CWE-476— NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.— MITRE CWE catalog
4,963 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-476page 98 of 100
- CVE-2026-47335MEDIUMCVSS 5.5EG 5.52026-05-28
Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic.
- CVE-2026-47337LOWCVSS 3.3EG 3.32026-05-28
Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops.
- CVE-2026-4743MEDIUMCVSS 5.2EG 5.22026-03-24
NULL Pointer Dereference vulnerability in taurusxin ncmdump (src/utils modules). This vulnerability is associated with program files cJSON.Cpp. This issue affects ncmdump: before 1.4.0.
- CVE-2026-48066MEDIUMCVSS 5.7EG 5.72026-05-27
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This vi…
- CVE-2026-48139HIGHCVSS 7.5EG 7.52026-06-19
There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash. Successful exploitation requires an attacker to provide an unk…
- CVE-2026-48267MEDIUMCVSS 5.5EG 5.52026-07-06
DNG SDK versions 1.7.1 2536 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a den…
- CVE-2026-48829HIGHCVSS 7.5EG 7.52026-05-24
In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.
- CVE-2026-48985MEDIUMCVSS 5.5EG 5.52026-06-18
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads …
- CVE-2026-50315HIGHCVSS 7.8EG 7.82026-07-14
Null pointer dereference in Windows Image Acquisition allows an authorized attacker to elevate privileges locally.
- CVE-2026-50366MEDIUMCVSS 6.5EG 6.52026-07-14
Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network.
- CVE-2026-50673HIGHCVSS 7.8EG 7.82026-07-14
Null pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally.
- CVE-2026-50810MEDIUMCVSS 5.5EG 5.52026-07-07
A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service
- CVE-2026-50812MEDIUMCVSS 5.5EG 5.52026-07-08
A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to cause a denial of service. The issue occur…
- CVE-2026-52865MEDIUMCVSS 6.5EG 6.52026-07-15
When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to term…
- CVE-2026-52913MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: batman-adv: v: stop OGMv2 on disabled interface When a batadv_hard_iface is disabled, its mesh_iface pointer is set to NULL. However, batadv_v_ogm_send_meshif() may stil…
- CVE-2026-52922HIGHCVSS 7.5EG 7.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: batman-adv: dat: handle forward allocation error batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb for each DHT candidate, but does not check the…
- CVE-2026-52925MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: vrf: Fix a potential NPD when removing a port from a VRF RCU readers that identified a net device as a VRF port using netif_is_l3_slave() assume that a subsequent call t…
- CVE-2026-52929HIGHCVSS 7.5EG 7.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: sctp: stream: fully roll back denied add-stream state When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed str…
- CVE-2026-52938MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths bpf_selem_unlink_nofail() sets SDATA(selem)->smap to NULL before removing the selem from the sto…
- CVE-2026-52939MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND…
- CVE-2026-52941MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and smc_rx_recvmsg, unconditionally deref…
- CVE-2026-52951HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: handle empty bo and UAF races There look to be some nasty races here when triggering the invalidate_mappings hook: 1) We do xe_bo_alloc() followed by th…
- CVE-2026-52957HIGHCVSS 7.5EG 7.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential null-ptr-deref in decode_choose_args() A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself contains a CRUSH map. When decoding this…
- CVE-2026-52980MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_d…
- CVE-2026-52986CRITICALCVSS 9.8EG 9.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: don't use simple_strtoul Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request() with a new sip_p…
- CVE-2026-52997MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() Fix dualpi2_change() to correctly enforce updated limit and memlimit values after a configurat…
- CVE-2026-52998HIGHCVSS 7.5EG 7.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without ver…
- CVE-2026-53007MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of ice_set_ringparam() ice_set_ringparam nullifies tstamp_ring of temporary tx_rings, without clearing ICE_TX_RING_FL…
- CVE-2026-53012MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic [1] [2]. When an IPv6 nexthop is replaced with an IPv4 nexthop, the has_v4 flag of all groups c…
- CVE-2026-53028MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: usb: typec: Fix error pointer dereference The variable tps->partner is checked for an error pointer and then if it is, it sends an error message but does not return and …
- CVE-2026-53032MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in map_kptr_match_type for scalar regs Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr") refactored map_kptr_match_type() to b…
- CVE-2026-53034MEDIUMCVSS 5.5EG 5.52026-06-24
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix af_unix null-ptr-deref in proto update unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)`) _before_ it assigns a peer (`u…
- CVE-2026-53135MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs [Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking …
- CVE-2026-53144MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix NULL dereference in get_queue_ids() When usr_queue_id_array is NULL and num_queues is non-zero, get_queue_ids() returns NULL. The callers check only IS_E…
- CVE-2026-53152MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: mmc: dw_mmc-rockchip: Add missing private data for very old controllers The really old controllers (rk2928, rk3066, rk3188) do not support UHS speeds at all, and thus ne…
- CVE-2026-53158MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_r…
- CVE-2026-53163MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued syzbot triggered the following splat in remove_waiter() via FUTEX_CMP_REQUEUE_PI: KASAN: null-ptr-de…
- CVE-2026-53165HIGHCVSS 7.5EG 7.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: iomap: avoid potential null folio->mapping deref during error reporting When a buffered read fails, iomap_finish_folio_read() reports the error with fserror_report_io(fo…
- CVE-2026-53177MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer dereference PCIe errors detected by a Root Port or Downstream Port cause error recovery services to run on all subordinate devices regardless o…
- CVE-2026-53204MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires wh…
- CVE-2026-53214MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix a potential NPD in cleanup_prefix_route() addrconf_get_prefix_route() can return the fib6_null_entry sentinel entry which has a NULL fib6_table pointer. Theref…
- CVE-2026-53220MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: netfilter: revalidate bridge ports ebt_redirect_tg() dereferences br_port_get_rcu() return without a NULL check, causing a kernel panic when the bridge port has been rem…
- CVE-2026-53237MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: gpio: mvebu: fix NULL pointer dereference in suspend/resume mvebu_pwm_suspend() and mvebu_pwm_resume() are called for all GPIO banks during suspend/resume, but not all b…
- CVE-2026-53242HIGHCVSS 7.8EG 7.82026-06-25
In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams snd_pcm_drain() uses init_waitqueue_entry which does not clear entry.prev/next, and add_wa…
- CVE-2026-53271MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers smb2_oplock_break_noti() and smb2_lease_break_noti() read opinfo->conn into a local with neither RE…
- CVE-2026-53278MEDIUMCVSS 5.5EG 5.52026-06-26
In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Check whether the config array is allocated before destroying it __destroy_component_cfg() is called to free the configuration array. It uses the embedded 'gar…
- CVE-2026-53280MEDIUMCVSS 5.5EG 5.52026-06-26
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done() Local sashiko review pointed it out that group->domain could be NULL when a default domain fails …
- CVE-2026-53281HIGHCVSS 8.8EG 8.82026-06-26
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d ("iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE") fixed a NULL pointer dereferen…
- CVE-2026-53283MEDIUMCVSS 5.5EG 5.52026-06-26
In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Bounds-check devid in __rlookup_amd_iommu() iommu_device_register() walks every device on the PCI bus via bus_for_each_dev() and calls amd_iommu_probe_device(…
- CVE-2026-53284HIGHCVSS 7.5EG 7.52026-06-26
In the Linux kernel, the following vulnerability has been resolved: btrfs: only release the dirty pages io tree after successful writes [WARNING] With extra warning on dirty extent buffers at umount (aka, the next patch in the series), t…
Map vulnerabilities like CWE-476 to your infrastructure
EchelonGraph correlates every CVE — across CWE-476 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →