Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-14324

Summary
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
Published At-01 Jul, 2026 | 14:09
Updated At-01 Jul, 2026 | 17:25
Rejected At-
Credits

Pipewire: raop rtsp null deref

RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:redhat
Assigner Org ID:53f830b8-0a3f-465b-8143-3b8a9948e749
Published At:01 Jul, 2026 | 14:09
Updated At:01 Jul, 2026 | 17:25
Rejected At:
▼CVE Numbering Authority (CNA)
Pipewire: raop rtsp null deref

RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
libkrun
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
pipewire
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
pipewire
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
pipewire0.2
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 9
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
pipewire
CPEs
  • cpe:/o:redhat:enterprise_linux:9
Default Status
unknown
Problem Types
TypeCWE IDDescription
CWECWE-476NULL Pointer Dereference
Type: CWE
CWE ID: CWE-476
Description: NULL Pointer Dereference
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Red Hat severity rating
value:
Moderate
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

If AirPlay streaming is not required, unload or disable the module-raop-discover and module-raop-sink PipeWire modules.

Exploits

Credits

Red Hat would like to thank Tristan for reporting this issue.
Timeline
EventDate
Reported to Red Hat.2026-07-01 12:14:20
Made public.2026-07-01 00:00:00
Event: Reported to Red Hat.
Date: 2026-07-01 12:14:20
Event: Made public.
Date: 2026-07-01 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-14324
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2495903
issue-tracking
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-14324
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2495903
Resource:
issue-tracking
x_refsource_REDHAT
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert@redhat.com
Published At:01 Jul, 2026 | 15:17
Updated At:01 Jul, 2026 | 18:31

RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-476Secondarysecalert@redhat.com
CWE ID: CWE-476
Type: Secondary
Source: secalert@redhat.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://access.redhat.com/security/cve/CVE-2026-14324secalert@redhat.com
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=2495903secalert@redhat.com
N/A
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-14324
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2495903
Source: secalert@redhat.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

129Records found

CVE-2026-6732
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.63% / 45.86%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 22:19
Updated-30 Jun, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libxml2: libxml2: denial of service via crafted xsd-validated document

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Action-Not Available
Vendor-Red Hat, Inc.libxml2 (XMLSoft)IBM Corporation
Product-libxml2hardened_imagesviosenterprise_linuxopenshift_container_platformjboss_core_servicesaixRed Hat Enterprise Linux 10Red Hat OpenShift Container Platform 4Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat JBoss Core ServicesRed Hat Hardened ImagesRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9
CWE ID-CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2026-53176
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-9.8||CRITICAL
EPSS-0.74% / 50.00%
||
7 Day CHG+0.53%
Published-25 Jun, 2026 | 08:38
Updated-03 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

In the Linux kernel, the following vulnerability has been resolved: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative. isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t. The copy into the 8192-byte login->req_buf runs far out of bounds and faults, crashing the target node. The login phase precedes iSCSI authentication, so no credentials are required to reach this path. Reject any login PDU shorter than ISER_HEADERS_LEN before the subtraction, mirroring the existing early return on a failed work completion, so login_req_len can never go negative. The upper bound was already safe: a posted login buffer cannot deliver more than ISER_RX_PAYLOAD_SIZE, so the difference stays at or below MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing lower bound needs to be added.

Action-Not Available
Vendor-Red Hat, Inc.Linux Kernel Organization, Inc
Product-LinuxRed Hat Enterprise Linux 9Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 10
CWE ID-CWE-839
Numeric Range Comparison Without Minimum Check
CVE-2023-5215
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 50.31%
||
7 Day CHG~0.00%
Published-28 Sep, 2023 | 13:55
Updated-08 Nov, 2025 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libnbd: crash or misbehaviour when nbd server returns an unexpected block size

A flaw was found in libnbd. A server can reply with a block size larger than 2^63 (the NBD spec states the size is a 64-bit unsigned value). This issue could lead to an application crash or other unintended behavior for NBD clients that doesn't treat the return value of the nbd_get_size() function correctly.

Action-Not Available
Vendor-Red Hat, Inc.
Product-enterprise_linuxlibnbdRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 8 Advanced Virtualization
CWE ID-CWE-241
Improper Handling of Unexpected Data Type
CWE ID-CWE-252
Unchecked Return Value
CVE-2026-14258
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 15.93%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 09:24
Updated-01 Jul, 2026 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 10
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-6845
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-0.13% / 2.60%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 07:54
Updated-02 Jul, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Binutils: binutils: denial of service via crafted elf file

A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.

Action-Not Available
Vendor-Red Hat, Inc.GNU
Product-binutilshardened_imagesenterprise_linuxopenshift_container_platformRed Hat Enterprise Linux 9Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 10Red Hat Hardened ImagesRed Hat OpenShift Container Platform 4
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-7262
Matching Score-6
Assigner-PHP Group
ShareView Details
Matching Score-6
Assigner-PHP Group
CVSS Score-2.9||LOW
EPSS-0.78% / 51.44%
||
7 Day CHG+0.33%
Published-10 May, 2026 | 04:00
Updated-02 Jul, 2026 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NULL pointer dereference in SOAP apache:Map decoder with missing <value>

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element.  This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.

Action-Not Available
Vendor-Red Hat, Inc.The PHP Group
Product-phpPHPRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux AppStream (v. 10)Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux AppStream (v. 8)Red Hat Hardened Images
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-5745
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.16% / 5.82%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 14:57
Updated-03 May, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libarchive: a null pointer dereference vulnerability exists in the acl parser of libarchive

A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).

Action-Not Available
Vendor-libarchiveRed Hat, Inc.
Product-openshift_container_platformlibarchivehardened_imagesenterprise_linuxRed Hat Enterprise Linux 10Red Hat OpenShift Container Platform 4Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Hardened ImagesRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2024-8235
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.24% / 15.30%
||
7 Day CHG~0.00%
Published-30 Aug, 2024 | 16:16
Updated-08 Nov, 2025 | 07:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libvirt: crash of virtinterfaced via virconnectlistinterfaces()

A flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to crash the virtinterfaced daemon.

Action-Not Available
Vendor-Red Hat, Inc.
Product-enterprise_linuxlibvirtRed Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8 Advanced VirtualizationRed Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 10
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2024-7006
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.52% / 71.45%
||
7 Day CHG~0.00%
Published-08 Aug, 2024 | 20:49
Updated-23 Jan, 2026 | 17:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libtiff: null pointer dereference in tif_dirinfo.c

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.LibTIFF
Product-enterprise_linuxenterprise_linux_server_ausenterprise_linux_for_power_little_endian_euslibtiffenterprise_linux_for_arm_64Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9Red Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8Red Hat Enterprise Linux 10Red Hat Enterprise Linux 7
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2010-2222
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.35% / 68.08%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 19:27
Updated-07 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The _ger_parse_control function in Red Hat Directory Server 8 and the 389 Directory Server allows attackers to cause a denial of service (NULL pointer dereference) via a crafted search query.

Action-Not Available
Vendor-Red Hat, Inc.
Product-389_directory_serverdirectory_serverRed Hat Directory Server
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-8114
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.22% / 12.07%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 14:14
Updated-30 Jun, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libssh: null pointer dereference in libssh kex session id calculation

A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Action-Not Available
Vendor-libsshRed Hat, Inc.
Product-libsshRed Hat OpenShift Container Platform 4Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14873
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.30% / 66.91%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 15:04
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the __multadd function of the newlib libc library, prior to versions 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. This will trigger a null pointer dereference bug in case of a memory allocation failure.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14874
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.33% / 67.64%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 15:07
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the __i2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. The access of _ x[0] will trigger a null pointer dereference bug in case of a memory allocation failure.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14872
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.45% / 70.25%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 12:35
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The _dtoa_r function of the newlib libc library, prior to version 3.3.0, performs multiple memory allocations without checking their return value. This could result in NULL pointer dereference.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14876
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.33% / 67.64%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 15:08
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the __lshift function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. The access to b1 will trigger a null pointer dereference bug in case of a memory allocation failure.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14877
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.33% / 67.64%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 15:04
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the __mdiff function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate big integers, however no check is performed to verify if the allocation succeeded or not. The access to _wds and _sign will trigger a null pointer dereference bug in case of a memory allocation failure.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14871
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.01% / 58.80%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 15:43
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by REENT_CHECK_TM, REENT_CHECK_MISC, REENT_CHECK_MP and other newlib macros in versions prior to 3.3.0, does not check for memory allocation problems when the DEBUG flag is unset (as is the case in production firmware builds).

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14878
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.34% / 67.93%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 15:04
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. Accessing _x will trigger a null pointer dereference bug in case of a memory allocation failure.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-14875
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.29% / 66.80%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 15:08
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the __multiply function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, however no check is performed to verify if the allocation succeeded or not. The access of _x[0] will trigger a null pointer dereference bug in case of a memory allocation failure.

Action-Not Available
Vendor-newlib_projectRed Hat, Inc.
Product-newlibnewlib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2024-31420
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.64% / 46.16%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 14:01
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cnv: dos through repeatedly calling vm-dump-metrics until virt handler crashes

A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the virtual machine.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Virtualization 4
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-4385
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.22% / 12.28%
||
7 Day CHG~0.00%
Published-16 Aug, 2023 | 16:49
Updated-20 Nov, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: jfs: null pointer dereference in dbfree()

A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.

Action-Not Available
Vendor-Red Hat, Inc.Linux Kernel Organization, Inc
Product-linux_kernelRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2024-2496
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-0.25% / 16.28%
||
7 Day CHG~0.00%
Published-18 Mar, 2024 | 12:54
Updated-08 Nov, 2025 | 06:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libvirt: null pointer dereference in udevconnectlistallinterfaces()

A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8 Advanced VirtualizationRed Hat Enterprise Linux 8Red Hat Enterprise Linux 7
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-4478
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 33.50%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 14:22
Updated-30 Jun, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gnome-remote-desktop: freerdp: unauthenticated rdp packet causes segfault in freerdp leading to denial of service

A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. This issue causes the service to crash and remain defunct, resulting in a denial of service. It occurs pre-boot and is likely due to a NULL pointer dereference. Rebooting is required to recover the system.

Action-Not Available
Vendor-Red Hat, Inc.FreeRDP
Product-freerdpenterprise_linuxRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2019-10207
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.88% / 54.71%
||
7 Day CHG~0.00%
Published-25 Nov, 2019 | 13:51
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelkernel
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-32913
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.69% / 48.42%
||
7 Day CHG~0.00%
Published-14 Apr, 2025 | 13:37
Updated-29 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libsoup: null pointer dereference in soup_message_headers_get_content_disposition when "filename" parameter is present, but has no value in content-disposition header

A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 8.4 Telecommunications Update ServiceRed Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRed Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 10Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 6Red Hat Enterprise Linux 9.0 Update Services for SAP SolutionsRed Hat Enterprise Linux 7 Extended Lifecycle SupportRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Telecommunications Update ServiceRed Hat Enterprise Linux 8.6 Update Services for SAP Solutions
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-31181
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.18% / 8.17%
||
7 Day CHG+0.01%
Published-27 Mar, 2025 | 15:09
Updated-26 Jun, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gnuplot: gnuplot segmentation fault on x11_graphics

A flaw was found in gnuplot. The X11_graphics() function may lead to a segmentation fault and cause a system crash.

Action-Not Available
Vendor-gnuplotRed Hat, Inc.
Product-enterprise_linuxgnuplotRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 8
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-52951
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.10%
||
7 Day CHG-0.04%
Published-24 Jun, 2026 | 16:28
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
drm/xe/dma-buf: handle empty bo and UAF races

In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: handle empty bo and UAF races There look to be some nasty races here when triggering the invalidate_mappings hook: 1) We do xe_bo_alloc() followed by the attach, before the actual full bo init step in xe_dma_buf_init_obj(). However the bo is visible on the attachments list after the attach. This is bad since exporter driver, say amdgpu, can at any time call back into our invalidate_mappings hook, with an empty/bogus bo, leading to potential bugs/crashes. 2) Similar to 1) but here we get a UAF, when the invalidate_mappings hook is triggered. For example, we get as far as xe_bo_init_locked() but this fails in some way. But here the bo will be freed on error, but we still have it attached from dma-buf pov, so if the invalidate_mappings is now triggered then the bo we access is gone and we trigger UAF and more bugs/crashes. To fix this, move the attach step until after we actually have a fully set up buffer object. Note that the bo is not published to userspace until later, so not sure what the comment "Don't publish the bo until we have a valid attachment", is referring to. We have at least two different customers reporting hitting a NULL ptr deref in evict_flags when importing something from amdgpu, followed by triggering the evict flow. Hit rate is also pretty low, which would hint at some kind of race, so something like 1) or 2) might explain this. v2: - Shuffle the order of the ops slightly (no functional change) - Improve the comment to better explain the ordering (Matt B) (cherry picked from commit af1f2ad0c59fe4e2f924c526f66e968289d77971)

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-LinuxRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2024-0841
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.30% / 21.49%
||
7 Day CHG-0.00%
Published-28 Jan, 2024 | 11:20
Updated-06 Nov, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: hugetlbfs: null pointer dereference in hugetlbfs_fill_super function

A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-enterprise_linuxlinux_kernelRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-6679
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.31% / 22.72%
||
7 Day CHG~0.00%
Published-11 Dec, 2023 | 18:31
Updated-21 Nov, 2025 | 06:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: null pointer dereference in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c

A null pointer dereference vulnerability was found in dpll_pin_parent_pin_set() in drivers/dpll/dpll_netlink.c in the Digital Phase Locked Loop (DPLL) subsystem in the Linux kernel. This issue could be exploited to trigger a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.Fedora ProjectLinux Kernel Organization, Inc
Product-fedoralinux_kernelenterprise_linuxRed Hat Enterprise Linux 9Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-6535
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.55% / 72.06%
||
7 Day CHG~0.00%
Published-07 Feb, 2024 | 21:04
Updated-06 Nov, 2025 | 21:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: null pointer dereference in nvmet_tcp_execute_request

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-enterprise_linuxenterprise_linux_euscodeready_linux_builder_for_arm64_euscodeready_linux_builder_for_ibm_z_systems_euscodeready_linux_builder_eusenterprise_linux_for_real_time_for_nfventerprise_linux_for_arm_64_eusvirtualization_hostenterprise_linux_server_auscodeready_linux_builder_eus_for_power_little_endian_eusenterprise_linux_for_ibm_z_systems_eusenterprise_linux_for_power_little_endian_euslinux_kernelenterprise_linux_server_tusenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsenterprise_linux_for_real_timeRed Hat Enterprise Linux 9RHOL-5.8-RHEL-9Red Hat Enterprise Linux 6Red Hat Virtualization 4 for Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8.8 Extended Update Support
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-6683
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.26% / 66.05%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 19:01
Updated-25 Feb, 2026 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qemu: vnc: null pointer dereference in qemu_clipboard_request()

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.QEMU
Product-qemuenterprise_linuxRed Hat Enterprise Linux 6Red Hat Enterprise Linux 9Red Hat Enterprise Linux 8 Advanced VirtualizationRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-6536
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.54% / 71.80%
||
7 Day CHG~0.00%
Published-07 Feb, 2024 | 21:05
Updated-06 Nov, 2025 | 21:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: null pointer dereference in __nvmet_req_complete

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.Debian GNU/Linux
Product-enterprise_linuxenterprise_linux_euscodeready_linux_builder_for_arm64_euscodeready_linux_builder_for_ibm_z_systems_euscodeready_linux_builder_eusenterprise_linux_for_real_time_for_nfventerprise_linux_for_arm_64_eusvirtualization_hostenterprise_linux_server_ausdebian_linuxcodeready_linux_builder_eus_for_power_little_endian_eusenterprise_linux_for_ibm_z_systems_eusenterprise_linux_for_power_little_endian_euslinux_kernelenterprise_linux_server_tusenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsenterprise_linux_for_real_timeRed Hat Enterprise Linux 9RHOL-5.8-RHEL-9Red Hat Enterprise Linux 6Red Hat Virtualization 4 for Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8.8 Extended Update Support
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-5972
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7||HIGH
EPSS-0.28% / 19.36%
||
7 Day CHG~0.00%
Published-23 Nov, 2023 | 17:21
Updated-02 Aug, 2024 | 08:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: the nfta_inner_num and nfta_expr_name netlink attributes accessed without checking its presence in nft_inner.c

A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system.

Action-Not Available
Vendor-n/aFedora ProjectLinux Kernel Organization, IncRed Hat, Inc.
Product-fedoralinux_kernelRed Hat Enterprise Linux 9kernelRed Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Fedora
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-6176
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.25% / 16.09%
||
7 Day CHG-0.00%
Published-16 Nov, 2023 | 17:15
Updated-06 Nov, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: local dos vulnerability in scatterwalk_copychunks

A null pointer dereference flaw was found in the Linux kernel API for the cryptographic algorithm scatterwalk functionality. This issue occurs when a user constructs a malicious packet with specific socket configuration, which could allow a local user to crash the system or escalate their privileges on the system.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-enterprise_linuxlinux_kernelRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-2487
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.55% / 42.11%
||
7 Day CHG~0.00%
Published-18 Mar, 2025 | 16:25
Updated-30 Jun, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
389-ds-base: null pointer dereference leads to denial of service

A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Enterprise Linux 9.4 Extended Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Directory Server 12.4 EUS for RHEL 9Red Hat Directory Server 12
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-46195
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-9.8||CRITICAL
EPSS-0.68% / 47.68%
||
7 Day CHG+0.14%
Published-28 May, 2026 | 09:36
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
smb: client: validate dacloffset before building DACL pointers

In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelLinuxRed Hat Enterprise Linux BaseOS (v. 8)Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)Red Hat Enterprise Linux CRB (v. 8)Red Hat Enterprise Linux BaseOS (v. 9)Red Hat Enterprise Linux 7Red Hat Enterprise Linux Real Time for NFV (v. 9)Red Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Enterprise Linux NFV (v. 8)Red Hat Enterprise Linux 10Red Hat Enterprise Linux AppStream (v. 9)Red Hat Enterprise Linux RT (v. 8)Red Hat Enterprise Linux Real Time (v. 9)
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-47220
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.66% / 47.26%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 18:02
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.

Action-Not Available
Vendor-envoyproxyenvoyproxyRed Hat, Inc.
Product-envoyenvoyOpenShift Service Mesh 2OpenShift Service Mesh 3
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-42754
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.41% / 32.55%
||
7 Day CHG-0.00%
Published-05 Oct, 2023 | 18:25
Updated-06 Nov, 2025 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: ipv4: null pointer dereference in ipv4_send_dest_unreach()

A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.

Action-Not Available
Vendor-Linux Kernel Organization, IncFedora ProjectRed Hat, Inc.
Product-enterprise_linuxlinux_kernelfedoraRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-40546
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.43% / 34.88%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 16:29
Updated-20 Nov, 2025 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shim: out-of-bounds read printing error messages

A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.

Action-Not Available
Vendor-Red Hat, Inc.Fedora Project
Product-shimfedoraenterprise_linuxRed Hat Enterprise Linux 8.8 Extended Update SupportRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRed Hat Enterprise Linux 8.2 Telecommunications Update ServiceRed Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 8.4 Telecommunications Update ServiceRed Hat Enterprise Linux 9.0 Extended Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8.2 Advanced Update SupportRed Hat Enterprise Linux 9.2 Extended Update SupportRed Hat Enterprise Linux 8.2 Update Services for SAP SolutionsRed Hat Enterprise Linux 8
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-3772
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.45% / 36.30%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 15:47
Updated-07 Nov, 2025 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: xfrm: null pointer dereference in xfrm_update_ae_params()

A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.

Action-Not Available
Vendor-Linux Kernel Organization, IncFedora ProjectRed Hat, Inc.Debian GNU/Linux
Product-debian_linuxlinux_kernelfedoraenterprise_linuxenterprise_linux_for_real_time_for_nfventerprise_linux_for_real_timeRed Hat Enterprise Linux 9Red Hat Enterprise Linux 6Red Hat Virtualization 4 for Red Hat Enterprise Linux 8Red Hat Enterprise Linux 8Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8.8 Extended Update Support
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-3603
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.1||LOW
EPSS-0.77% / 51.03%
||
7 Day CHG~0.00%
Published-21 Jul, 2023 | 19:09
Updated-26 Sep, 2024 | 20:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Processing sftp server read may cause null dereference

A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued.

Action-Not Available
Vendor-libsshn/aRed Hat, Inc.Fedora Project
Product-libsshlibsshRed Hat Enterprise Linux 9Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Extra Packages for Enterprise Linux 7Fedora
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-3355
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.29% / 20.61%
||
7 Day CHG+0.02%
Published-28 Jun, 2023 | 00:00
Updated-05 Mar, 2025 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Null pointer dereference in submit_lookup_cmds() in drivers/gpu/drm/msm/msm_gem_submit.c

A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.

Action-Not Available
Vendor-n/aFedora ProjectLinux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelRed Hat Enterprise Linux 8FedoraRed Hat Enterprise Linux 7Red Hat Enterprise Linux 9kernelRed Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-32252
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-4.06% / 89.42%
||
7 Day CHG~0.00%
Published-24 Jul, 2023 | 15:19
Updated-27 Aug, 2024 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session null pointer dereference denial-of-service vulnerability

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_LOGOFF commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

Action-Not Available
Vendor-n/aNetApp, Inc.Fedora ProjectLinux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelh500sh410s_firmwareh700s_firmwareh300s_firmwareh500s_firmwareh410c_firmwareh410sh410ch300sh700sRed Hat Enterprise Linux 9kernelRed Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Fedora
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-39835
Matching Score-6
Assigner-Go Project
ShareView Details
Matching Score-6
Assigner-Go Project
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 28.88%
||
7 Day CHG+0.16%
Published-22 May, 2026 | 02:31
Updated-03 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

Action-Not Available
Vendor-golang.org/x/cryptoRed Hat, Inc.Go
Product-cryptogolang.org/x/crypto/sshRed Hat OpenStack Platform 16.2Red Hat Advanced Cluster Security for Kubernetes 4.9Zero Trust Workload Identity Manager - Tech PreviewRed Hat Openshift Data Foundation 4Red Hat Quay 3OpenShift API for Data ProtectionOpenShift PipelinesMulticluster Engine for KubernetesSecurity Profiles OperatorZero Trust Workload Identity ManagerBuilds for Red Hat OpenShiftRed Hat OpenShift GitOpsExternal Secrets Operator for Red Hat OpenShiftRed Hat OpenShift on AWScert-manager Operator for Red Hat OpenShiftRed Hat OpenShift AI (RHOAI)Confidential Compute AttestationRed Hat Edge Manager 1Red Hat OpenShift Dev SpacesRed Hat OpenStack Platform 18.0Red Hat Advanced Cluster Security for Kubernetes 4.10Red Hat Enterprise Linux 10Red Hat OpenShift Dev Workspaces OperatorRed Hat Advanced Cluster Management for Kubernetes 2Red Hat Enterprise Linux 9Red Hat Trusted Artifact SignerRed Hat Enterprise Linux 8Cryostat 4OpenShift ServerlessRed Hat Advanced Cluster Security 4Red Hat Ceph Storage 9Red Hat OpenShift for Windows ContainersRed Hat OpenShift Virtualization 4Red Hat OpenStack Platform 17.1Assisted Installer for Red Hat OpenShift Container Platform 2Red Hat OpenShift Container Platform 4
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-32248
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-4.06% / 89.42%
||
7 Day CHG~0.00%
Published-24 Jul, 2023 | 15:19
Updated-02 Aug, 2024 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tree connection null pointer dereference denial-of-service vulnerability

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the handling of SMB2_TREE_CONNECT and SMB2_QUERY_INFO commands. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

Action-Not Available
Vendor-n/aNetApp, Inc.Fedora ProjectLinux Kernel Organization, IncRed Hat, Inc.
Product-linux_kernelh500sh410sh410ch300sh700sRed Hat Enterprise Linux 9kernelRed Hat Enterprise Linux 6Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Fedora
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-3106
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.28% / 19.47%
||
7 Day CHG~0.00%
Published-12 Jul, 2023 | 08:27
Updated-20 Nov, 2025 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel: netlink socket crash (null pointer deref) in netlink_dump function

A NULL pointer dereference vulnerability was found in netlink_dump. This issue can occur when the Netlink socket receives the message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type message, and the DUMP flag is set and can cause a denial of service or possibly another unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely.

Action-Not Available
Vendor-Red Hat, Inc.Fedora ProjectLinux Kernel Organization, Inc
Product-fedoralinux_kernelRed Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat Enterprise Linux 9
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2018-16871
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.78% / 84.62%
||
7 Day CHG~0.00%
Published-30 Jul, 2019 | 16:19
Updated-05 Aug, 2024 | 10:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to 4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost.

Action-Not Available
Vendor-NetApp, Inc.Linux Kernel Organization, IncRed Hat, Inc.
Product-enterprise_linux_serverh300eenterprise_linux_server_eush500scloud_backupenterprise_linux_server_ausenterprise_linuxh410c_firmwareh300s_firmwareh410sh300sh300e_firmwaredeveloper_toolslinux_kernelh500emrg_realtimeenterprise_linux_workstationh410s_firmwareh500s_firmwareh500e_firmwareh700s_firmwareenterprise_linux_eush700eh410centerprise_linux_server_tush700e_firmwareh700senterprise_linux_desktopkernel:
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-2908
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.50% / 38.88%
||
7 Day CHG-0.01%
Published-30 Jun, 2023 | 00:00
Updated-03 Nov, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Libtiff: null pointer dereference in tif_dir.c

A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.

Action-Not Available
Vendor-n/aLibTIFFRed Hat, Inc.Fedora Project
Product-libtiffRed Hat Enterprise Linux 6Red Hat Enterprise Linux 9Red Hat Enterprise Linux 7FedoraLibtiffRed Hat Enterprise Linux 8
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-3238
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.67% / 83.91%
||
7 Day CHG+0.03%
Published-08 Jun, 2026 | 07:34
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Samba: denial of service against ad dc wins server

A flaw was found in Samba’s WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Container Platform 4Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6Red Hat OpenShift Container Platform 4Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2026-29785
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.66% / 47.00%
||
7 Day CHG+0.17%
Published-25 Mar, 2026 | 19:38
Updated-30 Jun, 2026 | 12:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NATS Server panic via malicious compression on leafnode port

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.

Action-Not Available
Vendor-nats-ioThe Linux FoundationRed Hat, Inc.
Product-nats-servernats-serverMulticluster Global Hub 1.4.5Multicluster Global Hub 1.6.2Red Hat OpenShift Container Platform 4Multicluster Global Hub 1.5.4
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CWE ID-CWE-476
NULL Pointer Dereference
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found