CWE-476— NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.— MITRE CWE catalog
4,963 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-476page 96 of 100
- CVE-2026-43356MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: iio: imu: adis: Fix NULL pointer dereference in adis_init The adis_init() function dereferences adis->ops to check if the individual function pointers (write, read, rese…
- CVE-2026-43364MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: ublk: fix NULL pointer dereference in ublk_ctrl_set_size() ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via set_capacity_and_notify() without checking i…
- CVE-2026-43367MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix a few more NULL pointer dereference in device cleanup I found a few more paths that cleanup fails due to a NULL version pointer on unsupported hardware. Ad…
- CVE-2026-43369MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix NULL pointer dereference in device cleanup When GPU initialization fails due to an unsupported HW block IP blocks may have a NULL version pointer. During cl…
- CVE-2026-43401MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() The update_cpu_qos_request() function attempts to initialize the 'freq' variable by deref…
- CVE-2026-43408HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: ceph: add a bunch of missing ceph_path_info initializers ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ce…
- CVE-2026-43409MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes. B…
- CVE-2026-43410MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the d…
- CVE-2026-43412MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are remo…
- CVE-2026-43413MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining c…
- CVE-2026-43416MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL c…
- CVE-2026-43421MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs link…
- CVE-2026-43424MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace co…
- CVE-2026-43431MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: xhci: Fix NULL pointer dereference when reading portli debugfs files Michal reported and debgged a NULL pointer dereference bug in the recently added portli debugfs file…
- CVE-2026-43436MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed U…
- CVE-2026-43441HIGHCVSS 7.5EG 7.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() ex…
- CVE-2026-43443MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return value…
- CVE-2026-43444MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Unreserve bo if queue update failed Error handling path should unreserve bo then return failed. (cherry picked from commit c24afed7de9ecce341825d8ab55a43a25…
- CVE-2026-43463MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just check…
- CVE-2026-43471MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer …
- CVE-2026-43473MEDIUMCVSS 5.5EG 5.52026-05-08
In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL …
- CVE-2026-43480MEDIUMCVSS 5.5EG 5.52026-05-13
In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition The acp3x_5682_init() function did not check the return value of clk_get(), which could le…
- CVE-2026-43496MEDIUMCVSS 5.5EG 5.52026-05-21
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeue…
- CVE-2026-43864LOWCVSS 2.5EG 2.52026-05-04
mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.
- CVE-2026-44316HIGHCVSS 7.5EG 7.52026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI …
- CVE-2026-44317MEDIUMCVSS 6.5EG 6.52026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traff…
- CVE-2026-44322HIGHCVSS 7.5EG 7.52026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream…
- CVE-2026-44323MEDIUMCVSS 4.3EG 4.32026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference …
- CVE-2026-44328HIGHCVSS 8.2EG 8.22026-05-27
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unc…
- CVE-2026-44512MEDIUMCVSS 5.5EG 5.52026-07-07
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. From 1.9.0 before 1.22.0, onnx.version_converter.convert_version() can dereference a null pointer in Upsample_6_7::adapt_upsample_6_7() in onnx/…
- CVE-2026-44602LOWCVSS 3.7EG 3.72026-05-07
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
- CVE-2026-44638LOWCVSS 2.5EG 2.52026-05-14
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fa…
- CVE-2026-44710MEDIUMCVSS 4.6EG 4.62026-05-27
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strc…
- CVE-2026-45104HIGHCVSS 7.5EG 7.52026-05-27
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule adde…
- CVE-2026-45151LOWCVSS 2.9EG 2.92026-05-29
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not r…
- CVE-2026-45541HIGHCVSS 7.5EG 7.52026-06-10
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. Whi…
- CVE-2026-45729MEDIUMCVSS 4.3EG 4.32026-06-01
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process wit…
- CVE-2026-45834MEDIUMCVSS 5.5EG 5.52026-05-26
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
- CVE-2026-45835MEDIUMCVSS 5.5EG 5.52026-05-26
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
- CVE-2026-45836MEDIUMCVSS 5.5EG 5.52026-05-26
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
- CVE-2026-45838MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list h…
- CVE-2026-45842MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive co…
- CVE-2026-45845MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores…
- CVE-2026-45846MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path withou…
- CVE-2026-45848MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL sock in aa_sock_file_perm Deal with the potential that sock and sock-sk can be NULL during socket setup or teardown. This could lead to an oops. The f…
- CVE-2026-45857MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: scsi: csiostor: Fix dereference of null pointer rn The error exit path when rn is NULL ends up deferencing the null pointer rn via the use of the macro CSIO_INC_STATS. F…
- CVE-2026-45869MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed() In `probe()`, `request_irq()` is called before allocating/registering a `power_supply` hand…
- CVE-2026-45874MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: phy: freescale: imx8qm-hsio: fix NULL pointer dereference During the probe the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in …
- CVE-2026-45876MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: arm64/gcs: Fix error handling in arch_set_shadow_stack_status() alloc_gcs() returns an error-encoded pointer on failure, which comes from do_mmap(), not NULL. The curre…
- CVE-2026-45877MEDIUMCVSS 5.5EG 5.52026-05-27
In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are…
Map vulnerabilities like CWE-476 to your infrastructure
EchelonGraph correlates every CVE — across CWE-476 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →