CVEbaza.plCWE DictionaryCWE-476
Common Weakness Enumeration

CWE-476

NULL Pointer Dereference

Category: BaseCVE: 6,337
Description

The product dereferences a pointer that it expects to be valid but is NULL.

CVE vulnerabilities with CWE-476 (6,337)
10.0
CVSS
CRITICAL
CVE-2026-24826

Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .

pub. 2026-01-27
10.0
CVSS
CRITICAL
CVE-2022-36648

The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case.

pub. 2023-08-22
10.0
CVSS
CRITICAL
CVE-2020-14500

Secomea GateManager all versions prior to 9.2c, An attacker can send a negative value and overwrite arbitrary data.

pub. 2020-08-25
10.0
CVSS
HIGH
CVE-2010-2495

The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does not properly validate certain values associated with an interface, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change.

pub. 2010-09-08
9.8
CVSS
CRITICAL
CVE-2026-46195

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

pub. 2026-05-28
9.8
CVSS
CRITICAL
CVE-2026-31657

In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.

pub. 2026-04-24
9.8
CVSS
CRITICAL
CVE-2026-31436

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks. Fix this by completing d instead of found in the final list_for_each_entry_safe() loop.

pub. 2026-04-22
9.8
CVSS
CRITICAL
CVE-2024-55193

OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.

pub. 2025-01-23
9.8
CVSS
CRITICAL
CVE-2024-40493

Null Pointer Dereference in `coap_client_exchange_blockwise2` function in Keith Cullen FreeCoAP 1.0 allows remote attackers to cause a denial of service and potentially execute arbitrary code via a specially crafted CoAP packet that causes `coap_msg_get_payload(resp)` to return a null pointer, which is then dereferenced in a call to `memcpy`.

pub. 2024-10-22
9.8
CVSS
CRITICAL
CVE-2024-38612

In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix invalid unregister error path The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called. This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() with genl_unregister_family() in this error path.

pub. 2024-06-19
9.8
CVSS
CRITICAL
CVE-2023-45924

libglxproto.c in OpenGL libglvnd bb06db5a was discovered to contain a segmentation violation via the function glXGetDrawableScreen(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server.

pub. 2024-03-27
9.8
CVSS
CRITICAL
CVE-2023-46427

An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-master, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), and obtain sensitive information via null pointer deference in gf_dash_setup_period component in media_tools/dash_client.c.

pub. 2024-03-09
9.8
CVSS
CRITICAL
CVE-2023-47003

An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted.

pub. 2023-11-16
9.8
CVSS
CRITICAL
CVE-2023-2840

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.

pub. 2023-05-22
9.8
CVSS
CRITICAL
CVE-2023-26463

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

pub. 2023-04-15
9.8
CVSS
CRITICAL
CVE-2023-23087

An issue was found in MojoJson v1.2.3 allows attackers to execute arbitary code via the destroy function.

pub. 2023-02-03
9.8
CVSS
CRITICAL
CVE-2021-4236

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.

pub. 2022-12-27
9.8
CVSS
CRITICAL
CVE-2022-36227

In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."

pub. 2022-11-22
9.8
CVSS
CRITICAL
CVE-2022-30592

liblsquic/lsquic_qenc_hdl.c in LiteSpeed QUIC (aka LSQUIC) before 3.1.0 mishandles MAX_TABLE_CAPACITY.

pub. 2022-05-11
9.8
CVSS
CRITICAL
CVE-2021-1946

Null Pointer Dereference may occur due to improper validation while processing crafted SDP body in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile

pub. 2021-09-09
Showing 20 of 6,337 vulnerabilities
Information
ID: CWE-476
Type: Base
Vulnerabilities: 6,337
MITRE CWE ↗
← CWE Dictionary
CWE-476 — NULL Pointer Dereference | CWE Dictionary | CVEbaza.pl