Null Pointer Dereference
Monthly
Adobe After Effects 25.6 and earlier suffers from a null pointer dereference that allows attackers to trigger application crashes by convincing users to open a specially crafted file. This local denial-of-service vulnerability requires user interaction but requires no special privileges, potentially disrupting creative workflows. No patch is currently available.
Substance 3D Designer 15.1.0 and earlier contains a null pointer dereference vulnerability that allows local attackers to crash the application by tricking users into opening malicious files. This denial-of-service attack requires user interaction but causes service disruption with no mitigation patch currently available.
Denial-of-service in Adobe Substance 3D Designer version 15.1.0 and earlier stems from a null pointer dereference vulnerability that crashes the application when a user opens a malicious file. The attack requires no special privileges and relies solely on user interaction to trigger the crash. No patch is currently available for this vulnerability.
Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.
Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial of service. [CVSS 6.8 MEDIUM]
FreeRDP proxy versions prior to 3.22.0 are vulnerable to denial of service when processing specially crafted RDP server responses that trigger a null pointer dereference in the logon information handler. An unauthenticated attacker controlling a malicious RDP server can crash the FreeRDP proxy by sending a LogonInfoV2 PDU with empty domain or username fields. This vulnerability has been patched in version 3.22.0 and later.
Open5GS versions up to 2.7.6 suffer from a null pointer dereference in the PGW S5U Address Handler component that can be triggered remotely without authentication, resulting in denial of service. Public exploit code exists for this vulnerability, and administrators should apply the available patch immediately.
Free5GC versions up to 4.1.0 are vulnerable to a null pointer dereference in the SMF component's SessionDeletionResponse function, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference vulnerability in the identityTriggerType function of pfcp_reports.go that allows remote attackers to cause denial of service without authentication. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference in the SMF's establishPfcpSession function that can be triggered remotely without authentication, causing a denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME.
Linux kernel null pointer dereference in the tracing subsystem causes a denial of service when synthetic events reference stacktrace fields from other synthetic events. Local users with tracing permissions can trigger a kernel crash by creating chained synthetic events that pass stacktrace data between them. No patch is currently available for this vulnerability.
A null pointer dereference vulnerability in the Linux kernel's be2net driver allows local users with low privileges to cause a denial of service by triggering a crash through improper parameter handling in the be_cmd_get_mac_from_list() function. The vulnerability occurs when the driver passes both a false pmac_id_valid flag and a NULL pointer to this function, causing the kernel to dereference the invalid pointer. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's net/sched act_ife module allows local users with low privileges to cause a denial of service through a kernel crash when the ife_encode() function fails to validate return values. The vulnerability affects the traffic control scheduling subsystem and requires local access to trigger.
Linux kernel UACCE subsystem is vulnerable to a null pointer dereference that causes a denial of service when queue release and device removal operations execute concurrently during system shutdown. A local attacker with standard user privileges can trigger this condition by forcing accelerator queue cleanup while the device is being removed, crashing the kernel. No patch is currently available.
The hp-bioscfg driver in the Linux kernel contains a null pointer dereference vulnerability triggered by an off-by-one error and missing NULL checks in the GET_INSTANCE_ID macro when accessing BIOS configuration sysfs attributes. Local users with unprivileged access can trigger a kernel panic by reading certain attribute files, causing denial of service during BIOS configuration operations. No patch is currently available for this vulnerability.
The Linux kernel's authencesn crypto module fails to validate minimum AAD (Associated Authenticated Data) length, allowing local attackers with unprivileged access to trigger a NULL pointer dereference and kernel panic by submitting specially crafted authentication requests with oversized AAD parameters. This denial-of-service vulnerability affects systems running vulnerable Linux kernel versions and requires local access to exploit. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay().
In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport.
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel.
Remote denial of service in Free5GC PCF versions up to 1.4.1 stems from a null pointer dereference in the SM Policy request handler, allowing unauthenticated attackers to crash the service from the network. Public exploit code exists for this vulnerability, and a patch is available to remediate the issue.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.
The 3com 3c59x driver in the Linux kernel is susceptible to a null pointer dereference in the vortex_probe1() function when pdev is null, potentially causing a denial of service through system crash or hang. A local attacker with unprivileged access can trigger this condition during driver initialization. A patch is available to resolve this issue.
A NULL pointer dereference in the Linux kernel's Marvell Prestera driver occurs when devlink_alloc() fails to allocate memory, as the code does not validate the returned pointer before dereferencing it. A local attacker with unprivileged access can trigger a kernel crash by exhausting memory or forcing allocation failures. A patch is available to add proper NULL pointer validation before dereferencing the devlink object.
The Linux kernel idpf driver fails to properly handle initialization errors during driver load, leaving the system in an inconsistent state where subsequent resets trigger a null pointer dereference crash. Local users with administrative privileges can cause a denial of service by triggering conditions that cause the init_task to fail, such as rejected firmware operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id.
Free5GC SMF versions up to 4.1.0 contain a null pointer dereference in the PFCP UDP endpoint handler that can be triggered remotely without authentication, leading to denial of service. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can crash the session management function by sending specially crafted PFCP association release requests.
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
Null pointer dereference in TP-Link Tapo C220 v1 and C520WS v2 cameras allows adjacent network attackers to crash the HTTP service via malformed POST requests with excessive Content-Length headers. Attackers can sustain denial of service through repeated crashes despite automatic device restarts. EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. [CVSS 7.5 HIGH]
Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. [CVSS 5.9 MEDIUM]
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. [CVSS 6.1 MEDIUM]
Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .
NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp.
NULL Pointer Dereference vulnerability in visualfc liteide (liteidex/src/3rdparty/libvterm/src modules). This vulnerability is associated with program files screen.C, state.C, vterm.C.
The vmwgfx driver in the Linux kernel crashes due to a null pointer dereference when KMS with 3D graphics is used on hardware version 10, which lacks GB Surfaces support. A local attacker with user-level privileges can trigger this vulnerability to cause a denial of service by crashing the display driver, resulting in a black screen. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's ASoC tlv320adcx140 audio driver contains a null pointer dereference in the adcx140_priv structure due to improper initialization of the snd_soc_component field, allowing local authenticated users to trigger a denial of service. An attacker with local access and user-level privileges can crash the audio subsystem by invoking the vulnerable code path. No patch is currently available for this medium-severity vulnerability.
A null pointer dereference in the Linux kernel's build ID library can cause a denial of service when reading files in sleepable contexts. Local users with standard privileges can trigger a kernel crash through the filemap_read_folio() code path. This vulnerability requires no user interaction and affects the availability of the system.
The Linux kernel mlx5e driver crashes with a null pointer dereference when profile change operations fail and rollback is unsuccessful, leaving the network device in an invalid state. A local attacker with standard user privileges can trigger a denial of service by attempting subsequent profile changes, such as through switchdev mode modifications, which will access the dangling null pointer and crash the system.
The Linux kernel's NVMe-TCP implementation fails to validate pointer initialization in nvmet_tcp_build_pdu_iovec(), allowing remote attackers to trigger NULL pointer dereferences and cause denial of service by sending H2C_DATA PDUs before completing proper command initialization. An unauthenticated network attacker can exploit this vulnerability to crash the kernel without requiring user interaction or special privileges.
A null pointer dereference in the Linux kernel's mlx5e driver allows local attackers with user privileges to cause a denial of service by triggering a kernel panic when eswitch mode configuration fails. The vulnerability occurs when mlx5e_priv structure is improperly dereferenced during profile attachment failures, particularly when switching to switchdev mode. A patch is available to resolve this issue by storing netdev directly instead of referencing the unstable mlx5e_priv structure.
iccDEV versions 2.3.1.1 and below are vulnerable to null pointer dereference in CIccProfileXml::ParseBasic() when processing maliciously crafted ICC color profiles, allowing remote attackers to trigger denial of service or data manipulation without user interaction. Public exploit code exists for this vulnerability, which affects applications using the iccDEV libraries for color profile handling. The vulnerability has been patched in version 2.3.1.2.
Null pointer dereference in iccDEV versions 2.3.1.1 and below allows remote attackers to trigger denial of service or data manipulation via maliciously crafted ICC color profile data, with public exploit code currently available. The vulnerability stems from unsafe handling of user-controllable input in the CIccTagXmlFloatNum<>::ParseXml() function and may enable code execution depending on application context. Upgrade to version 2.3.1.2 to remediate.
iccDEV versions 2.3.1.1 and below contain a null pointer dereference in the CIccXmlArrayType() function that allows remote attackers to trigger denial of service, data manipulation, or potentially achieve code execution through crafted ICC profile data. The vulnerability stems from unsafe handling of user-controlled input in binary structured data and has public exploit code available. Upgrade to version 2.3.1.2 or later to remediate.
The Linux kernel's idpf driver contains a NULL pointer dereference in its RSS LUT handling that can be triggered when ethtool commands access the RSS lookup table immediately after a soft reset. Local users with standard privileges can crash the system by performing queue count changes followed by ethtool operations on the affected network interface. A patch is available to properly manage RSS LUT state during soft resets based on queue count changes.
The Linux kernel's Ceph authentication handler fails to properly propagate errors from mon_handle_auth_done(), allowing the msgr2 protocol to proceed with session establishment even when authentication fails in secure mode. This can trigger a NULL pointer dereference in prepare_auth_signature(), causing a denial of service on systems using Ceph for storage or communication. Local attackers with privileges to interact with Ceph authentication can crash the kernel or cause system instability.
A null pointer dereference vulnerability in the Linux kernel's libceph library occurs when free_choose_arg_map() is called after a partial memory allocation failure, allowing a local attacker with low privileges to cause a denial of service. The vulnerability exists because the function does not validate pointers before dereferencing them during cleanup operations. A patch is available to add proper pointer checks and make the cleanup routine resilient to incomplete allocations.
The Linux kernel's idpf driver crashes with a NULL pointer dereference when ethtool RSS operations are performed before the network interface is brought up, affecting systems using this driver. A local attacker with unprivileged user access can trigger a denial of service by executing RSS configuration commands on a down interface. The vulnerability is resolved by initializing the RSS lookup table during vport creation rather than at interface startup.
The Linux kernel's network stack contains a null pointer dereference vulnerability in message handling that could cause a denial of service when the msg_get_inq field is improperly written by the callee function. Local attackers with basic privileges can trigger this condition by reusing kernel-internal msghdr structures, resulting in system crashes or service interruption. A patch is available to prevent writes to this input field and eliminate the unsafe branching logic.
The ocelot network driver in the Linux kernel is susceptible to a null pointer dereference crash when adding a network interface under a link aggregation group, affecting systems using the ocelot_vsc7514 frontend. A local attacker with unprivileged access can trigger this denial of service condition by performing specific network interface configuration operations. A patch is available that adds proper pointer validation before accessing port structures.
A null pointer dereference in the Linux kernel's idpf driver allows local attackers with user privileges to cause a denial of service by triggering improper netdevice state management during reset operations. The vulnerability occurs when the driver fails to properly detach and close network devices before deallocating vport resources, leaving pointers unprotected from concurrent callback access. A patch is available to resolve this issue by implementing proper device state synchronization during reset handling.
Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId. [CVSS 7.5 HIGH]
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. [CVSS 2.9 LOW]
SIPp is vulnerable to a NULL pointer dereference that can be triggered by remote attackers sending malicious SIP messages during active calls, resulting in application crashes and denial of service. Under certain conditions, this vulnerability may also enable arbitrary code execution, potentially compromising system integrity and availability. No patch is currently available.
ImageMagick and Magick.NET versions 14.10.1 and below are vulnerable to denial of service attacks through a null pointer dereference in the MSL parser when processing malformed comment tags, exploitable by authenticated attackers without user interaction. Public exploit code exists for this vulnerability, and affected systems may crash or experience assertion failures depending on build configuration. No patch is currently available to address this medium-severity issue.
EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. [CVSS 7.4 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, without closing and destroying the previous ones. Previous `Session` is not saved and the usage of an `unique_ptr` is lost, destroying connection data. Latter, if the used socket and therefore file des...
A null pointer dereference in the Linux kernel's socket error queue handling causes a denial of service when CONFIG_HARDENED_USERCOPY is enabled and applications attempt to retrieve error messages via recvmsg(). Local attackers with user privileges can trigger a kernel panic by reading from the socket error queue on affected systems running vulnerable kernel versions.
A null pointer dereference in the Linux kernel's QFQ packet scheduler (net/sched/sch_qfq) allows local attackers with user privileges to cause a denial of service by deactivating an inactive aggregate during qdisc reset operations. The vulnerability occurs when multiple QFQ qdisc instances share a leaf qdisc, causing incorrect state assumptions during cleanup. A patch is available to resolve this issue.
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. [CVSS 7.5 HIGH]
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. [CVSS 7.5 HIGH]
NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). [CVSS 7.5 HIGH]
NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. [CVSS 7.5 HIGH]
HarfBuzz::Shaper for Perl versions before 0.032 contain a null pointer dereference in the bundled HarfBuzz library that allows remote attackers to cause a denial of service without authentication or user interaction. The vulnerability affects applications using vulnerable versions of the library and results in service unavailability. No patch is currently available.
A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). [CVSS 5.5 MEDIUM]
A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. [CVSS 7.5 HIGH]
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing.
In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ...
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up.
In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events.
In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid.
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL.
In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1].
In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939!
In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencing ifpc_reglist when not declared On plaforms with an a7xx GPU not supporting IFPC, the ifpc_reglist if still deferenced in a7xx_patch_pwrup_reglist() which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ...
Substance 3D Modeler versions 1.22.4 and earlier contain a null pointer dereference vulnerability that causes application crashes when processing specially crafted files. An attacker can exploit this denial-of-service condition by tricking users into opening a malicious project file, requiring no special privileges but user interaction to trigger the crash.
Substance 3D Modeler versions 1.22.4 and earlier contain a null pointer dereference flaw that causes application crashes when a user opens a specially crafted file. This local denial-of-service vulnerability requires user interaction and currently lacks a security patch. The medium severity issue (CVSS 5.5) impacts availability but does not compromise confidentiality or integrity.
Adobe Illustrator versions 29.8.3 and 30.0 and earlier are vulnerable to a null pointer dereference that enables local denial-of-service attacks when users open crafted files. An attacker can crash the application by supplying a malicious file, disrupting workflow for targeted users. No patch is currently available for this vulnerability.
Remote denial of service in Windows LSASS affects Windows 10 and 11 through a null pointer dereference that an unauthenticated attacker can trigger over the network. The vulnerability causes service unavailability but does not enable code execution or data theft. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a fix.
Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. [CVSS 6.2 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1].
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted.
In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL.
In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages.
Adobe After Effects 25.6 and earlier suffers from a null pointer dereference that allows attackers to trigger application crashes by convincing users to open a specially crafted file. This local denial-of-service vulnerability requires user interaction but requires no special privileges, potentially disrupting creative workflows. No patch is currently available.
Substance 3D Designer 15.1.0 and earlier contains a null pointer dereference vulnerability that allows local attackers to crash the application by tricking users into opening malicious files. This denial-of-service attack requires user interaction but causes service disruption with no mitigation patch currently available.
Denial-of-service in Adobe Substance 3D Designer version 15.1.0 and earlier stems from a null pointer dereference vulnerability that crashes the application when a user opens a malicious file. The attack requires no special privileges and relies solely on user interaction to trigger the crash. No patch is currently available for this vulnerability.
Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.
Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial of service. [CVSS 6.8 MEDIUM]
FreeRDP proxy versions prior to 3.22.0 are vulnerable to denial of service when processing specially crafted RDP server responses that trigger a null pointer dereference in the logon information handler. An unauthenticated attacker controlling a malicious RDP server can crash the FreeRDP proxy by sending a LogonInfoV2 PDU with empty domain or username fields. This vulnerability has been patched in version 3.22.0 and later.
Open5GS versions up to 2.7.6 suffer from a null pointer dereference in the PGW S5U Address Handler component that can be triggered remotely without authentication, resulting in denial of service. Public exploit code exists for this vulnerability, and administrators should apply the available patch immediately.
Free5GC versions up to 4.1.0 are vulnerable to a null pointer dereference in the SMF component's SessionDeletionResponse function, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference vulnerability in the identityTriggerType function of pfcp_reports.go that allows remote attackers to cause denial of service without authentication. Public exploit code exists for this vulnerability, and no patch is currently available.
Free5GC versions up to 4.1.0 contain a null pointer dereference in the SMF's establishPfcpSession function that can be triggered remotely without authentication, causing a denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME.
Linux kernel null pointer dereference in the tracing subsystem causes a denial of service when synthetic events reference stacktrace fields from other synthetic events. Local users with tracing permissions can trigger a kernel crash by creating chained synthetic events that pass stacktrace data between them. No patch is currently available for this vulnerability.
A null pointer dereference vulnerability in the Linux kernel's be2net driver allows local users with low privileges to cause a denial of service by triggering a crash through improper parameter handling in the be_cmd_get_mac_from_list() function. The vulnerability occurs when the driver passes both a false pmac_id_valid flag and a NULL pointer to this function, causing the kernel to dereference the invalid pointer. No patch is currently available for this issue.
A null pointer dereference in the Linux kernel's net/sched act_ife module allows local users with low privileges to cause a denial of service through a kernel crash when the ife_encode() function fails to validate return values. The vulnerability affects the traffic control scheduling subsystem and requires local access to trigger.
Linux kernel UACCE subsystem is vulnerable to a null pointer dereference that causes a denial of service when queue release and device removal operations execute concurrently during system shutdown. A local attacker with standard user privileges can trigger this condition by forcing accelerator queue cleanup while the device is being removed, crashing the kernel. No patch is currently available.
The hp-bioscfg driver in the Linux kernel contains a null pointer dereference vulnerability triggered by an off-by-one error and missing NULL checks in the GET_INSTANCE_ID macro when accessing BIOS configuration sysfs attributes. Local users with unprivileged access can trigger a kernel panic by reading certain attribute files, causing denial of service during BIOS configuration operations. No patch is currently available for this vulnerability.
The Linux kernel's authencesn crypto module fails to validate minimum AAD (Associated Authenticated Data) length, allowing local attackers with unprivileged access to trigger a NULL pointer dereference and kernel panic by submitting specially crafted authentication requests with oversized AAD parameters. This denial-of-service vulnerability affects systems running vulnerable Linux kernel versions and requires local access to exploit. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay().
In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport.
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL.
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel.
Remote denial of service in Free5GC PCF versions up to 1.4.1 stems from a null pointer dereference in the SM Policy request handler, allowing unauthenticated attackers to crash the service from the network. Public exploit code exists for this vulnerability, and a patch is available to remediate the issue.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.
The 3com 3c59x driver in the Linux kernel is susceptible to a null pointer dereference in the vortex_probe1() function when pdev is null, potentially causing a denial of service through system crash or hang. A local attacker with unprivileged access can trigger this condition during driver initialization. A patch is available to resolve this issue.
A NULL pointer dereference in the Linux kernel's Marvell Prestera driver occurs when devlink_alloc() fails to allocate memory, as the code does not validate the returned pointer before dereferencing it. A local attacker with unprivileged access can trigger a kernel crash by exhausting memory or forcing allocation failures. A patch is available to add proper NULL pointer validation before dereferencing the devlink object.
The Linux kernel idpf driver fails to properly handle initialization errors during driver load, leaving the system in an inconsistent state where subsequent resets trigger a null pointer dereference crash. Local users with administrative privileges can cause a denial of service by triggering conditions that cause the init_task to fail, such as rejected firmware operations. No patch is currently available for this medium-severity vulnerability.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id.
Free5GC SMF versions up to 4.1.0 contain a null pointer dereference in the PFCP UDP endpoint handler that can be triggered remotely without authentication, leading to denial of service. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can crash the session management function by sending specially crafted PFCP association release requests.
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
Null pointer dereference in TP-Link Tapo C220 v1 and C520WS v2 cameras allows adjacent network attackers to crash the HTTP service via malformed POST requests with excessive Content-Length headers. Attackers can sustain denial of service through repeated crashes despite automatic device restarts. EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. [CVSS 7.5 HIGH]
Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. [CVSS 5.9 MEDIUM]
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. [CVSS 6.1 MEDIUM]
Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .
NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp.
NULL Pointer Dereference vulnerability in visualfc liteide (liteidex/src/3rdparty/libvterm/src modules). This vulnerability is associated with program files screen.C, state.C, vterm.C.
The vmwgfx driver in the Linux kernel crashes due to a null pointer dereference when KMS with 3D graphics is used on hardware version 10, which lacks GB Surfaces support. A local attacker with user-level privileges can trigger this vulnerability to cause a denial of service by crashing the display driver, resulting in a black screen. No patch is currently available for this medium-severity vulnerability.
The Linux kernel's ASoC tlv320adcx140 audio driver contains a null pointer dereference in the adcx140_priv structure due to improper initialization of the snd_soc_component field, allowing local authenticated users to trigger a denial of service. An attacker with local access and user-level privileges can crash the audio subsystem by invoking the vulnerable code path. No patch is currently available for this medium-severity vulnerability.
A null pointer dereference in the Linux kernel's build ID library can cause a denial of service when reading files in sleepable contexts. Local users with standard privileges can trigger a kernel crash through the filemap_read_folio() code path. This vulnerability requires no user interaction and affects the availability of the system.
The Linux kernel mlx5e driver crashes with a null pointer dereference when profile change operations fail and rollback is unsuccessful, leaving the network device in an invalid state. A local attacker with standard user privileges can trigger a denial of service by attempting subsequent profile changes, such as through switchdev mode modifications, which will access the dangling null pointer and crash the system.
The Linux kernel's NVMe-TCP implementation fails to validate pointer initialization in nvmet_tcp_build_pdu_iovec(), allowing remote attackers to trigger NULL pointer dereferences and cause denial of service by sending H2C_DATA PDUs before completing proper command initialization. An unauthenticated network attacker can exploit this vulnerability to crash the kernel without requiring user interaction or special privileges.
A null pointer dereference in the Linux kernel's mlx5e driver allows local attackers with user privileges to cause a denial of service by triggering a kernel panic when eswitch mode configuration fails. The vulnerability occurs when mlx5e_priv structure is improperly dereferenced during profile attachment failures, particularly when switching to switchdev mode. A patch is available to resolve this issue by storing netdev directly instead of referencing the unstable mlx5e_priv structure.
iccDEV versions 2.3.1.1 and below are vulnerable to null pointer dereference in CIccProfileXml::ParseBasic() when processing maliciously crafted ICC color profiles, allowing remote attackers to trigger denial of service or data manipulation without user interaction. Public exploit code exists for this vulnerability, which affects applications using the iccDEV libraries for color profile handling. The vulnerability has been patched in version 2.3.1.2.
Null pointer dereference in iccDEV versions 2.3.1.1 and below allows remote attackers to trigger denial of service or data manipulation via maliciously crafted ICC color profile data, with public exploit code currently available. The vulnerability stems from unsafe handling of user-controllable input in the CIccTagXmlFloatNum<>::ParseXml() function and may enable code execution depending on application context. Upgrade to version 2.3.1.2 to remediate.
iccDEV versions 2.3.1.1 and below contain a null pointer dereference in the CIccXmlArrayType() function that allows remote attackers to trigger denial of service, data manipulation, or potentially achieve code execution through crafted ICC profile data. The vulnerability stems from unsafe handling of user-controlled input in binary structured data and has public exploit code available. Upgrade to version 2.3.1.2 or later to remediate.
The Linux kernel's idpf driver contains a NULL pointer dereference in its RSS LUT handling that can be triggered when ethtool commands access the RSS lookup table immediately after a soft reset. Local users with standard privileges can crash the system by performing queue count changes followed by ethtool operations on the affected network interface. A patch is available to properly manage RSS LUT state during soft resets based on queue count changes.
The Linux kernel's Ceph authentication handler fails to properly propagate errors from mon_handle_auth_done(), allowing the msgr2 protocol to proceed with session establishment even when authentication fails in secure mode. This can trigger a NULL pointer dereference in prepare_auth_signature(), causing a denial of service on systems using Ceph for storage or communication. Local attackers with privileges to interact with Ceph authentication can crash the kernel or cause system instability.
A null pointer dereference vulnerability in the Linux kernel's libceph library occurs when free_choose_arg_map() is called after a partial memory allocation failure, allowing a local attacker with low privileges to cause a denial of service. The vulnerability exists because the function does not validate pointers before dereferencing them during cleanup operations. A patch is available to add proper pointer checks and make the cleanup routine resilient to incomplete allocations.
The Linux kernel's idpf driver crashes with a NULL pointer dereference when ethtool RSS operations are performed before the network interface is brought up, affecting systems using this driver. A local attacker with unprivileged user access can trigger a denial of service by executing RSS configuration commands on a down interface. The vulnerability is resolved by initializing the RSS lookup table during vport creation rather than at interface startup.
The Linux kernel's network stack contains a null pointer dereference vulnerability in message handling that could cause a denial of service when the msg_get_inq field is improperly written by the callee function. Local attackers with basic privileges can trigger this condition by reusing kernel-internal msghdr structures, resulting in system crashes or service interruption. A patch is available to prevent writes to this input field and eliminate the unsafe branching logic.
The ocelot network driver in the Linux kernel is susceptible to a null pointer dereference crash when adding a network interface under a link aggregation group, affecting systems using the ocelot_vsc7514 frontend. A local attacker with unprivileged access can trigger this denial of service condition by performing specific network interface configuration operations. A patch is available that adds proper pointer validation before accessing port structures.
A null pointer dereference in the Linux kernel's idpf driver allows local attackers with user privileges to cause a denial of service by triggering improper netdevice state management during reset operations. The vulnerability occurs when the driver fails to properly detach and close network devices before deallocating vport resources, leaving pointers unprotected from concurrent callback access. A patch is available to resolve this issue by implementing proper device state synchronization during reset handling.
Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId. [CVSS 7.5 HIGH]
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. [CVSS 2.9 LOW]
SIPp is vulnerable to a NULL pointer dereference that can be triggered by remote attackers sending malicious SIP messages during active calls, resulting in application crashes and denial of service. Under certain conditions, this vulnerability may also enable arbitrary code execution, potentially compromising system integrity and availability. No patch is currently available.
ImageMagick and Magick.NET versions 14.10.1 and below are vulnerable to denial of service attacks through a null pointer dereference in the MSL parser when processing malformed comment tags, exploitable by authenticated attackers without user interaction. Public exploit code exists for this vulnerability, and affected systems may crash or experience assertion failures depending on build configuration. No patch is currently available to address this medium-severity issue.
EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. [CVSS 7.4 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session`, `IConnection` which open new TCP socket for the ISO15118-20 communications and registers callbacks for the created file descriptor, without closing and destroying the previous ones. Previous `Session` is not saved and the usage of an `unique_ptr` is lost, destroying connection data. Latter, if the used socket and therefore file des...
A null pointer dereference in the Linux kernel's socket error queue handling causes a denial of service when CONFIG_HARDENED_USERCOPY is enabled and applications attempt to retrieve error messages via recvmsg(). Local attackers with user privileges can trigger a kernel panic by reading from the socket error queue on affected systems running vulnerable kernel versions.
A null pointer dereference in the Linux kernel's QFQ packet scheduler (net/sched/sch_qfq) allows local attackers with user privileges to cause a denial of service by deactivating an inactive aggregate during qdisc reset operations. The vulnerability occurs when multiple QFQ qdisc instances share a leaf qdisc, causing incorrect state assumptions during cleanup. A patch is available to resolve this issue.
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. [CVSS 7.5 HIGH]
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. [CVSS 7.5 HIGH]
NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). [CVSS 7.5 HIGH]
NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. [CVSS 7.5 HIGH]
HarfBuzz::Shaper for Perl versions before 0.032 contain a null pointer dereference in the bundled HarfBuzz library that allows remote attackers to cause a denial of service without authentication or user interaction. The vulnerability affects applications using vulnerable versions of the library and results in service unavailability. No patch is currently available.
A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). [CVSS 5.5 MEDIUM]
A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. [CVSS 7.5 HIGH]
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing.
In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ...
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up.
In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events.
In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid.
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL.
In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1].
In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939!
In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix deferencing ifpc_reglist when not declared On plaforms with an a7xx GPU not supporting IFPC, the ifpc_reglist if still deferenced in a7xx_patch_pwrup_reglist() which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ...
Substance 3D Modeler versions 1.22.4 and earlier contain a null pointer dereference vulnerability that causes application crashes when processing specially crafted files. An attacker can exploit this denial-of-service condition by tricking users into opening a malicious project file, requiring no special privileges but user interaction to trigger the crash.
Substance 3D Modeler versions 1.22.4 and earlier contain a null pointer dereference flaw that causes application crashes when a user opens a specially crafted file. This local denial-of-service vulnerability requires user interaction and currently lacks a security patch. The medium severity issue (CVSS 5.5) impacts availability but does not compromise confidentiality or integrity.
Adobe Illustrator versions 29.8.3 and 30.0 and earlier are vulnerable to a null pointer dereference that enables local denial-of-service attacks when users open crafted files. An attacker can crash the application by supplying a malicious file, disrupting workflow for targeted users. No patch is currently available for this vulnerability.
Remote denial of service in Windows LSASS affects Windows 10 and 11 through a null pointer dereference that an unauthenticated attacker can trigger over the network. The vulnerability causes service unavailability but does not enable code execution or data theft. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a fix.
Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. [CVSS 6.2 MEDIUM]
In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1].
In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted.
In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL.
In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages.