Null Pointer Dereference
A null pointer dereference occurs when a program attempts to access memory through a pointer that has been set to NULL (address 0x0).
How It Works
A null pointer dereference occurs when a program attempts to access memory through a pointer that has been set to NULL (address 0x0). In normal operation, pointers should reference valid memory locations before use. When a pointer is NULL—either uninitialized, explicitly set to NULL, or returned as NULL from a failed allocation—and the program tries to read from, write to, or execute code at that address, the operating system intervenes. On modern systems, accessing address zero triggers a segmentation fault that immediately terminates the process.
Attackers exploit this by manipulating program logic to force null pointer conditions. Common techniques include triggering allocation failures in low-memory conditions, providing malformed input that bypasses initialization checks, or exploiting race conditions where a pointer is checked for NULL but becomes NULL before use. The attacker identifies code paths where null checks are missing or inadequate, then crafts inputs to reach those vulnerable states.
On older systems that let an unprivileged process map memory at address zero, attackers could place their own code at that address, converting a crash into arbitrary code execution. Modern operating systems prevent this through mmap_min_addr restrictions that prohibit mapping memory below a threshold (typically 64KB). This mitigation has largely relegated null pointer dereferences to denial-of-service attacks rather than remote code execution vectors.
Impact
- Service disruption: Immediate process crash, taking down the vulnerable application or daemon
- Availability attacks: Repeated crashes forcing system restarts or service downtime
- Limited code execution: On unpatched legacy systems (pre-2009 Linux kernels, older embedded devices) where address zero mapping is possible
- Privilege escalation: In kernel-mode drivers where null dereferences can be exploited to execute attacker code with system privileges
Real-World Examples
The Linux kernel suffered from CVE-2009-2908, where null pointer dereferences in various subsystems could be exploited on systems allowing mmap at address zero. Attackers could map malicious code at NULL and trigger kernel null dereferences to achieve privilege escalation. This prompted the introduction of mmap_min_addr protections.
Microsoft Windows drivers have been frequent targets, including CVE-2020-17087 in the Windows kernel cryptography driver. Attackers triggered null pointer dereferences in kernel mode, which on older Windows versions could be exploited for local privilege escalation by controlling the null page.
Web browsers have experienced denial-of-service through null dereferences when parsing malformed content. Firefox CVE-2019-11707 involved a null pointer dereference in the IonMonkey JIT compiler, allowing attackers to crash the browser with specially crafted JavaScript, though not achieve code execution due to modern protections.
Mitigation
- Explicit null checks: Validate all pointers before dereferencing, especially after allocation or function calls that may return NULL
- Static analysis tools: Deploy analyzers like Coverity, Clang Static Analyzer, or PVS-Studio to detect missing null checks during development
- Address space layout: Enable mmap_min_addr kernel protection (standard on modern Linux, typically 65536 bytes)
- Fuzzing: Use AFL, libFuzzer, or similar tools to stress-test error handling paths and allocation failures
- Safe coding practices: Initialize pointers to NULL, use smart pointers in C++, adopt languages with built-in null safety
- Runtime bounds checking: Enable AddressSanitizer during testing to catch null dereferences immediately
Recent CVEs (1190)
NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local user to trigger a kernel oops, resulting in a denial of service. The flaw resides specifically in Ubuntu's out-of-tree SAUCE patches for AF_INET/AF_INET6 socket mediation - mainline Linux kernel builds are unaffected. No active exploitation is confirmed (not in CISA KEV), no public exploit has been identified at time of analysis, and the CVSS score of 3.3 (Low) accurately reflects the constrained impact: local access only, no confidentiality or integrity loss, and limited availability degradation.
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash the kernel via the AppArmor notification handling path. The flaw exists exclusively in Ubuntu-specific SAUCE patches layered on top of the upstream Linux kernel, meaning only Ubuntu kernels carrying these versions are affected - not upstream Linux or other distributions. No public exploit code or active exploitation has been identified at time of analysis; the impact is limited to a kernel oops (availability loss, CVSS A:L), with no confidentiality or integrity impact.
NULL pointer dereference in pam_usb prior to 0.8.7 allows a physically present attacker to crash the PAM authentication stack by inserting a USB device whose serial, vendor, or model metadata fields are absent. The module in src/device.c passes return values from udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks, despite the GIO/UDisks2 API explicitly documenting that these accessors can return NULL for devices not exposing those fields. The result is undefined behavior - typically a SIGSEGV - that terminates the authentication process. No public exploit has been identified at time of analysis and no active exploitation is confirmed.
pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently stripped by standard distribution build flags, enabling a local denial-of-service against authentication subsystems. Any allocation failure in xmalloc(), xrealloc(), or xstrdup() returns NULL, which every caller then dereferences unconditionally - the intended abort-before-dereference guarantee exists only in debug builds, not in Debian, Fedora, or Arch Linux packages that define -DNDEBUG via CFLAGS. A local attacker who can induce memory pressure at authentication time causes the PAM module to crash, locking all users out of sudo and login for the duration of the crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
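The two pam_usb entries above show both shapes of this bug: a NULL-returning accessor handed straight to strcmp(), and an allocation guard that only exists in debug builds. The C below is an added example, not pam_usb's or this page's code, that applies the explicit-null-check mitigation to both cases; the device_info struct and the allocator hook are constructed stand-ins for the UDisks accessors and malloc().

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a device record whose string fields come from
 * accessors that may return NULL, as the UDisks2 accessors are documented to. */
struct device_info {
    const char *serial;
    const char *vendor;
    const char *model;
};

/* Fail-closed comparison: a missing field never matches, so strcmp() is only
 * reached with two valid pointers. strcmp(NULL, x) is undefined behaviour and
 * in practice a SIGSEGV that takes the whole authentication process down. */
static int field_matches(const char *actual, const char *expected)
{
    if (actual == NULL || expected == NULL)
        return 0;
    return strcmp(actual, expected) == 0;
}

/* Returns 1 only when every identifying field is present and equal. */
int device_matches(const struct device_info *seen, const struct device_info *expected)
{
    return field_matches(seen->serial, expected->serial)
        && field_matches(seen->vendor, expected->vendor)
        && field_matches(seen->model, expected->model);
}

/* Allocator hook so the out-of-memory path can be exercised deterministically.
 * This is a test seam constructed for the example; fuzzers and ASan builds
 * drive the same path in real projects. */
static void *(*alloc_hook)(size_t) = malloc;
static void *failing_malloc(size_t n) { (void)n; errno = ENOMEM; return NULL; }
void simulate_oom(int enable) { alloc_hook = enable ? failing_malloc : malloc; }

/* Duplicate a string with an explicit NULL check that survives -DNDEBUG.
 * An assert()-only guard is compiled out in release builds, after which the
 * wrapper silently returns NULL and every trusting caller dereferences it.
 * Returns 0 and sets *out on success; returns -1 with *out == NULL otherwise. */
int xstrdup_checked(const char *s, char **out)
{
    size_t len;
    char *copy;

    *out = NULL;
    if (s == NULL) {            /* a NULL input is a caller error, not a copy of nothing */
        errno = EINVAL;
        return -1;
    }
    len = strlen(s) + 1;
    copy = alloc_hook(len);
    if (copy == NULL)
        return -1;              /* propagate the failure instead of handing back NULL as success */
    memcpy(copy, s, len);
    *out = copy;
    return 0;
}

int main(void)
{
    struct device_info expected = { "SN123", "ACME", "KeyStick" };   /* constructed values */
    struct device_info no_serial = { NULL, "ACME", "KeyStick" };     /* device omits its serial */
    char *dup = NULL;

    printf("complete device matches: %d\n", device_matches(&expected, &expected));
    printf("device without serial matches: %d\n", device_matches(&no_serial, &expected));

    simulate_oom(1);
    printf("xstrdup under OOM: rc=%d\n", xstrdup_checked("SN123", &dup));
    simulate_oom(0);
    if (xstrdup_checked("SN123", &dup) == 0) {
        printf("xstrdup normally: %s\n", dup);
        free(dup);
    }
    return 0;
}
```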
Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP request whose URL path begins with /status or /sysinfo. The server tries to load WOSHttpStatusModule.dll to service those paths and calls WOSBin_LoadHttpModule, but that DLL ships missing from the installation, so the resolved function pointer is NULL and the code invokes a function at address 0, terminating the process (CWE-476). The flaw was discovered and reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and it is not on the CISA KEV list, with availability-only impact (CVSS 7.5).
Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering a NULL pointer dereference. The function WOSSysInfoGetDeviceInterface() in WOSCommonUtil.dll returns NULL whenever no user is logged into the Server Agent Management Console, and callers such as WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that pointer without checking it, causing a process crash. There is no public exploit identified at time of analysis and the issue affects only availability (CVSS 7.5).
Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.
NULL pointer dereference in GPAC MP4Box crashes the application when parsing specially crafted truncated MP4 files, resulting in a denial-of-service condition. The vulnerability triggers in the gf_media_map_esd function (media_tools/isom_tools.c, line ~1364) when an invalid or unknown stsd (Sample Table Sample Description) entry leaves codec, mime, or profile descriptor fields uninitialized - the function then calls strlen() on a NULL pointer, producing a segmentation fault (SEGV). Publicly available exploit code exists demonstrating the crash, though EPSS at 0.02% (6th percentile) signals negligible widespread exploitation probability and the vulnerability is not listed in CISA KEV.
Remote denial of service in IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server (versions 3.7.4 through 4.4.7 Fix Pack 1) allows an unauthenticated network attacker to crash the asperahttpd service via a NULL pointer dereference. Exploitation requires no credentials and no user interaction, yielding a complete loss of availability for the affected transfer service. There is no public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact.
Unauthenticated denial of service in GNU SASL before version 2.2.3 occurs through a NULL pointer dereference in the DIGEST-MD5 authentication mechanism. Remote attackers can crash both client and server applications by sending a malformed authentication token that lacks an equals sign character, causing the getsubopt.c parser to dereference a NULL pointer.
Denial of service in HAX CMS NodeJS (npm/@haxtheweb/haxcms-nodejs) allows any authenticated user to crash the entire Node.js server process with a single crafted HTTP POST to the createSite endpoint. The crash stems from a null pointer dereference (CWE-476) in HAXCMSFile.save(), where tmpFile.originalname is undefined, causing an unhandled TypeError that terminates the process immediately. Because HAX CMS permits open account self-registration, an attacker can create their own account and trigger the crash without needing to compromise existing credentials, making the effective barrier to exploitation very low despite the PR:L CVSS designation. No public exploit identified at time of analysis beyond the PoC included in the GitHub security advisory.
Remote unauthenticated denial-of-service in NanoMQ MQTT Broker (versions 0.24.10 and below) crashes the broker process via a NULL pointer dereference triggered by high-concurrency MQTT reconnect traffic. The flaw occurs during session resumption for persistent-session clients (clean_start=0), where the NanoNNG transport layer's pipe_peer() function dereferences cpipe->subinfol without verifying that the new pipe's subinfol pointer is also non-NULL - a pointer that can be freed mid-race. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, CVSS AV:N/PR:N confirms remote unauthenticated triggering, and the fix has been released in version 0.24.11.
NULL pointer dereference in Samsung's open-source Walrus WebAssembly runtime crashes the parser when processing malformed WASM binaries, resulting in denial of service. The vulnerability exists in the WASMBinaryReader component (WASMParser.cpp) at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9, where multiple error-handling code paths fail to return early, allowing execution to continue past invalid state and dereference null pointers. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
NULL pointer dereference in OpenHarmony v6.0 and prior enables a local low-privileged attacker to crash the system or an affected process, causing a denial-of-service condition. The vulnerability is confined to local exploitation with no confidentiality or integrity impact, as reflected in the CVSS:3.1 score of 3.3 (Low). No public exploit code has been identified at time of analysis, and no active exploitation has been reported.
NULL pointer dereference in Samsung Open Source Walrus's WebAssembly binary parser causes application-level denial of service when a crafted .wasm module containing deeply nested instructions is loaded. The vulnerability affects the Walrus runtime at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9 (CPE: cpe:2.3:a:samsung_open_source:walrus) and is classified CVSS 5.5 Medium with a local attack vector requiring user interaction. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; an upstream fix is available in GitHub PR #409 but a tagged release version has not been independently confirmed.
Null pointer dereference in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.3-dev allows authenticated remote attackers to trigger denial of service via crafted NGAP UERadioCapabilityCheckResponse messages. The vulnerability exists in ngap/dispatcher.go where insufficient null pointer validation permits exploitation through the 5G network interface. Public exploit code exists (GitHub issue #675), and vendor-released patch v2.2.0 is available via PR #666, which also addresses multiple related security issues in NGAP message handling and mobile identity parsing.
Remote denial of service in omec-project AMF versions up to 2.1.3-dev allows authenticated attackers to crash the Access and Mobility Management Function via crafted NGAP messages that trigger null pointer dereference in ngap/handler.go. Public exploit code exists (GitHub issue #674). Affects OMEC 5G core network deployments. Patched in version 2.2.0 via PR #666, which addresses multiple security issues including malformed SUCI handling and missing null checks across NGAP message parsing.
Null pointer dereference in OMEC Project AMF versions up to 2.1.3-dev allows remote authenticated attackers to trigger denial of service via crafted NGAP messages to the RANConfiguration function. The vulnerability (CVE-2026-8781) affects the Access and Mobility Management Function component of the Open Mobile Evolved Core, a critical element in 5G networks. Publicly available exploit code exists (GitHub issue #673), but CVSS 2.1 (Low) reflects limited availability impact and low-privilege authentication requirement. Vendor-released patch: version 2.2.0 (GitHub PR #666).
The qs Node.js library (versions 6.11.1 through 6.15.1) crashes with a synchronous TypeError when stringify is called with both arrayFormat: 'comma' and encodeValuesOnly: true on arrays containing null or undefined elements. Applications using these non-default options together will experience request failures (typically 500 errors in web frameworks) when processing user input with null array values. The vulnerability was introduced in commit 4c4b23d (PR #463, January 2023) and patched in v6.15.2 (commit 21f80b3). No public exploit or CISA KEV listing identified at time of analysis, though exploitation requires only crafting JSON input with null array elements.
libsixel versions prior to 1.8.7-r2 crash on memory allocation failure in sixel_decode_raw and sixel_decode functions due to incorrect NULL pointer validation, allowing local attackers to trigger denial of service under low-memory conditions. The vulnerability affects any application using libsixel's public decoding APIs when system memory pressure causes malloc to fail.
Remote unauthenticated attackers can crash F5 BIG-IP and BIG-IP Next Traffic Management Microkernel (TMM) processes via undisclosed malformed HTTP/2 requests when virtual servers are configured with both an HTTP/2 profile and iRules using HTTP::redirect or HTTP::respond commands. Exploitation requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N) and results in complete service disruption. Vendor patch available via F5 K000159034. EPSS data not provided, but the specific configuration requirement limits exposure to organizations using HTTP/2 with custom iRule redirects or responses.
NanaZip is an open-source file archiver. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero-length, causing a null-pointer dereference on the first read. This vulnerability is fixed in 6.0.1698.0.
Illustrator versions 29.8.6, 30.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service over an adjacent network.
Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service locally.
Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.
Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service over an adjacent network.
Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service over a network.
Null pointer dereference in Windows Storport Miniport Driver allows remote attackers to trigger denial of service over a network with user interaction. The vulnerability affects Windows Server 2025 and exists in the storage port driver architecture, requiring the attacker to send a specially crafted network request that causes the driver to dereference a null pointer, resulting in service interruption or system instability. No public exploit code or active exploitation has been confirmed.
Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 2.6.0 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Denial of service in Siemens industrial networking equipment allows remote unauthenticated attackers to crash affected devices via specially crafted IPv4 packets, requiring manual restart for recovery. This vulnerability affects over 200 Siemens industrial automation products including SCALANCE switches/routers, SIMATIC PLCs, SINAMICS drives, and RUGGEDCOM devices. CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network-accessible attack vector requiring low complexity and no privileges (AV:N/AC:L/PR:N). No public exploit code or CISA KEV listing identified at time of analysis, though the straightforward network-based attack and widespread product exposure warrant priority patching for operational technology environments where uptime is critical.
Null pointer dereference in Apple operating systems (iOS, iPadOS, macOS Tahoe, tvOS) allows local network attackers to cause denial of service by sending crafted input that bypasses validation. The vulnerability affects all versions prior to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and tvOS 26.5. No code execution or data compromise is possible; impact is limited to availability disruption on affected devices.
Null pointer dereference in Open5GS Session Management Function (SMF) up to version 2.7.7 allows authenticated remote attackers to cause denial of service by manipulating the smf_nsmf_handle_create_data_in_hsmf function. Publicly available exploit code exists, and the project has been notified but has not yet released a patch.
PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE field, enabling denial of service against connection pooling infrastructure. The vulnerability requires an attacker to control or compromise a PostgreSQL backend server or intercept server responses on the network, making exploitation conditional on non-default network topology or server compromise. CVSS score of 5.9 reflects high availability impact but limited attack surface due to medium complexity (AC:H).
`{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks `_, ok = UESubsData.EeSubscriptionCollection[subsId]` and sets a `404` problem-details on the miss path, but then continues to `UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos` -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable. This endpoint requires a valid `nudr-dr` OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.

Validated against the UDR container in the official Docker compose lab.

- Source repo tag: `v4.2.1`
- Running Docker image: `free5gc/udr:v4.2.1`
- Runtime UDR commit: `754d23b0`
- Docker validation date: 2026-03-22
- UDR endpoint: `http://10.100.200.11:8000`

Precondition (one authenticated EE-subscription create allocates UE state):

```go
if !ok {
    udrSelf.UESubsCollection.Store(ueId, new(udr_context.UESubsData))
    value, _ = udrSelf.UESubsCollection.Load(ueId)
}
...
UESubsData.EeSubscriptionCollection[newSubscriptionID] = new(udr_context.EeSubscriptionCollection)
```

Vulnerable handler (delete on amf-subscriptions): the `ok` miss path sets `pd` but does not return, so the very next line dereferences the nil entry:

```go
_, ok = UESubsData.EeSubscriptionCollection[subsId]
if !ok {
    pd = util.ProblemDetailsNotFound("SUBSCRIPTION_NOT_FOUND")
}
if UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {
    pd = util.ProblemDetailsNotFound("AMFSUBSCRIPTION_NOT_FOUND")
}
```

When `subsId` is absent, `UESubsData.EeSubscriptionCollection[subsId]` is nil, and `.AmfSubscriptionInfos` panics with `runtime error: invalid memory address or nil pointer dereference`.

Code evidence (paths in `free5gc/udr`):

- Precondition route + handler (EE-subscription create that allocates UE state):
  - `NFs/udr/internal/sbi/api_datarepository.go:600`
  - `NFs/udr/internal/sbi/api_datarepository.go:602`
  - `NFs/udr/internal/sbi/api_datarepository.go:2528`
  - `NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:25`
  - `NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:30`
  - `NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:38`
- Vulnerable delete route + dispatch:
  - `NFs/udr/internal/sbi/api_datarepository.go:2161`
  - `NFs/udr/internal/sbi/api_datarepository.go:2172`
- Panic root cause (nil deref):
  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:62`
  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:64`
  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:69`

Reproduced end-to-end against the running UDR at `http://10.100.200.11:8000`.

1. Restart UDR (clean state):

   ```
   docker restart udr
   ```

2. Obtain a valid `nudr-dr` token from NRF:

   ```
   curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'
   ```

3. Create one EE subscription to populate `UESubsCollection` for `ueId=x`:

   ```
   curl -i -sS -X POST \
     'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/context-data/ee-subscriptions' \
     -H 'Authorization: Bearer <valid_nudr_dr_jwt>' \
     -H 'Content-Type: application/json' \
     --data '{}'
   ```

   ```
   HTTP/1.1 201 Created
   ```

4. Trigger the panic with a nonexistent `subsId`:

   ```
   curl -i -sS -X DELETE \
     'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
     -H 'Authorization: Bearer <valid_nudr_dr_jwt>'
   ```

   ```
   HTTP/1.1 500 Internal Server Error
   Content-Length: 0
   ```

5. UDR container logs (`docker logs udr`) confirm the nil-pointer panic at `event_amf_subscription_info_document.go:69` inside `RemoveAmfSubscriptionsInfoProcedure`:

   ```
   [ERRO][UDR][GIN] panic: runtime error: invalid memory address or nil pointer dereference
   github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
       .../event_amf_subscription_info_document.go:69
   github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
       .../api_datarepository.go:2172
   [INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |
   ```

NULL pointer dereference (CWE-476) in an authenticated UDR data-repository handler, caused by improper handling of the missing-subsId branch (CWE-754): the handler sets a problem-details value but does not return, then dereferences the same missing map entry. This is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token.

A network attacker who already holds (or can obtain) a valid token can:

- Trigger a reliable, repeatable nil-deref panic on the `amf-subscriptions` delete route after one preparatory POST that allocates UE state for the chosen `ueId`.
- Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended `404 SUBSCRIPTION_NOT_FOUND` response would have.

No Confidentiality impact (the response is `500` with empty body; no UE data is returned to the attacker via the panic). No persistent Integrity impact from the panic itself (the EE subscription created during the precondition is in-memory state owned by UDR's intended data-repository semantics, and is not corrupted by the delete-time panic). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/919
Upstream fix: https://github.com/free5gc/udr/pull/60
`{afId}/transactions/{transId}/applications/{appId}` handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns `err != nil` together with a nil `*ProblemDetails`. The handler's `errPfdData != nil` branch builds its own `problemDetailsErr` correctly, but immediately after it reads `problemDetails.Cause` (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into `HTTP 500`, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.

This is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.

The HTTP request itself in v4.2.1 is reachable without an `Authorization` header because the underlying NEF `3gpp-pfd-management` route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.

Validated against the NEF container in the official Docker compose lab.

- Source repo tag: `v4.2.1`
- Running Docker image: `free5gc/nef:v4.2.1`
- Runtime NEF commit: `5ce35eab`
- Docker validation date: 2026-03-21 (container log timestamp `2026-03-21T03:06:36Z`)
- NEF endpoint: `http://10.100.200.19:8000`

Vulnerable handler logic in `PatchIndividualApplicationPFDManagement` (paraphrased):

```go
pdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)
switch {
case problemDetails != nil:
    ...
case errPfdData != nil:
    problemDetailsErr := &models.ProblemDetails{
        Status: http.StatusInternalServerError,
        Detail: "Query to UDR failed",
    }
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause) // <-- nil deref
    c.JSON(int(problemDetailsErr.Status), problemDetailsErr)
    return
}
```

In the `errPfdData != nil` branch, `problemDetails` is by construction nil (otherwise the first `case` would have matched). Reading `problemDetails.Cause` panics with `runtime error: invalid memory address or nil pointer dereference`. The intended value is presumably `problemDetailsErr.Cause` -- the locally constructed problem-details struct.

Code evidence (paths in `free5gc/nef`):

- Patch handler core path:
  - `NFs/nef/internal/sbi/processor/pfd.go:563`
  - `NFs/nef/internal/sbi/processor/pfd.go:610`
- Panic site (nil-deref on `problemDetails.Cause`):
  - `NFs/nef/internal/sbi/processor/pfd.go:622`
- Route exposure / dispatch:
  - `NFs/nef/internal/sbi/api_pfd.go:168`
  - `NFs/nef/internal/sbi/api_pfd.go:188`

Reproduced end-to-end against the running NEF at `http://10.100.200.19:8000`. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF's UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.

1. Create an AF context (no Authorization header):

   ```
   curl -i -X POST 'http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions' \
     -H 'Content-Type: application/json' \
     --data '{"afAppId":"app-nef-npd3","anyUeInd":true}'
   ```

2. Create a PFD-management transaction:

   ```
   curl -i -X POST 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions' \
     -H 'Content-Type: application/json' \
     --data '{"pfdDatas":{"appnpd3":{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":["permit in ip from 10.68.28.39 80 to any"]}}}}}'
   ```

3. Make UDR access fail (lab simulation):

   ```
   docker stop nrf
   ```

4. Trigger the panic with one PATCH:

   ```
   curl -i -X PATCH 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3' \
     -H 'Content-Type: application/json' \
     --data '{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":[]}}}'
   ```

   ```
   HTTP/1.1 500 Internal Server Error
   Content-Length: 0
   ```

5. NEF container logs (`docker logs --since 2026-03-21T03:06:36Z nef`) confirm the nil-deref panic at `pfd.go:622` inside `PatchIndividualApplicationPFDManagement`:

   ```
   [INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]
   [ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
   github.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement
       .../pfd.go:622
   github.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement
       .../api_pfd.go:188
   [INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |
   ```

6. Restore for further testing:

   ```
   docker start nrf
   ```

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the `errPfdData != nil` branch reads `problemDetails.Cause` even though `problemDetails` is nil by construction in that branch (the prior `case` already matched the non-nil case). The intended target was the locally constructed `problemDetailsErr.Cause`. Gin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns `500` (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.

No Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/925
Upstream fix: https://github.com/free5gc/nef/pull/22
```
{"ascReqData":{"suppFeat":"1","notifUri":"http://127.0.0.1:9999/appsess","ueIpv4":"10.60.0.3","dnn":"internet","medComponents":{"1":{"medCompN":1,"afAppId":"app1"}}}}'
```

```
HTTP/1.1 500 Internal Server Error
```

3. Control comparison -- same request shape but `suppFeat="0"` -> normal `201 Created`:

   ```
   curl -i -X POST 'http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions' \
     -H 'Content-Type: application/json' \
     -H 'Authorization: Bearer <valid_npcf_policyauthorization_jwt>' \
     --data '{"ascReqData":{"suppFeat":"0","notifUri":"http://127.0.0.1:9999/appsess","ueIpv4":"10.60.0.3","dnn":"internet","medComponents":{"1":{"medCompN":1,"afAppId":"app1"}}}}'
   ```

   ```
   HTTP/1.1 201 Created
   ```

4. PCF container logs show the panic stack landing in `provisioningOfTrafficRoutingInfo` with `routeReq = 0x0`:

   ```
   [ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
   github.com/free5gc/pcf/internal/sbi/processor.provisioningOfTrafficRoutingInfo(..., 0x0, ...)
       .../policyauthorization.go:1740
   github.com/free5gc/pcf/internal/sbi/processor.(*Processor).postAppSessCtxProcedure
       .../policyauthorization.go:288
   github.com/free5gc/pcf/internal/sbi/processor.(*Processor).HandlePostAppSessionsContext
       .../policyauthorization.go:139
   github.com/free5gc/pcf/internal/sbi.(*Server).HTTPPostAppSessions
       .../api_policyauthorization.go:119
   [INFO][PCF][GIN] | 500 | POST | /npcf-policyauthorization/v1/app-sessions |
   ```

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the create path passes `routeReq` straight into `provisioningOfTrafficRoutingInfo` without a nil check, even though `medComp.AfRoutReq` is optional and is nil for the demonstrated valid input shape. The control experiment with `suppFeat="0"` proves the request shape itself is otherwise valid.

Gin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any authenticated POST against this endpoint with `suppFeat="1"` and `medComponents.*.AfAppId` set but `AfRoutReq` absent returns `HTTP 500` with empty body and a stack trace in PCF logs. Any party that holds (or can obtain) a valid `npcf-policyauthorization` token can repeatedly drive this code path to sustain a per-request panic-DoS on the app-session create endpoint, with each panic costing more CPU + log writes than the intended controlled response would have.

No Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation.

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/879

Upstream fix: https://github.com/free5gc/pcf/pull/65
```
{
  "supi":"imsi-208930000000003",
  "pduSessionId":1,
  "dnn":"internet-bad",
  "sliceInfo":{"sst":1,"sd":"010203"},
  "servingNetwork":{"mcc":"208","mnc":"93"},
  "accessType":"3GPP_ACCESS",
  "notificationUri":"http://smf.free5gc.org:8000/npcf-smpolicycontrol/v1/notify"
}'
```

Observed response: `HTTP 500 Internal Server Error` with empty body. PCF container logs show:

```
[INFO][PCF][SMpolicy] Handle CreateSmPolicy
[ERRO][PCF][Consumer] openapi error: 404, Not Found
[ERRO][PCF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
...HandleCreateSmPolicyRequest at smpolicy.go:82...
```

The Gin recovery middleware catches the panic (the captured stack trace runs inside `ginRecover.func2.1`), so the PCF process keeps serving other requests; the realized impact is per-request `HTTP 500` on this endpoint whenever the downstream lookup fails.

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the UDR-failure branch logs the OpenAPI error but does not return, then dereferences the nil response struct. The intended behavior is to return a controlled `4xx`/`5xx` `ProblemDetails` and stop processing.

Gin recovery catches the panic, so the PCF process is NOT killed and other endpoints continue serving. The realized impact is per-request: any unauthenticated POST that drives the downstream UDR lookup to a `404` returns `HTTP 500` (with empty body and a stack trace in PCF logs) instead of a controlled error response.

No Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation. The endpoint remains reachable to unauthenticated attackers via the route-group auth gap separately tracked in free5gc/free5gc#844.

Affected: free5gc v4.2.1 (originally reported against v4.1.0; same defect present).

Upstream issue: https://github.com/free5gc/free5gc/issues/803

Upstream fix: https://github.com/free5gc/pcf/pull/62
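The three free5gc reports above share one defect class: an error branch that keeps running into a dereference of the pointer that is nil on exactly that path. As an added example (not code from free5gc), the following Go program models the NEF `PatchIndividualApplicationPFDManagement` switch beside a corrected version that takes the cause from the locally built struct and stops processing, with a recover wrapper standing in for Gin's recovery middleware so a panic can be told apart from a controlled 500. `ProblemDetails`, `pfdLookup`, `Result`, the two fake UDR lookups and the cause string `UDR_UNREACHABLE` are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ProblemDetails is a constructed stand-in for the SBI models.ProblemDetails struct,
// reduced to the fields this example needs.
type ProblemDetails struct {
	Status int32
	Cause  string
	Detail string
}

// pfdLookup is a hypothetical stand-in for the consumer wrapper AppDataPfdsAppIdGet:
// PFD data, an upstream-supplied ProblemDetails, or a transport-level error.
type pfdLookup func(appID string) (map[string]string, *ProblemDetails, error)

// Result is what a handler hands back to the HTTP layer: response status, body
// detail, and the cause it would store in the request context.
type Result struct {
	Status   int
	Detail   string
	CtxCause string
}

// vulnerableHandler mirrors the defect: the errPfdData branch builds problemDetailsErr
// but then reads problemDetails.Cause, and problemDetails is nil by construction there.
func vulnerableHandler(lookup pfdLookup, appID string) Result {
	_, problemDetails, errPfdData := lookup(appID)
	switch {
	case problemDetails != nil:
		return Result{int(problemDetails.Status), problemDetails.Detail, problemDetails.Cause}
	case errPfdData != nil:
		problemDetailsErr := &ProblemDetails{
			Status: http.StatusInternalServerError,
			Detail: "Query to UDR failed",
		}
		// BUG: wrong pointer; this line panics with a nil pointer dereference.
		return Result{int(problemDetailsErr.Status), problemDetailsErr.Detail, problemDetails.Cause}
	}
	return Result{Status: http.StatusOK}
}

// fixedHandler takes the cause from the locally built struct and returns from the
// error branch, so a failing UDR yields a controlled 500 instead of a panic.
func fixedHandler(lookup pfdLookup, appID string) Result {
	_, problemDetails, errPfdData := lookup(appID)
	switch {
	case problemDetails != nil:
		return Result{int(problemDetails.Status), problemDetails.Detail, problemDetails.Cause}
	case errPfdData != nil:
		problemDetailsErr := &ProblemDetails{
			Status: http.StatusInternalServerError,
			Cause:  "UDR_UNREACHABLE", // constructed cause string for this example
			Detail: "Query to UDR failed: " + errPfdData.Error(),
		}
		return Result{int(problemDetailsErr.Status), problemDetailsErr.Detail, problemDetailsErr.Cause}
	}
	return Result{Status: http.StatusOK}
}

// withRecovery plays the role of Gin's recovery middleware: a panic becomes an
// empty-body 500 and is reported separately so a caller can tell it from a controlled 500.
func withRecovery(h func(pfdLookup, string) Result, lookup pfdLookup, appID string) (res Result, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			res = Result{Status: http.StatusInternalServerError}
			panicked = true
		}
	}()
	return h(lookup, appID), false
}

// udrDown simulates the lab precondition (NRF stopped, UDR unreachable): no data, no
// upstream ProblemDetails, only a transport error. Constructed for this example.
func udrDown(string) (map[string]string, *ProblemDetails, error) {
	return nil, nil, errors.New("dial udr: connection refused")
}

// udrRejects simulates UDR answering with its own ProblemDetails (the first case branch).
func udrRejects(appID string) (map[string]string, *ProblemDetails, error) {
	return nil, &ProblemDetails{Status: http.StatusNotFound, Cause: "APPLICATION_NOT_FOUND",
		Detail: "no PFD data for " + appID}, nil
}

func main() {
	handlers := map[string]func(pfdLookup, string) Result{
		"vulnerable": vulnerableHandler, "fixed": fixedHandler,
	}
	for _, name := range []string{"vulnerable", "fixed"} {
		res, panicked := withRecovery(handlers[name], udrDown, "appnpd3")
		fmt.Printf("%-10s UDR down -> status=%d panicked=%v detail=%q\n", name, res.Status, panicked, res.Detail)
		res, panicked = withRecovery(handlers[name], udrRejects, "appnpd3")
		fmt.Printf("%-10s UDR 404  -> status=%d panicked=%v cause=%q\n", name, res.Status, panicked, res.CtxCause)
	}
}
```

The same recover-and-compare harness is how a regression test for the PCF `HandleCreateSmPolicyRequest` case would look: drive the downstream lookup to its failure branch and assert that the handler returns a ProblemDetails rather than panicking.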
Local denial-of-service in the Linux kernel's mpi3mr SCSI driver causes a system crash via NULL pointer dereference during resource cleanup. An authenticated local user on a system using MPI3-based storage controllers can trigger a kernel panic by inducing the error path where queue creation fails: the driver frees reply or request queue memory but subsequently attempts to memset the now-freed (NULL) pointer, crashing the system. No public exploit exists and EPSS sits at 0.02% (7th percentile), indicating low real-world exploitation probability at time of analysis.
NULL pointer dereference in the Linux kernel's UFS host controller driver crashes the kernel when ufshcd_mcq_req_to_hwq() returns NULL during MCQ command completion, allowing an authenticated local user on affected hardware to trigger a denial of service. The vulnerability is confined to the SCSI UFS subsystem's ufshcd_add_command_trace() function and impacts systems with UFS storage operating in Multi-Circular Queue mode - primarily ARM64 embedded and mobile platforms using MediaTek UFS controllers. No public exploit has been identified at time of analysis, and EPSS at 0.02% (5th percentile) reflects the highly constrained attack surface.
Null pointer dereference in the Linux kernel's rxrpc and AFS subsystems allows a local authenticated attacker to trigger a kernel denial of service. The rxrpc_kernel_lookup_peer() function can return either NULL or an error pointer on failure, but its AFS callers only tested for NULL - leaving unchecked error pointer values that, when dereferenced, cause a kernel panic. No public exploit has been identified and EPSS probability sits at 0.02%, indicating low observed exploitation interest; however, the availability impact is rated High by CVSS due to the potential for full system crash.
Denial of service in the Linux kernel's drm/amdkfd (AMD GPU Kernel Fusion Driver) subsystem allows a local authenticated user to crash the kernel via a NULL pointer dereference. The flaw originates in the error handling path of the queue update routine, where a buffer object (bo) is not unreserved upon failure, leaving the subsystem in an inconsistent state that triggers a null dereference. No active exploitation is known; EPSS is 0.02% (5th percentile), and the impact is limited strictly to availability - confidentiality and integrity are unaffected.
Null pointer dereference in the Linux kernel's ASoC AMD ACP machine-common driver can be triggered by a local authenticated user to crash the kernel, resulting in a denial of service. The functions acp_card_rt5682_init() and acp_card_rt5682s_init() in sound/soc/amd/acp/acp-mach-common.c fail to validate the return value of clk_get(), allowing an invalid error pointer to be dereferenced by downstream clock core functions. No public exploit code exists and no active exploitation has been confirmed; EPSS probability stands at 0.02% (5th percentile), reflecting very low real-world exploitation likelihood.
Null pointer dereference in Linux kernel bonding driver crashes systems running with IPv6 disabled (ipv6.disable=1) when IPv6 Neighbor Solicitation packets arrive on bonded interfaces with ARP/NS validation enabled. Affects Linux kernel versions 5.18+ up to 6.19.9/7.0, with vendor patches available across stable branches (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation or public POC has been identified, but the high CVSS 7.5 reflects trivial remote triggering (AV:N/AC:L/PR:N) for denial-of-service in affected configurations.
NULL pointer dereference in the Linux kernel's ALSA USB-audio Scarlett2 mixer quirk allows a local low-privileged user to crash the kernel (denial of service) by presenting a malformed USB descriptor with zero endpoints. Affected systems running unpatched kernels from the initial commit onward through stable branches 6.1.x, 6.6.x, 6.12.x, 6.18.x, and 6.19.x are exposed whenever the USB-audio driver enumerates a crafted or emulated Scarlett2-type device. No active exploitation is confirmed (not in CISA KEV) and no public exploit identified at time of analysis; the EPSS score of 0.03% (8th percentile) confirms very low real-world exploitation probability.
NULL pointer dereference in the Linux kernel's xhci USB host controller debugfs interface allows a local low-privileged user to crash the kernel (denial of service) by reading portli debugfs files. The flaw surfaces when xhci's max_ports count exceeds the number of ports covered by Supported Protocol capabilities - producing NULL rhub pointers - which the portli read handler dereferences without checking. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible broad exploitation interest; the vulnerability is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.
NULL pointer dereference in the Linux kernel's hisi_sas SCSI driver crashes systems when a local user triggers a host scan via sysfs. Authenticated local users with low privileges can write to the sysfs scan interface, causing kernel oops due to a channel iteration bug introduced in commit 37c4e72b0651 - the driver supports only one channel (channel 0) but its max_channel is set to 1, causing sas_user_scan() to attempt scanning channel 1 where no valid SAS device structure exists. The result is a denial-of-service via kernel NULL pointer dereference at sas_find_dev_by_rphy(). No public exploit or CISA KEV listing has been identified; EPSS is 0.02% (5th percentile), consistent with low-likelihood opportunistic exploitation.
NULL pointer dereference in the Linux kernel's ASoC QCOM QDSP6 subsystem crashes systems built on Qualcomm SA8775P and SC8280XP SoCs during ADSP protection-domain restart cycles. The crash occurs because the q6apm-audio .remove callback prematurely deletes Runtime Descriptions (RTDs) containing q6apm DAI components during ASoC teardown, leaving those components still linked to the sound card and triggering a kernel oops on the subsequent rebind. Impact is limited to availability (kernel panic/denial of service); no public exploit has been identified at time of analysis, and EPSS at 0.02% reflects very low widespread exploitation probability.
NULL pointer dereference in the Linux kernel's stratix10-rsu firmware driver triggers a kernel panic (denial of service) on Intel/Altera SoCFPGA Stratix 10 systems running kernel 6.19.x when RSU is disabled in the First Stage Boot Loader. A local authenticated user can cause a full system crash by triggering the svc_normal_to_secure_thread kernel thread, which dereferences an already-freed service channel pointer. No public exploit identified at time of analysis; EPSS score of 0.02% at the 5th percentile reflects the narrow hardware-specific exposure.
Kernel crash (page fault) in the Linux kernel's kprobes subsystem allows a local authenticated user to trigger a system denial-of-service by removing a module containing kprobe probes after ftrace has been killed due to prior errors. The affected code path in kprobes_module_callback does not check the kprobe_ftrace_disabled flag set by ftrace_kill(), causing invalid memory access traceable via KASAN at address fffffbfff805000d. No active exploitation has been confirmed; EPSS is 0.02% (5th percentile), reflecting the niche preconditions required.
Memory corruption in the Linux kernel's Ceph filesystem client allows local authenticated users to trigger kernel crashes and potentially escalate privileges. The vulnerability stems from missing zero-initialization of ceph_path_info structures before passing them to ceph_mdsc_build_path(), causing subsequent ceph_mdsc_free_path_info() calls to attempt freeing uninitialized or corrupted memory pointers. Multiple code paths in ceph_open() and related functions are affected, introduced by commit 15f519e9f883. Patches are available for kernel versions 6.12.78, 6.18.19, 6.19.9, and 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, with no public exploit code or CISA KEV listing at time of analysis.
NULL pointer dereference in the Linux kernel's intel_pstate cpufreq driver crashes systems booted with the 'nosmt' parameter when CPU QoS requests are processed for SMT sibling threads. On 'nosmt'-booted systems, all_cpu_data[cpu] is NULL for disabled SMT siblings; update_cpu_qos_request() dereferences cpudata->pstate.turbo_freq before validating the policy pointer, producing a kernel panic and local denial of service. EPSS at 0.02% (4th percentile) reflects very low exploitation probability, no public exploit code has been identified, and no CISA KEV listing exists at time of analysis.
A NULL pointer dereference in Linux kernel AMD GPU driver cleanup code causes local denial of service when GPU initialization fails on systems with unsupported AMD hardware blocks. Local authenticated users with low privileges can trigger kernel crashes during device teardown sequences. The vulnerability affects multiple stable kernel versions (6.18.16-6.18.19, 6.19.6-6.19.9) with patches available from upstream. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no active exploitation or public exploits are confirmed. Real-world impact is limited to systems with specific AMD GPU hardware experiencing initialization failures, making this primarily a reliability issue rather than a direct security threat.
Null pointer dereference in Linux kernel's AMD DRM driver causes system crash during device cleanup on unsupported hardware. The flaw (CWE-476) affects multiple 6.18.x and 6.19.x kernel versions, allowing local authenticated users to trigger denial of service through AMD GPU driver initialization or cleanup operations. Patches are available via kernel stable tree commits; the EPSS score of 0.02% indicates minimal exploitation likelihood. No active exploitation or public POC identified at time of analysis.
NULL pointer dereference in Linux kernel's ublk driver allows local authenticated users to crash the system by sending UBLK_CMD_UPDATE_SIZE to a device before it starts or after it stops. The vulnerability exists in ublk_ctrl_set_size() which unconditionally dereferences ub->ub_disk without validating the device state, triggering a kernel panic and causing a denial of service. Patches are available from the Linux kernel maintainers for versions 6.18.20, 6.19.9, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, consistent with the local-only attack vector and absence from CISA KEV.
A NULL pointer dereference in the Linux kernel's adis_init() function causes kernel crashes when initializing ADIS IMU drivers (adis16480, adis16490, adis16545). The function attempts to dereference adis->ops without first verifying it is non-NULL, triggering denial of service on affected systems during device probe. Exploitation requires local access with low privileges (CVSS AV:L/AC:L/PR:L). EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available across multiple stable kernel versions (6.19.9, 6.18.19, 7.0).
NULL pointer dereference in the Linux kernel's AMD display driver (DRM subsystem) allows local authenticated users to crash the system via dcn401_init_hw() function. Affects kernel 6.12 through 7.0-rc6, specifically the DCN 4.01 hardware sequencer in amdgpu driver. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is very low (0.02%, 4th percentile), indicating minimal real-world threat despite moderate CVSS score. Not listed in CISA KEV, and no public exploit code identified at time of analysis.
Null pointer dereference in Linux kernel's Qualcomm SM8450 interconnect driver causes local denial of service during device probe. The vulnerability affects Linux kernel 6.19.x through 7.0-rc6 on Qualcomm SM8450 platforms when the interconnect driver initializes. Upstream patches are available (commits 77d22bf3fc5d and dbbd550d7c8d). EPSS score of 0.02% indicates very low observed exploitation probability, and no active exploitation or public POC has been identified. Real-world risk is limited to local authenticated users on affected Qualcomm SoC platforms during driver initialization.
Kernel NULL pointer dereference in Linux kernel's BPF verifier allows local authenticated users to trigger a denial of service. The vulnerability stems from improper handling of nullable PTR_TO_BUF pointers in check_mem_access(), where map iterator callbacks can dereference NULL ctx->key or ctx->value pointers without validation, causing a kernel crash. Affects Linux kernel versions 5.17 through 7.0-rc4, with patches available across stable branches (5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, and no evidence of public exploit code or active exploitation exists. Local access with low privileges required makes this a targeted risk rather than widespread threat.
NULL pointer dereference in Linux kernel ACPI processor module allows local authenticated attackers to crash the system. The flaw occurs in acpi_processor_errata_piix4() when device lookup logic overwrites a valid pointer with NULL, triggering a crash when accessed by dev_dbg(). Vendor-released patches are available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS exploitation probability is very low (0.02%, 7th percentile), and no public exploit or active exploitation has been identified. The vulnerability requires local access with low privileges (CVSS AV:L/PR:L), making it a lower priority than network-exposed flaws despite the high availability impact.
Null-pointer dereference in the Linux kernel DRM panel driver (jdi_panel_dsi_remove function) allows local authenticated attackers to cause a denial of service by triggering device removal when the jdi structure is NULL. The vulnerability exists because the function checks for NULL but fails to return early, allowing subsequent code to dereference the NULL pointer. CVSS score is 5.5 (local attack vector, low complexity); EPSS indicates low exploitation probability (0.02%, 5th percentile), and no public exploit code or active exploitation has been confirmed.
Local denial-of-service in Linux kernel's Rockchip RGA media driver allows authenticated users with low privileges to crash the system through NULL pointer dereference. The vulnerability affects kernel versions 6.8+ containing the Rockchip RGA driver, where rga_buf_init() fails to validate ERR_PTR returns from rga_get_frame() before dereferencing frame size. Vendor patches available across stable branches (6.12.75, 6.18.16, 6.19.6). EPSS score 0.02% (5th percentile) indicates minimal real-world exploitation likelihood, consistent with local-only attack vector requiring authenticated access.
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Null pointer dereference in PHP 8.2.x causes denial of service through remote attacks requiring user interaction and persistent attack timing. CVE-2026-7259 is one of eight vulnerabilities patched in PHP 8.2.31, with a low CVSS score (2.1) reflecting the attack complexity and limited availability impact, though the null pointer dereference class (CWE-476) can escalate in severity depending on code context. No public exploit code or active exploitation has been identified at time of analysis.
PHP 8.2.31 addresses a null pointer dereference vulnerability (CVE-2026-7262) that can cause denial of service through remote network access without authentication. The vulnerability has a low CVSS score of 2.9 due to attack complexity factors, but the vendor has released PHP 8.2.31 as an immediate security patch addressing this and seven related CVEs. All PHP 8.2 users should upgrade to mitigate the impact.
MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.
Tor before version 0.4.9.7 crashes due to a NULL pointer dereference when CERT cells are received out of order, causing denial of service against relay nodes and clients. Remote unauthenticated attackers on the network can trigger this crash by sending malformed cell sequences, disabling affected Tor instances. No active exploitation confirmed, but the vulnerability affects core protocol handling in all affected versions.
In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.
Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.
Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.
In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value, which could lead to a NULL pointer dereference. Fix it by checking the return value and returning -ENODEV if the 'ndev' is NULL.
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update

The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):

1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().

If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
A race condition in the Linux kernel's chips-media wave5 video decoder driver allows local authenticated users to trigger a NULL pointer dereference during concurrent instance creation/destruction, potentially leading to high confidentiality, integrity, and availability impact. The vulnerability affects kernel versions from commit 9707a6254a8a onwards until patched in 6.18.16, 6.19.6, and 7.0. Fixed via interrupt handler refactoring with proper locking. EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, and no public exploit code or CISA KEV listing exists, suggesting limited real-world exploitation despite the high CVSS 7.8 score.
In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.
Denial of service in the Linux kernel's net subsystem via deadlock in skb_may_tx_timestamp() when socket timestamp completion occurs in interrupt context while sk_callback_lock is write-locked, affecting local attackers with user privileges on systems with network drivers that complete TX timestamps from dedicated interrupt handlers.
Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.
Resource management flaws in the Linux kernel MediaTek MDP driver allow local authenticated attackers with low privileges to trigger memory corruption via improper error handling during device probe initialization, potentially escalating to kernel code execution. Multiple stable kernel branches (5.10.x through 7.0) are affected, with vendor patches released across all maintained versions. No active exploitation confirmed (EPSS 0.02%, not in CISA KEV), though the local attack vector and low complexity suggest straightforward exploitation once local access is achieved.
In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw; make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be an out-of-bounds write when pointers 4..7 are set into the struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this: increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly

In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump:

```
root@OpenWrt:~# tcpdump -vv -X -i eth0
(...)
Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read
(...)
Call trace:
 ptp_clock_index from ixp46x_ptp_find+0x1c/0x38
 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64
 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108
 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648
 __dev_ethtool from dev_ethtool+0x160/0x234
 dev_ethtool from dev_ioctl+0x2cc/0x460
 dev_ioctl from sock_ioctl+0x1ec/0x524
 sock_ioctl from sys_ioctl+0x51c/0xa94
 sys_ioctl from ret_fast_syscall+0x0/0x44
(...)
Segmentation fault
```

Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set(), which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() returns -ENODEV.
Null pointer dereference in Linux kernel UDP-Lite implementation crashes systems when udp_lib_init_sock() fails during socket initialization. Affects mainline 6.18+ through 6.19.5 and stable 7.0. Remote unauthenticated attackers can trigger denial of service by sending crafted UDP-Lite packets that exploit unhandled initialization errors in udplite_sk_init() and udplitev6_sk_init(), causing NULL pointer access in __udp_enqueue_schedule_skb(). Vendor patches available for 6.18.16, 6.19.6, and 7.0 stable trees. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation is confirmed at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Denial of service via null pointer dereference in Linux kernel's pstore persistent storage subsystem occurs when the vmap() function fails but the persistent_ram_vmap() function incorrectly returns success if a non-zero offset is present, allowing subsequent buffer access to dereference invalid memory and cause system crashes. Affects Linux kernel versions prior to 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit identified at time of analysis, but vendor-released patches are available across multiple stable branches.
In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo(), then the info->fbcon_par pointer remains NULL, which is later dereferenced. Add a check for the return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.