulnerability exists in the CIccTagLut16::Write() function and requires local file system access but no authentication or user interaction. No public exploit code or active exploitation has been confirmed; the issue is considered moderate severity due to denial-of-service impact only (no code execution or data compromise).
Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.
LibJWT versions 3.0.0 through 3.2.x are vulnerable to denial of service through a NULL pointer dereference in RSA-PSS JWK parsing. When processing specially crafted JWK files that substitute integers for expected string values, the library fails to validate input types, causing a crash. This affects applications that import RSA-PSS keys from JWK files, particularly those handling untrusted key sources. No public exploit code has been identified; patch 3.3.0 resolves the issue.
Ella Core crashes when processing NAS Authentication Response and Authentication Failure messages with missing Information Elements, enabling unauthenticated attackers on the adjacent network to trigger denial of service affecting all connected subscribers. The vulnerability stems from a null pointer dereference in message handling logic (CWE-476) and carries a CVSS 6.5 score reflecting high availability impact with low attack complexity. Vendor-released patch available via GitHub release v1.7.0.
Ella Core suffers a null pointer dereference vulnerability in its NGAP LocationReport message handler that causes the process to panic and crash, enabling unauthenticated network-adjacent attackers to trigger denial of service affecting all connected mobile subscribers. The vulnerability (CVE-2026-33903, CVSS 6.5) stems from missing input validation guards and has a vendor-released patch available in version 1.7.0; no public exploit code or active exploitation has been identified at time of analysis.
Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.
Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.
Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.
NVMe/TCP targets are vulnerable to unauthenticated denial of service when a remote attacker sends a CONNECT command with an invalid CNTLID, triggering a kernel panic on the exposed system. The vulnerability exploits a null pointer dereference that allows any network-accessible attacker to crash the target without authentication. No patch is currently available for this high-severity flaw.
This vulnerability affects multiple Linux kernel HID (Human Interface Device) drivers that lack proper validation checks when processing raw event callbacks from unclaimed HID devices. An attacker could connect a malicious or broken HID device to trigger a NULL pointer dereference in affected drivers, causing a kernel crash and denial of service. The vulnerability was identified as a gap in security hardening following a similar fix applied to the appleir driver, and patches are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.
A race condition in the Linux kernel's i801 I2C driver causes a kernel NULL pointer dereference and panic during boot when multiple udev threads concurrently access the ACPI I/O handler region. The vulnerability affects Linux kernel versions running the i2c_i801 driver on systems with Intel i801 chipsets. An attacker with local access or the ability to trigger concurrent device enumeration during boot can crash the system, resulting in denial of service.
A NULL pointer dereference vulnerability exists in the Linux kernel's DRM client subsystem within the drm_client_modeset_probe function. When memory allocation for the 'modes' variable fails via kcalloc, the error handling path incorrectly attempts to destroy a NULL pointer, leading to a kernel panic or denial of service. This affects all Linux kernel versions containing this vulnerable code path in the DRM display driver subsystem.
A null pointer dereference vulnerability exists in the Linux kernel's ice network driver that crashes the system during ethtool offline loopback tests. The vulnerability affects Linux kernel versions running the ice driver (Intel Ethernet Controller driver), and an attacker with local access and CAP_NET_ADMIN privileges can trigger a kernel panic (denial of service) by executing ethtool loopback self-tests. No active exploitation or public POC has been reported; patches are available in stable kernel releases.
A NULL pointer dereference vulnerability exists in the Linux kernel's HID pidff (PID force feedback) driver due to incomplete clearing of conditional effect bits from the ffbit field. This affects all Linux kernel versions using the vulnerable pidff driver code. An attacker with local access to a system with a connected force feedback HID device could trigger a kernel panic, causing a denial of service. No CVSS score, EPSS score, or active KEV status is currently available, but three stable kernel commits addressing this issue have been merged, indicating the vulnerability has been formally patched.
A null pointer dereference vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that can cause a kernel crash when userspace attempts to destroy a hardware context that has been automatically suspended. The vulnerability affects all Linux kernel versions with the vulnerable amdxdna driver code path; an unprivileged local user with access to the driver's ioctl interface can trigger a denial of service by issuing a destroy context command on a suspended context, causing the kernel to crash when accessing a NULL mailbox channel pointer. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability is classified as a denial of service with straightforward triggering conditions.
A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.
A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
A null-pointer dereference vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling local read errors. When a READ_COMPLETED_WITH_ERROR event occurs in drbd_request_endio(), a NULL peer_device pointer is passed to the __req_mod() function, which then unconditionally dereferences it in drbd_set_out_of_sync(), causing a kernel panic or system crash. This affects all Linux kernel versions with the vulnerable DRBD code, and while not actively exploited in the wild, it can be triggered by a local user or administrator through normal disk I/O error conditions, resulting in denial of service.
A NULL pointer dereference vulnerability exists in the Linux kernel's mac80211 mesh networking subsystem (CVE-2026-23279), specifically in the mesh_rx_csa_frame() function which fails to validate the presence of the Mesh Channel Switch Parameters IE before dereferencing it. A remote attacker with an established mesh peer link can trigger a kernel panic by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes matching Mesh ID and configuration elements but omits the required Channel Switch Parameters IE. This vulnerability affects all Linux kernel versions since v3.13 (January 2014) and requires no special authentication beyond the default open mesh peering, making it a trivial denial-of-service vector against systems with mesh networking enabled.
Denial-of-service attacks against multiple Apple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) result from improper null pointer handling that allows attackers in privileged network positions to crash affected systems. An attacker exploiting this CWE-476 vulnerability can render devices unavailable without user interaction. No patch is currently available, requiring users to apply mitigations until updates are released.
NATS server with leafnode clustering enabled is vulnerable to a denial-of-service crash triggered by remote attackers who exploit null pointer dereference in the compression negotiation handler prior to authentication. Any attacker capable of connecting to a leafnode-configured NATS server can trigger a server panic, causing service disruption. A patch is available to remediate this high-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind, which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this structure needs to be stored inside the driver data before invoking it. As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the mode_config.idr_mutex, blocking all subsequent DRM operations. Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g): Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 [...] Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib drm_dma_helper drm_kms_helper panel_simple [...] Call trace: drm_mode_object_add+0x58/0x98 (P) __drm_encoder_init+0x48/0x140 drm_encoder_init+0x6c/0xa0 drm_simple_encoder_init+0x20/0x34 [drm_kms_helper] mtk_dsi_bind+0x34/0x13c [mediatek_drm] component_bind_all+0x120/0x280 mtk_drm_bind+0x284/0x67c [mediatek_drm] try_to_bring_up_aggregate_device+0x23c/0x320 __component_add+0xa4/0x198 component_add+0x14/0x20 mtk_dsi_host_attach+0x78/0x100 [mediatek_drm] mipi_dsi_attach+0x2c/0x50 panel_simple_dsi_probe+0x4c/0x9c [panel_simple] mipi_dsi_drv_probe+0x1c/0x28 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __device_attach_driver+0xbc/0x17c bus_for_each_drv+0x88/0xf0 __device_attach+0x9c/0x1cc device_initial_probe+0x54/0x60 bus_probe_device+0x34/0xa0 device_add+0x5b0/0x800 mipi_dsi_device_register_full+0xdc/0x16c mipi_dsi_host_register+0xc4/0x17c mtk_dsi_probe+0x10c/0x260 [mediatek_drm] platform_probe+0x5c/0xa4 really_probe+0xc0/0x3dc __driver_probe_device+0x80/0x160 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1f8 bus_for_each_dev+0x7c/0xe0 driver_attach+0x24/0x30 bus_add_driver+0x11c/0x240 driver_register+0x68/0x130 __platform_register_drivers+0x64/0x160 mtk_drm_init+0x24/0x1000 [mediatek_drm] do_one_initcall+0x60/0x1d0 do_init_module+0x54/0x240 load_module+0x1838/0x1dc0 init_module_from_file+0xd8/0xf0 __arm64_sys_finit_module+0x1b4/0x428 invoke_syscall.constprop.0+0x48/0xc8 do_el0_svc+0x3c/0xb8 el0_svc+0x34/0xe8 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix missing NULL checks for kstrdup() 1. Replace "of_find_node_by_path("/")" with "of_root" to avoid multiple calls to "of_node_put()". 2. Fix a potential kernel oops during early boot when memory allocation fails while parsing CPU model from device tree.
In the Linux kernel, the following vulnerability has been resolved: i2c: cp2615: fix serial string NULL-deref at probe The cp2615 driver uses the USB device serial string as the i2c adapter name but does not make sure that the string exists. Verify that the device has a serial number before accessing it to avoid triggering a NULL-pointer dereference (e.g. with malicious devices).
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL deref in bond_debug_rlb_hash_show rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visites client_info->slave without checking if it's NULL. Other used-list iterators in bond_alb.c already handle this NULL-slave state safely: - rlb_update_client returns early on !client_info->slave - rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance compare slave values before visiting - lb_req_update_subnet_clients continues if slave is NULL The following NULL deref crash can be trigger in bond_debug_rlb_hash_show: [ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) [ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 [ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 [ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 [ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 [ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 [ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 [ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 [ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 [ 1.295897] Call Trace: [ 1.296134] seq_read_iter (fs/seq_file.c:231) [ 1.296341] seq_read (fs/seq_file.c:164) [ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) [ 1.296658] vfs_read (fs/read_write.c:572) [ 1.296981] ksys_read (fs/read_write.c:717) [ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Add a NULL check and print "(none)" for entries with no assigned slave.
A NULL pointer dereference in the Linux kernel ARM SCMI firmware driver allows local authenticated users to trigger a denial of service by causing the system to crash. The vulnerability exists in the __scmi_event_handler_get_ops helper function, which can return NULL instead of the expected ERR_PTR on failure, causing downstream code to dereference a NULL pointer when handling unsupported SCMI events. The flaw was introduced in commit b5daf93b809d1 and affects multiple stable kernel versions; patches are available in Linux 6.18.20, 6.19.10, and 7.0.
A null pointer dereference in the i915 GPU driver's graphics translation table (GT) submission logic causes kernel panic and denial of service when the i915 firmware binaries are absent and the system attempts to suspend. Local authenticated attackers with normal user privileges can trigger this crash by initiating system suspend on affected Intel graphics systems without required firmware, resulting in denial of service. No public exploit code identified at time of analysis; EPSS score of 0.02% indicates low exploitation probability in practice.
A denial-of-service vulnerability in the Linux kernel's Btrfs filesystem implementation allows local authenticated attackers to cause filesystem corruption and crashes through a race condition during subvolume creation and lookup. When a newly created Btrfs subvolume's dentry cache is dropped before the BTRFS_ROOT_ORPHAN_CLEANUP flag is set, concurrent orphan cleanup operations can fail with ENOENT, creating negative dentries that prevent subvolume deletion and cause filesystem aborts. EPSS score of 0.02% indicates this is a low-probability exploitation scenario requiring specific timing and configuration conditions, though the impact is severe for affected systems. No public exploit code is identified at time of analysis.
Denial of service in Linux kernel af_key module allows local authenticated attackers to crash the system via buffer overflow in pfkey_send_migrate() function. The vulnerability occurs because pfkey_send_migrate() fails to validate address family parameters before passing them to set_ipsecrequest(), causing truncation that overfills the socket buffer and triggers kernel panic in skb_put(). EPSS score of 0.02% indicates minimal real-world exploitation risk despite moderate CVSS severity.
Null pointer dereference in the Linux kernel Bluetooth L2CAP implementation allows local authenticated attackers to cause a kernel panic and denial of service via the l2cap_sock_ready_cb function during L2CAP connection initialization. The vulnerability occurs when a socket pointer is dereferenced without null validation, triggering a KASAN null-ptr-deref exception that crashes the kernel. EPSS score of 0.02% indicates low real-world exploitation probability despite the moderate CVSS score; no public exploit code or active KEV listing has been identified at time of analysis.
Kernel panic via null pointer dereference in the tracing subsystem occurs when boot-time trigger registration fails and kthread creation does not succeed, allowing deferred trigger frees to accumulate indefinitely and crash the system. Local authenticated attackers can trigger this by specifying malformed trace event parameters on the kernel command line, resulting in denial of service. EPSS exploitation probability is 0.02% (very low) despite moderate CVSS score, suggesting this requires specific boot-time configuration and local access.
Memory exhaustion and kernel crash in Linux kernel's ksmbd SMB server allows remote unauthenticated denial of service via crafted lock requests. The smb2_lock() function contains three critical error-handling defects: memory leaks when vfs_lock_file() returns unexpected errors, stale error propagation in UNLOCK operations, and NULL pointer dereference during rollback when smb_flock_init() allocation fails. CVSS vector indicates network-accessible, low-complexity exploitation requiring no authentication. EPSS score of 0.02% (7th percentile) suggests minimal observed scanning activity, and no KEV listing confirms no widespread exploitation detected. However, the network attack vector (AV:N) and high availability impact (A:H) make this a realistic DoS risk for systems running ksmbd. Vendor patches available across stable kernel series 5.15-6.19.
Denial of service via null pointer dereference in Linux kernel DAMON sysfs module allows local privileged users to crash the system by setting nr_contexts to zero while DAMON is running, then issuing state-change commands that dereference an empty contexts array without bounds checking. EPSS exploitation probability is minimal at 0.02%, reflecting the requirement for local privileged access and active DAMON configuration.
Null pointer dereference in Linux kernel DAMON sysfs interface allows local authenticated users to cause denial of service by setting nr_contexts to zero while DAMON is running, triggering dereference of uninitialized context array pointers in damon_sysfs_repeat_call_fn(). The vulnerability requires local access and low-level privileges (non-root user with sysfs write access), with an EPSS exploitation probability of 0.02% indicating low real-world attack likelihood despite the straightforward trigger mechanism.
Use-after-free in Linux kernel's XFS filesystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or information disclosure. The vulnerability occurs in the XFS Active Item List (AIL) push mechanism where log items can be freed by background reclaim processes while still being dereferenced by tracepoints. Vendor patches are available for kernel versions 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability in the wild, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Race condition in Linux kernel ext4 filesystem allows denial of service through kernel panic when fast commit feature processes incompletely initialized journal inodes. Affects Linux kernel versions from 3.11 through multiple stable branches (5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x) prior to patched versions released in early 2025. Vendor patches available across all affected stable branches. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit code identified at time of analysis. CVSS 8.8 reflects authenticated network attack vector, though real-world risk limited to systems where attackers have filesystem write access and ext4 fast commit is enabled.
Null pointer dereference in Linux kernel DAMON subsystem allows local authenticated attackers to cause denial of service when memory allocation failures occur during online parameter updates. The vulnerability affects DAMON's context commit mechanism (damon_commit_ctx), which can partially corrupt kernel state if internal memory allocation fails, potentially leading to NULL pointer dereference in damos_commit_dests(). While real-world impact is rare due to the low probability of allocation failure, the severe consequence of kernel panic necessitates this fix.
Kernel panic in the Linux netfs subsystem's netfs_limit_iter() function crashes systems when a process writes a core dump to a 9P-mounted filesystem. The function handles only ITER_FOLIOQ, ITER_BVEC, and ITER_XARRAY iterator types, triggering a hard BUG() when __kernel_write() supplies an ITER_KVEC iterator via netfs_unbuffered_write(), producing a local denial of service via kernel panic. No public exploit code exists and no active exploitation has been identified; this is a no public exploit identified at time of analysis scenario with EPSS at 0.02% (5th percentile), indicating minimal widespread exploitation interest.
NULL pointer dereference in the Linux kernel's netfs subsystem crashes the kernel when retrying unbuffered writes on filesystems that omit the prepare_write stream operation, such as 9P. A local low-privilege user who can write to such a mounted filesystem and induce a get_user_pages() -EFAULT failure can trigger a kernel panic, causing a denial of service. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible observed exploitation probability; the vulnerability is not listed in CISA KEV.
Use-after-free and descriptor management error in Linux kernel's Intel IDXD DMA engine driver allows NULL pointer dereferences, double completion, or descriptor leaks. The llist_abort_desc() function completes the wrong descriptor object due to a loop cursor bug introduced in commit aa8d18becc0c. Patches released for kernel 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no active exploitation or public exploit code identified. Despite CVSS 9.8 critical rating with network vector, the actual attack surface requires local access to DMA engine subsystems, making the CVSS vector likely inaccurate or context-dependent.
Denial of service in PowerDNS Recursor via null pointer dereference in the zoneToCache function when processing zone data from a malicious authoritative server. Affects Recursor 5.2.0 through 5.4.0 and requires high privileges and non-standard network conditions to exploit, resulting in service availability impact but not data compromise. Patch available from vendor.
Null pointer dereference in PowerDNS Recursor allows remote attackers to trigger a denial of service by sending crafted DNS replies that bypass a missing consistency check. The vulnerability affects Recursor versions 5.2.0 through 5.2.8, 5.3.0 through 5.3.5, and 5.4.0, with CVSS 5.9 reflecting high availability impact but requiring special network conditions (AC:H). No public exploit code identified at time of analysis.
Denial of service in PowerDNS Recursor occurs when processing a malicious Response Policy Zone (RPZ) from an authoritative server, triggering a null pointer dereference due to missing validation logic. Versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 are affected. An authenticated remote attacker controlling an authoritative nameserver can crash the Recursor service by sending a specially crafted RPZ response, requiring high privilege level (PR:H) and complex attack conditions (AC:H) as mitigating factors.
The readelf utility in binutils is vulnerable to denial of service through null pointer dereference when processing specially crafted ELF files. A local attacker with limited privileges can trigger excessive resource consumption or program crashes by convincing a user to process a malicious ELF binary, affecting Red Hat Enterprise Linux 6, 7, 8, and 10. No public exploit code or active exploitation has been confirmed at this time.
Denial of service via null pointer dereference in Firefox's Audio/Video Playback component allows remote attackers to crash the browser without user interaction. The vulnerability affects Firefox versions prior to 150 and requires only a network connection to trigger, resulting in availability loss but not code execution or data compromise. No active exploitation has been confirmed at time of analysis.
Null pointer dereference in Firebird SQL server causes remote denial-of-service when unauthenticated attackers send malformed op_crypt_key_callback packets. Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 are affected. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitation requiring no authentication or user interaction, allowing attackers who know only the server's IP and port to crash database services. The integrity impact rating (I:L) suggests potential for limited data corruption alongside the high availability impact. Vendor-released patches are available in versions 5.0.4, 4.0.7, and 3.0.14. No public exploit code or CISA KEV listing identified at time of analysis, though the low attack complexity makes weaponization straightforward.
Remote unauthenticated denial of service in Firebird SQL database server versions prior to 6.0.0/5.0.4/4.0.7/3.0.14 allows attackers to crash the database by sending a malformed op_slice network packet that triggers a null pointer dereference in the SDL_info() function. Attack requires only network access to the database port with no authentication (CVSS AV:N/AC:L/PR:N). No public exploit code identified at time of analysis, and EPSS data not available for this recent CVE. Fixed versions released by vendor across all maintained branches.
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Null pointer dereference in Windows Redirected Drive Buffering denies service to local authenticated users on Windows 11 version 26H1 (build 10.0.28000.0-10.0.28000.1835). An authorized attacker with local access can trigger the vulnerability to crash the affected system component, though code execution is not possible. Vendor-released patch available; no public exploit code identified at time of analysis.
Remote denial-of-service in Windows Local Security Authority Subsystem Service (LSASS) allows unauthenticated network attackers to crash Windows systems through null pointer dereference exploitation. Affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025) across multiple release channels. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and unauthenticated netwo
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
NULL pointer dereference in the Linux kernel's netfilter x_tables subsystem allows a local attacker with CAP_NET_ADMIN privileges to crash the system by loading an NFPROTO_UNSPEC-registered xt_match or xt_target (e.g., xt_devgroup) into an ARP nftables chain via nft_compat, triggering a kernel panic and complete availability loss. CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local-only, availability-only impact, and EPSS at 0.02% (7th percentile) indicates very low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV); vendor-released patches are available across multiple stable kernel branches.
NULL pointer dereference in the Linux kernel's net/sched cls_flow traffic classifier allows a local low-privileged attacker to crash the kernel (denial of service) by creating a flow filter on a shared traffic control block without a fully qualified baseclass. The crash occurs in flow_change() at net/sched/cls_flow.c:508, confirmed by a KASAN trace showing null-ptr-deref when block->q is dereferenced on a shared block where it is intentionally NULL. No active exploitation confirmed - not listed in CISA KEV - and EPSS stands at 0.02% (7th percentile), indicating negligible real-world exploitation probability at time of analysis.
NULL pointer dereference in the Linux kernel's cls_fw traffic classifier (net/sched/cls_fw.c) crashes the kernel when authenticated local users configure an old-method cls_fw filter on a shared tc block and traffic with a nonzero major skb mark is processed. The flaw exists because the old classification path in fw_classify() calls tcf_block_q() and dereferences q->handle, but shared blocks hold a NULL block->q pointer. The impact is limited to local denial of service (kernel panic); no confidentiality or integrity compromise is possible. EPSS is 0.02% (7th percentile), this vulnerability is not in CISA KEV, and no public exploit has been identified at time of analysis.
Nitro PDF Pro 14.41.1.4 for Windows crashes when processing maliciously crafted PDFs that invoke app.alert() with null arguments, causing denial of service through NULL pointer dereference in the JavaScript engine. Remote attackers can deliver weaponized PDF files requiring no authentication or user interaction beyond opening the document (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (2nd percentile), indicating low real-world targeting despite theoretical automation potential.
Nitro PDF Pro for Windows version 14.41.1.4 crashes when processing maliciously crafted XFA (XML Forms Architecture) packets due to a NULL pointer dereference, enabling remote denial-of-service attacks without authentication. An attacker can deliver a weaponized PDF containing the crafted XFA packet, causing the application to terminate when opened. EPSS exploitation probability is very low (0.01%, 2nd percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis. Despite CVSS 7.5 (High), real-world risk is limited to availability impact only - no code execution, data theft, or privilege escalation possible.
Authenticated teachers in Chamilo LMS can delete arbitrary student grades platform-wide through Insecure Direct Object Reference in gradebook result views. By manipulating delete_mark or resultdelete GET parameters, attackers bypass course-scope and ownership controls, enabling unauthorized grade deletion across all courses. Versions prior to 1.11.38 and 2.0.0-RC.3 lack server-side validation. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated access requirement with high integrity impact and low availability impact.
Remote unauthenticated attackers can crash GnuTLS servers by sending malformed TLS handshake messages containing invalid Pre-Shared Key binder values, triggering a NULL pointer dereference. Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images are affected. Vendor patches are available. EPSS score of 0.08% (24th percentile) suggests low current exploitation probability despite network-accessible attack vector. SSVC framework classifies this as automatable with partial technical impact but no known exploitation, making this a medium-priority patching target focused on preventing service disruption rather than data breach.
Kernel crash via forged VCC pointer in the Linux kernel ATM networking subsystem (net/atm/sigd.c) allows a local low-privileged attacker who has assumed the ATM signaling daemon role to dereference arbitrary kernel memory, resulting in denial of service. The flaw affects Linux 2.6.12 through multiple current stable branches, with patches available for 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x, and 7.0-rc1. A public reproducer exists at a GitHub gist, though the EPSS score of 0.02% (7th percentile) and absence from CISA KEV reflect the niche ATM subsystem's limited real-world attack surface.
NULL pointer dereference in OpenSSL CMS EnvelopedData processing enables unauthenticated remote denial of service. Affects OpenSSL 1.0.2 through 3.6.x when processing attacker-controlled CMS messages with KeyTransportRecipientInfo using RSA-OAEP encryption. Missing optional parameters field in algorithm identifier triggers crash before authentication occurs. Applications calling CMS_decrypt() on untrusted input (S/MIME, CMS-based protocols) vulnerable. FIPS modules unaffected. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.
Null pointer dereference in OpenSSL 1.0.2 through 3.6 CMS EnvelopedData processing crashes applications before authentication when KeyAgreeRecipientInfo messages lack optional parameters field. Unauthenticated remote attackers can trigger denial of service against S/MIME processors and CMS-based protocol handlers calling CMS_decrypt() on untrusted input. FIPS modules unaffected. Vendor-released patches available for all affected branches (1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2). Low observed exploitation activity; no public exploit identified at time of analysis.
NULL pointer dereference in OpenSSL 1.0.2 through 3.6.x delta CRL processing enables remote denial-of-service attacks against applications performing X.509 certificate verification. Exploitation requires X509_V_FLAG_USE_DELTAS flag enabled, certificates with freshestCRL extension or base CRL with EXFLAG_FRESHEST flag, and attacker-supplied malformed delta CRL missing required CRL Number extension. Unauthenticated network-accessible attack with low complexity causes application crash. Impact limited to availability; memory disclosure and code execution ruled out by vendor. FIPS modules unaffected.
Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.
Libarchive's archive_acl_from_text_nl() function fails to validate malformed ACL strings before dereferencing pointers, allowing local attackers to crash applications that process untrusted archives via specially crafted ACL fields. This NULL pointer dereference results in denial of service with high availability impact. CVSS 5.5 reflects local attack vector and user interaction requirement; no public exploit code or active exploitation confirmed at analysis time.
Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.
NULL pointer dereference in Linux kernel NFSD export cache cleanup allows local denial of service when RCU readers in e_show() and c_show() concurrently access export path and client name objects while cache_clean removes entries and drops the last reference prematurely. The vulnerability stems from path_put() and auth_domain_put() executing before the RCU grace period completes, freeing sub-objects still in use by readers. A fix has been merged upstream that defers these cleanup operations to a dedicated workqueue after the RCU grace period, ensuring safe resource release in process context where sleeping is permitted.
Linux kernel memory management allows installation of PMD entries pointing to non-existent physical memory or causes NULL pointer dereferences in move_pages_huge_pmd() when handling huge zero page migrations via UFFDIO_MOVE. The vulnerability occurs because the function incorrectly handles NULL folio pointers for huge zero pages, either producing bogus page frame numbers on SPARSEMEM_VMEMMAP systems or dereferencing NULL on other memory models. Additionally, destination PMD entries lose special mapping metadata (pmd_special flag), causing subsequent page reference counting corruption. No CVSS score is available; no active exploitation reported.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
NULL-pointer dereference in Linux kernel SPI subsystem allows local denial of service via sysfs attribute access. The SPI controller's per-CPU statistics structure is not allocated until after the controller registers with the driver core, creating a race window where sysfs attribute reads can trigger a kernel panic. This affects all Linux kernel versions with the vulnerable SPI statistics implementation; exploitation requires local system access to read sysfs files.
NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.
NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.
Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.
NULL pointer dereference in Linux kernel IPv6 SRv6 path processing allows local denial of service when __in6_dev_get() returns NULL due to missing IPv6 configuration or device unregistration. The vulnerability affects seg6_hmac_validate_skb() and ipv6_srh_rcv() functions which lacked NULL checks on the returned idev pointer, enabling a local attacker to crash the kernel by triggering these code paths on misconfigured or unregistering network devices.
Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.
Linux kernel NULL pointer dereference in the x86 PMU NMI handler on AMD EPYC systems causes denial of service when perf event unthrottling races with PMU rescheduling. The vulnerability stems from commit 7e772a93eb61 moving event pointer initialization later in x86_pmu_enable(), allowing the unthrottle path to set active_mask bits without populating the corresponding events[] array entries, leading to NULL pointer dereference when subsequent PMC overflow interrupts fire. No public exploit code identified at time of analysis; patch fixes are available in upstream Linux kernel stable branches.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.
Denial of service in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application by opening a crafted PDF containing a stamp annotation with missing appearance (AP) data. The vulnerability stems from insufficient validation before dereferencing annotation objects, triggering a null pointer exception. No public exploit code has been identified, and patch availability has not been confirmed from available advisory data.
NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.
Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.
Null pointer dereference in iccDEV versions prior to 2.3.1.6 causes denial of service when processing ICC color management profiles with malformed lookup table (LUT) structures. The vulnerability exists in IccTagLut.cpp where CIccApplyCLUT member access occurs without null validation, allowing local attackers to crash applications that parse untrusted color profiles. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service via null-pointer dereference in iccDEV prior to version 2.3.1.6 allows local attackers to crash the application by processing a crafted ICC color profile embedded in a TIFF file. The vulnerability exists in the CIccTagLut16::Write() function and requires local file system access but no authentication or user interaction. No public exploit code or active exploitation has been confirmed; the issue is considered moderate severity due to denial-of-service impact only (no code execution or data compromise).
Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.
LibJWT versions 3.0.0 through 3.2.x are vulnerable to denial of service through a NULL pointer dereference in RSA-PSS JWK parsing. When processing specially crafted JWK files that substitute integers for expected string values, the library fails to validate input types, causing a crash. This affects applications that import RSA-PSS keys from JWK files, particularly those handling untrusted key sources. No public exploit code has been identified; patch 3.3.0 resolves the issue.
Ella Core crashes when processing NAS Authentication Response and Authentication Failure messages with missing Information Elements, enabling unauthenticated attackers on the adjacent network to trigger denial of service affecting all connected subscribers. The vulnerability stems from a null pointer dereference in message handling logic (CWE-476) and carries a CVSS 6.5 score reflecting high availability impact with low attack complexity. Vendor-released patch available via GitHub release v1.7.0.
Ella Core suffers a null pointer dereference vulnerability in its NGAP LocationReport message handler that causes the process to panic and crash, enabling unauthenticated network-adjacent attackers to trigger denial of service affecting all connected mobile subscribers. The vulnerability (CVE-2026-33903, CVSS 6.5) stems from missing input validation guards and has a vendor-released patch available in version 1.7.0; no public exploit code or active exploitation has been identified at time of analysis.
Libssh versions used across Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 are vulnerable to a null pointer dereference when processing malformed 'longname' fields in SFTP SSH_FXP_NAME messages, allowing unauthenticated remote attackers to trigger denial of service through application crashes. The attack requires user interaction and high attack complexity (CVSS 3.1, CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) but affects a widely deployed SSH library; no public exploit identified at time of analysis.
Linux kernel ICMP tag validation routines fail to check for NULL protocol handler pointers before dereferencing them, causing kernel panics in softirq context when processing fragmentation-needed errors with unregistered protocol numbers and ip_no_pmtu_disc hardened mode enabled. The vulnerability affects multiple Linux kernel versions across stable branches (6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc5), with an EPSS score of 0.02% (7th percentile) indicating low real-world exploitation probability. No public exploit code or active exploitation has been confirmed; the fix requires adding a NULL pointer check in icmp_tag_validation() before accessing icmp_strict_tag_validation.
Linux kernel mac80211 mesh networking crashes on NULL pointer dereference when processing Channel Switch Announcement (CSA) action frames lacking Mesh Configuration IE, allowing adjacent WiFi attackers to trigger kernel panic (DoS) via crafted frames. Affects multiple stable kernel versions (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5 and earlier); EPSS exploitation probability is 0.02% (low), no public exploit identified, and upstream fixes are available across all affected release branches.
NVMe/TCP targets are vulnerable to unauthenticated denial of service when a remote attacker sends a CONNECT command with an invalid CNTLID, triggering a kernel panic on the exposed system. The vulnerability exploits a null pointer dereference that allows any network-accessible attacker to crash the target without authentication. No patch is currently available for this high-severity flaw.
This vulnerability affects multiple Linux kernel HID (Human Interface Device) drivers that lack proper validation checks when processing raw event callbacks from unclaimed HID devices. An attacker could connect a malicious or broken HID device to trigger a NULL pointer dereference in affected drivers, causing a kernel crash and denial of service. The vulnerability was identified as a gap in security hardening following a similar fix applied to the appleir driver, and patches are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's bridge networking module when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When Neighbor Discovery (ND) suppression is enabled on a bridge, an ICMPv6 packet reaching the bridge causes the kernel to dereference a NULL pointer in the nd_tbl structure, resulting in a kernel panic and denial of service. This affects all Linux kernel versions with this code path, and while no CVSS score or EPSS data is currently available, the vulnerability is readily triggered through network packet receipt on systems with specific boot configurations.
A race condition in the Linux kernel's i801 I2C driver causes a kernel NULL pointer dereference and panic during boot when multiple udev threads concurrently access the ACPI I/O handler region. The vulnerability affects Linux kernel versions running the i2c_i801 driver on systems with Intel i801 chipsets. An attacker with local access or the ability to trigger concurrent device enumeration during boot can crash the system, resulting in denial of service.
A NULL pointer dereference vulnerability exists in the Linux kernel's DRM client subsystem within the drm_client_modeset_probe function. When memory allocation for the 'modes' variable fails via kcalloc, the error handling path incorrectly attempts to destroy a NULL pointer, leading to a kernel panic or denial of service. This affects all Linux kernel versions containing this vulnerable code path in the DRM display driver subsystem.
A null pointer dereference vulnerability exists in the Linux kernel's ice network driver that crashes the system during ethtool offline loopback tests. The vulnerability affects Linux kernel versions running the ice driver (Intel Ethernet Controller driver), and an attacker with local access and CAP_NET_ADMIN privileges can trigger a kernel panic (denial of service) by executing ethtool loopback self-tests. No active exploitation or public POC has been reported; patches are available in stable kernel releases.
A NULL pointer dereference vulnerability exists in the Linux kernel's HID pidff (PID force feedback) driver due to incomplete clearing of conditional effect bits from the ffbit field. This affects all Linux kernel versions using the vulnerable pidff driver code. An attacker with local access to a system with a connected force feedback HID device could trigger a kernel panic, causing a denial of service. No CVSS score, EPSS score, or active KEV status is currently available, but three stable kernel commits addressing this issue have been merged, indicating the vulnerability has been formally patched.
A null pointer dereference vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) that can cause a kernel crash when userspace attempts to destroy a hardware context that has been automatically suspended. The vulnerability affects all Linux kernel versions with the vulnerable amdxdna driver code path; an unprivileged local user with access to the driver's ioctl interface can trigger a denial of service by issuing a destroy context command on a suspended context, causing the kernel to crash when accessing a NULL mailbox channel pointer. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability is classified as a denial of service with straightforward triggering conditions.
A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.
A lifecycle management vulnerability in the Linux kernel's USB NCM (Network Control Model) gadget function causes the network device to outlive its parent gadget device, resulting in NULL pointer dereferences and dangling sysfs symlinks when the USB gadget is disconnected. This affects all Linux kernel versions with the vulnerable USB gadget NCM implementation, and an attacker with local access to trigger USB gadget bind/unbind cycles can cause a kernel panic (denial of service). No CVSS vector, EPSS score, or active KEV status is available, but patches are confirmed available in the Linux stable tree.
A NULL pointer dereference vulnerability exists in the Linux kernel's event tracing subsystem, specifically in the trigger_data_free() function which fails to validate NULL pointers before dereferencing the data->cmd_ops field. This affects all Linux kernel versions where the vulnerable tracing code is present, and can be exploited by local attackers with appropriate privileges to cause a denial of service through kernel panic. The vulnerability was discovered through automated code review rather than active exploitation in the wild, and patches have been committed to stable kernel branches.
A NULL pointer dereference vulnerability exists in the Linux kernel's IPv6 routing code within the ip6_rt_get_dev_rcu() function, triggered when a slave device is being un-slaved from a Virtual Routing and Forwarding (VRF) context. The vulnerability affects all Linux kernel versions with the affected code path and can be exploited to cause a kernel panic and denial of service. This issue was introduced by commit 4832c30d5458 which removed the fallback to loopback device handling, and multiple stable kernel branches have received patches to restore the NULL pointer check and fallback logic.
A kernel panic vulnerability exists in Linux IPv6 nexthop handling where standalone IPv6 nexthop objects created with loopback devices are misclassified as reject routes, causing the nhc_pcpu_rth_output field to remain unallocated. When an IPv4 route subsequently references this nexthop, a NULL pointer dereference in __mkroute_output() triggers a kernel panic, resulting in denial of service. All Linux kernel versions with IPv6 nexthop support are affected, and the vulnerability is remotely triggerable by unprivileged users with network configuration capabilities.
A NULL pointer dereference vulnerability exists in the Linux kernel's VXLAN implementation when IPv6 is disabled via the 'ipv6.disable=1' boot parameter. When an IPv6 packet is injected into a VXLAN interface, the route_shortcircuit() function attempts to call neigh_lookup() on an uninitialized nd_tbl (neighbor discovery table), causing a kernel panic and denial of service. This affects all Linux distributions shipping vulnerable kernel versions, and while no CVSS score or EPSS data is provided, the presence of six stable kernel commits and reproducible crash conditions indicates high practical impact.
A null pointer dereference vulnerability exists in the Linux kernel's ATM LANE module (lec_arp_clear_vccs function) where multiple ARP entries can share the same virtual circuit connection (VCC). When a VCC is closed, the kernel iterates through ARP entries and clears associated VCC pointers; if multiple entries share the same VCC, the first iteration frees the vpriv structure and sets it to NULL, causing subsequent iterations to crash when attempting to dereference the now-NULL pointer. A local attacker can trigger this denial of service condition through crafted ATM socket operations, as demonstrated by existing syzkaller reproducers.
A null-pointer dereference vulnerability exists in the Linux kernel's DRBD (Distributed Replicated Block Device) subsystem when handling local read errors. When a READ_COMPLETED_WITH_ERROR event occurs in drbd_request_endio(), a NULL peer_device pointer is passed to the __req_mod() function, which then unconditionally dereferences it in drbd_set_out_of_sync(), causing a kernel panic or system crash. This affects all Linux kernel versions with the vulnerable DRBD code, and while not actively exploited in the wild, it can be triggered by a local user or administrator through normal disk I/O error conditions, resulting in denial of service.
A NULL pointer dereference vulnerability exists in the Linux kernel's mac80211 mesh networking subsystem (CVE-2026-23279), specifically in the mesh_rx_csa_frame() function which fails to validate the presence of the Mesh Channel Switch Parameters IE before dereferencing it. A remote attacker with an established mesh peer link can trigger a kernel panic by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes matching Mesh ID and configuration elements but omits the required Channel Switch Parameters IE. This vulnerability affects all Linux kernel versions since v3.13 (January 2014) and requires no special authentication beyond the default open mesh peering, making it a trivial denial-of-service vector against systems with mesh networking enabled.
Denial-of-service attacks against multiple Apple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) result from improper null pointer handling that allows attackers in privileged network positions to crash affected systems. An attacker exploiting this CWE-476 vulnerability can render devices unavailable without user interaction. No patch is currently available, requiring users to apply mitigations until updates are released.
NATS server with leafnode clustering enabled is vulnerable to a denial-of-service crash triggered by remote attackers who exploit null pointer dereference in the compression negotiation handler prior to authentication. Any attacker capable of connecting to a leafnode-configured NATS server can trigger a server panic, causing service disruption. A patch is available to remediate this high-severity vulnerability.