CWE-476

NULL Pointer Dereference

Abstraction: Base · Exploit likelihood: Medium

What it is

The product dereferences a pointer that it expects to be valid but is NULL.

Impact

  • Availability: DoS (Crash, Exit, or Restart)
  • Integrity, Confidentiality: Execute Unauthorized Code or Commands, Read Memory, Modify Memory

Mitigations

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.
  • [Implementation] Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
  • [Architecture and Design] Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
  • [Implementation] Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
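
The NULL-check and locking mitigations above, as an added example in C (not part of the MITRE entry). The `session` structure and the `session_*` function names are hypothetical; the point is that every pointer that can be NULL is checked, and the shared pointer is checked and used under the same lock.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical shared state: any thread may replace or clear g_session. */
struct session { char user[32]; };
static struct session *g_session;      /* explicitly NULL until opened */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

/* Returns 0 on success, -1 if user is NULL or the allocation failed. */
int session_open(const char *user) {
    if (user == NULL) return -1;               /* caller-supplied pointer */
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return -1;                  /* calloc can return NULL */
    snprintf(s->user, sizeof s->user, "%s", user);
    pthread_mutex_lock(&g_lock);
    free(g_session);
    g_session = s;
    pthread_mutex_unlock(&g_lock);
    return 0;
}

void session_close(void) {
    pthread_mutex_lock(&g_lock);
    free(g_session);
    g_session = NULL;
    pthread_mutex_unlock(&g_lock);
}

/* Copies the current user into out. Returns 0, or -1 if there is no session.
 * The lock is taken before the NULL check and held through the last use, so
 * session_close() cannot clear the pointer between check and dereference. */
int session_user(char *out, size_t outlen) {
    int rc = -1;
    if (out == NULL || outlen == 0) return -1;
    pthread_mutex_lock(&g_lock);
    if (g_session != NULL) {
        snprintf(out, outlen, "%s", g_session->user);
        rc = 0;
    }
    pthread_mutex_unlock(&g_lock);
    return rc;
}

int main(void) {
    char buf[32];
    if (session_open("alice") == 0 && session_user(buf, sizeof buf) == 0) puts(buf);
    session_close();
    return session_user(buf, sizeof buf) == -1 ? 0 : 1;
}
```

Checking `g_session` outside the lock and dereferencing it inside (or the reverse) would reintroduce the race the first mitigation warns about.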

Real-world CVE examples

  • CVE-2024-41130 — C++ library for LLM inference has NULL pointer dereference if a read operation fails
  • CVE-2005-3274 — race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
  • CVE-2002-1912 — large number of packets leads to NULL dereference
  • CVE-2005-0772 — packet with invalid error status value triggers NULL dereference
  • CVE-2009-4895 — Chain: race condition for an argument value, possibly resulting in NULL dereference
  • CVE-2020-29652 — ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
  • CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer derefer
  • CVE-2009-3547 — Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
  • CVE-2009-3620 — Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
  • CVE-2009-2698 — Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
  • CVE-2009-0949 — Chain: improper initialization of memory can lead to NULL dereference

Source: MITRE CWE. View on cwe.mitre.org →
