CWE-476: NULL Pointer Dereference
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product dereferences a pointer that it expects to be valid but is NULL.
常见后果
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart
说明: NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.
影响范围: Integrity Confidentiality
技术影响: Execute Unauthorized Code or Commands Read Memory Modify Memory
说明: In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.
潜在缓解措施
阶段: Implementation
描述: For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
阶段: Requirements
描述: Select a programming language that is not susceptible to these issues.
阶段: Implementation
描述: Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
有效性: Moderate
阶段: Architecture and Design
描述: Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
阶段: Implementation
描述: Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
检测方法
方法: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
有效性: Moderate
方法: Manual Dynamic Analysis
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2005-3274
race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
参考: CVE-2002-1912
large number of packets leads to NULL dereference
参考: CVE-2005-0772
packet with invalid error status value triggers NULL dereference
参考: CVE-2009-4895
Chain: race condition for an argument value, possibly resulting in NULL dereference
参考: CVE-2020-29652
ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
参考: CVE-2009-2692
Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
参考: CVE-2009-3547
Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
参考: CVE-2009-3620
Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
参考: CVE-2009-2698
Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
参考: CVE-2009-2692
Chain: uninitialized function pointers can be dereferenced allowing code execution
参考: CVE-2009-0949
Chain: improper initialization of memory can lead to NULL dereference
参考: CVE-2008-3597
Chain: game server can access player data structures before initialization has happened leading to NULL dereference
参考: CVE-2020-6078
Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
参考: CVE-2008-0062
Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
参考: CVE-2008-5183
Chain: unchecked return value can lead to NULL dereference
参考: CVE-2004-0079
SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
参考: CVE-2004-0365
Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
参考: CVE-2003-1013
Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.
参考: CVE-2003-1000
Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.
参考: CVE-2004-0389
Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.
参考: CVE-2004-0119
OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.
参考: CVE-2004-0458
Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.
参考: CVE-2002-0401
Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.
参考: CVE-2001-1559
Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Null Dereference | - |
| CLASP | - | Null-pointer dereference | - |
| PLOVER | - | Null Dereference (Null Pointer Dereference) | - |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE More Specific |
| CERT C Secure Coding | EXP34-C | Do not dereference null pointers | Exact |
| Software Fault Patterns | SFP7 | Faulty Pointer Use | - |