Total
4853 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-38121 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mld: avoid panic on init failure
In case of an error during init, in_hw_restart will be set, but it will
never get cleared.
Instead, we will retry to init again, and then we will act like we are in a
restart when we are actually not.
This causes (among others) to a NULL pointer dereference when canceling
rx_omi::finished_work, that was not even initialized, because we thought
that we are in hw_restart.
Set in_ ...
Show More |
|||||
| CVE-2025-38123 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: Fix napi rx poll issue
When driver handles the napi rx polling requests, the netdev might
have been released by the dellink logic triggered by the disconnect
operation on user plane. However, in the logic of processing skb in
polling, an invalid netdev is still being used, which causes a panic.
BUG: kernel NULL pointer dereference, address: 00000000000000f1
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:dev_gro_ ...
Show More |
|||||
| CVE-2025-38130 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/connector: only call HDMI audio helper plugged cb if non-null
On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb
with NULL as the callback function and codec_dev, as seen in its
hdmi_remove function.
The HDMI audio helper then happily tries calling said null function
pointer, and produces an Oops as a result.
Fix this by only executing the callback if fn is non-null. This means
the .plugged_cb and .plug ...
Show More |
|||||
| CVE-2025-38156 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()
devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init()
does not check for this case, which results in a NULL pointer
dereference.
Prevent null pointer dereference in mt7996_mmio_wed_init()
|
|||||
| CVE-2025-38155 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()
does not check for this case, which results in a NULL pointer
dereference.
Prevent null pointer dereference in mt7915_mmio_wed_init().
|
|||||
| CVE-2025-38134 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()
As demonstrated by the fix for update_port_device_state,
commit 12783c0b9e2c ("usb: core: Prevent null pointer dereference in update_port_device_state"),
usb_hub_to_struct_hub() can return NULL in certain scenarios,
such as during hub driver unbind or teardown race conditions,
even if the underlying usb_device structure exists.
Plus, all other places t ...
Show More |
|||||
| CVE-2025-38144 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()
devm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe()
does not check for this case, which results in a NULL pointer
dereference.
Add NULL check after devm_ioremap() to prevent this issue.
|
|||||
| CVE-2025-38149 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: phy: clear phydev->devlink when the link is deleted
There is a potential crash issue when disabling and re-enabling the
network port. When disabling the network port, phy_detach() calls
device_link_del() to remove the device link, but it does not clear
phydev->devlink, so phydev->devlink is not a NULL pointer. Then the
network port is re-enabled, but if phy_attach_direct() fails before
calling device_link_add(), the code ...
Show More |
|||||
| CVE-2025-38171 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
power: supply: max77705: Fix workqueue error handling in probe
The create_singlethread_workqueue() doesn't return error pointers, it
returns NULL. Also cleanup the workqueue on the error paths.
|
|||||
| CVE-2025-38274 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()
fpga_mgr_test_img_load_sgt() allocates memory for sgt using
kunit_kzalloc() however it does not check if the allocation failed.
It then passes sgt to sg_alloc_table(), which passes it to
__sg_alloc_table(). This function calls memset() on sgt in an attempt to
zero it out. If the allocation fails then sgt will be NULL and the
memset will trigger a NULL point ...
Show More |
|||||
| CVE-2025-38271 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: prevent a NULL deref in rtnl_create_link()
At the time rtnl_create_link() is running, dev->netdev_ops is NULL,
we must not use netdev_lock_ops() or risk a NULL deref if
CONFIG_NET_SHAPER is defined.
Use netif_set_group() instead of dev_set_group().
RIP: 0010:netdev_need_ops_lock include/net/netdev_lock.h:33 [inline]
RIP: 0010:netdev_lock_ops include/net/netdev_lock.h:41 [inline]
RIP: 0010:dev_set_group+0xc0/0x230 net ...
Show More |
|||||
| CVE-2025-38269 | 1 Linux | 1 Linux Kernel | 2025-11-20 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: exit after state insertion failure at btrfs_convert_extent_bit()
If insert_state() state failed it returns an error pointer and we call
extent_io_tree_panic() which will trigger a BUG() call. However if
CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then
we fallthrough and call cache_state() which will dereference the error
pointer, resulting in an invalid memory access.
So jump to the 'out' label af ...
Show More |
|||||
| CVE-2025-38281 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init
devm_kasprintf() can return a NULL pointer on failure,but this
returned value in mt7996_thermal_init() is not checked.
Add NULL check in mt7996_thermal_init(), to handle kernel NULL
pointer dereference error.
|
|||||
| CVE-2025-38255 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
While testing null_blk with configfs, echo 0 > poll_queues will trigger
following panic:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 ...
Show More |
|||||
| CVE-2025-38189 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()`
The following kernel Oops was recently reported by Mesa CI:
[ 800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588
[ 800.148619] Mem abort info:
[ 800.151402] ESR = 0x0000000096000005
[ 800.155141] EC = 0x25: DABT (current EL), IL = 32 bits
[ 800.160444] SET = 0, FnV = 0
[ 800.163488] EA = 0, S1PTW = 0 ...
Show More |
|||||
| CVE-2025-38192 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: clear the dst when changing skb protocol
A not-so-careful NAT46 BPF program can crash the kernel
if it indiscriminately flips ingress packets from v4 to v6:
BUG: kernel NULL pointer dereference, address: 0000000000000000
ip6_rcv_core (net/ipv6/ip6_input.c:190:20)
ipv6_rcv (net/ipv6/ip6_input.c:306:8)
process_backlog (net/core/dev.c:6186:4)
napi_poll (net/core/dev.c:6906:9)
net_rx_action (net/core/de ...
Show More |
|||||
| CVE-2025-38294 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix NULL access in assign channel context handler
Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle
(ar) gets accessed from the link VIF handle (arvif) for debug logging, This
is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL
access, avoid radio handle access by moving to the hardware debug logging
helper function (ath12k_hw_warn).
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE. ...
Show More |
|||||
| CVE-2025-38284 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: pci: configure manual DAC mode via PCI config API only
To support 36-bit DMA, configure chip proprietary bit via PCI config API
or chip DBI interface. However, the PCI device mmap isn't set yet and
the DBI is also inaccessible via mmap, so only if the bit can be accessible
via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to
32-bit DMA.
With NULL mmap address, kernel throws trace:
BUG: unabl ...
Show More |
|||||
| CVE-2025-38368 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe()
The returned value, pfsm->miscdev.name, from devm_kasprintf()
could be NULL.
A pointer check is added to prevent potential NULL pointer dereference.
This is similar to the fix in commit 3027e7b15b02
("ice: Fix some null pointer dereference issues in ice_ptp.c").
This issue is found by our static analysis tool.
|
|||||
| CVE-2025-38301 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
nvmem: zynqmp_nvmem: unbreak driver after cleanup
Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup")
changed the driver to expect the device pointer to be passed as the
"context", but in nvmem the context parameter comes from nvmem_config.priv
which is never set - Leading to null pointer exceptions when the device is
accessed.
|
|||||
| CVE-2025-38299 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()
ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(),
in the case the codec dai_name will be null.
Avoid a crash if the device tree is not assigning a codec
to these links.
[ 1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 1.181065] Mem abort info:
[ 1.181420] ESR = 0x0000000096000004
[ 1.181892] EC ...
Show More |
|||||
| CVE-2025-38381 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt()
The cs40l50_upload_owt() function allocates memory via kmalloc()
without checking for allocation failure, which could lead to a
NULL pointer dereference.
Return -ENOMEM in case allocation fails.
|
|||||
| CVE-2025-63744 | 1 Radare | 1 Radare2 | 2025-11-19 | N/A | 4.3 MEDIUM |
|
A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program.
|
|||||
| CVE-2025-63745 | 1 Radare | 1 Radare2 | 2025-11-19 | N/A | 5.5 MEDIUM |
|
A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data.
|
|||||
| CVE-2025-38402 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
idpf: return 0 size for RSS key if not supported
Returning -EOPNOTSUPP from function returning u32 is leading to
cast and invalid size value as a result.
-EOPNOTSUPP as a size probably will lead to allocation fail.
Command: ethtool -x eth0
It is visible on all devices that don't have RSS caps set.
[ 136.615917] Call Trace:
[ 136.615921] <TASK>
[ 136.615927] ? __warn+0x89/0x130
[ 136.615942] ? __alloc_frozen_pages_nop ...
Show More |
|||||
| CVE-2025-38398 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-qpic-snand: reallocate BAM transactions
Using the mtd_nandbiterrs module for testing the driver occasionally
results in weird things like below.
1. swiotlb mapping fails with the following message:
[ 85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)
[ 85.932937] qcom_snand 79b0000.spi: failure in mapping desc
[ 87.999314] qcom_snand 79b000 ...
Show More |
|||||
| CVE-2025-38442 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
block: reject bs > ps block devices when THP is disabled
If THP is disabled and when a block device with logical block size >
page size is present, the following null ptr deref panic happens during
boot:
[ [13.2 mK AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07]
[ 13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380
<snip>
[ 13.025448] Call Trace:
[ 13.025692] <TASK>
[ 13.025895] block_r ...
Show More |
|||||
| CVE-2025-38433 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
riscv: fix runtime constant support for nommu kernels
the `__runtime_fixup_32` function does not handle the case where `val` is
zero correctly (as might occur when patching a nommu kernel and referring
to a physical address below the 4GiB boundary whose upper 32 bits are all
zero) because nothing in the existing logic prevents the code from taking
the `else` branch of both nop-checks and emitting two `nop` instructions.
This ...
Show More |
|||||
| CVE-2025-38454 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp()
Use pr_warn() instead of dev_warn() when 'pdev' is NULL to avoid a
potential NULL pointer dereference.
|
|||||
| CVE-2025-38452 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe()
Add check for the return value of rcar_gen4_ptp_alloc()
to prevent potential null pointer dereference.
|
|||||
| CVE-2025-38450 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()
Add a NULL check for msta->vif before accessing its members to prevent
a kernel panic in AP mode deployment. This also fix the issue reported
in [1].
The crash occurs when this function is triggered before the station is
fully initialized. The call trace shows a page fault at
mt7925_sta_set_decap_offload() due to accessing resources when ms ...
Show More |
|||||
| CVE-2025-38489 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again
Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has
accidentally removed the critical piece of commit c730fce7c70c
("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing
intermittent kernel panics in e.g. perf's on_switch() prog to reappear.
Restore the fix and add a comment.
|
|||||
| CVE-2025-38475 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix various oops due to inet_sock type confusion.
syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while
freeing inet_sk(sk)->inet_opt.
The address was freed multiple times even though it was read-only memory.
cipso_v4_sock_setattr() did nothing wrong, and the root cause was type
confusion.
The cited commit made it possible to create smc_sock as an INET socket.
The issue is that struct smc_sock does not ...
Show More |
|||||
| CVE-2025-38243 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix invalid inode pointer dereferences during log replay
In a few places where we call read_one_inode(), if we get a NULL pointer
we end up jumping into an error path, or fallthrough in case of
__add_inode_ref(), where we then do something like this:
iput(&inode->vfs_inode);
which results in an invalid inode pointer that triggers an invalid memory
access, resulting in a crash.
Fix this by making sure we don't do s ...
Show More |
|||||
| CVE-2025-37900 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix two issues in iommu_copy_struct_from_user()
In the review for iommu_copy_struct_to_user() helper, Matt pointed out that
a NULL pointer should be rejected prior to dereferencing it:
https://lore.kernel.org/all/[email protected]
And Alok pointed out a typo at the same time:
https://lore.kernel.org/all/[email protected]
Since both issues were copied from iom ...
Show More |
|||||
| CVE-2022-50218 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
iio: light: isl29028: Fix the warning in isl29028_remove()
The driver use the non-managed form of the register function in
isl29028_remove(). To keep the release order as mirroring the ordering
in probe, the driver should use non-managed form in probe, too.
The following log reveals it:
[ 32.374955] isl29028 0-0010: remove
[ 32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 ...
Show More |
|||||
| CVE-2025-38089 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
tianshuo han reported a remotely-triggerable crash if the client sends a
kernel RPC server a specially crafted packet. If decoding the RPC reply
fails in such a way that SVC_GARBAGE is returned without setting the
rq_accept_statp pointer, then that pointer can be dereferenced and a
value stored there.
If it's the first time the thread has processed an RPC, th ...
Show More |
|||||
| CVE-2022-50206 | 1 Linux | 1 Linux Kernel | 2025-11-19 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
arm64: fix oops in concurrently setting insn_emulation sysctls
emulation_proc_handler() changes table->data for proc_dointvec_minmax
and can generate the following Oops if called concurrently with itself:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
| Internal error: Oops: 96000006 [#1] SMP
| Call trace:
| update_insn_emulation_mode+0xc0/0x148
| emulation_proc_handler+0x64/0xb8
...
Show More |
|||||
| CVE-2025-38522 | 1 Linux | 1 Linux Kernel | 2025-11-18 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
sched/ext: Prevent update_locked_rq() calls with NULL rq
Avoid invoking update_locked_rq() when the runqueue (rq) pointer is NULL
in the SCX_CALL_OP and SCX_CALL_OP_RET macros.
Previously, calling update_locked_rq(NULL) with preemption enabled could
trigger the following warning:
BUG: using __this_cpu_write() in preemptible [00000000]
This happens because __this_cpu_write() is unsafe to use in preemptible
context.
rq i ...
Show More |
|||||
| CVE-2025-38517 | 1 Linux | 1 Linux Kernel | 2025-11-18 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()
alloc_tag_top_users() attempts to lock alloc_tag_cttype->mod_lock even
when the alloc_tag_cttype is not allocated because:
1) alloc tagging is disabled because mem profiling is disabled
(!alloc_tag_cttype)
2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype)
3) alloc tagging is enabled, but failed initialization
(!allo ...
Show More |
|||||