CWE-476: NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
🏆 CWE Top 25 Historical Ranking
Security Consequences
Scope
Impact
NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.
Scope
Impact
In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.
Mitigation Strategies
Phase
Description
Select a programming language that is not susceptible to these issues.
Phase
Description
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Effectiveness
ModeratePhase
Description
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Phase
Description
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().
In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.
This Android application has registered to handle a URL when sent an intent:
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.
If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err.
Observed CVE Examples (23)
Chain: race condition for an argument value, possibly resulting in NULL dereference
View Detailsssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
View DetailsChain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
View DetailsChain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
View DetailsChain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
View DetailsChain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
View DetailsChain: uninitialized function pointers can be dereferenced allowing code execution
View DetailsChain: game server can access player data structures before initialization has happened leading to NULL dereference
View DetailsChain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
View DetailsChain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
View DetailsSSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
View DetailsNetwork monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
View DetailsNetwork monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.
View DetailsChat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.
View DetailsServer allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.
View DetailsOS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.
View DetailsGame allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.
View DetailsNetwork monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.
View DetailsChain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-476: NULL Pointer Dereference?+
CWE-476: NULL Pointer Dereference is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product dereferences a pointer that it expects to be valid but is NULL.
Is CWE-476 in the CWE Top 25 Most Dangerous Software Weaknesses?+
Yes. CWE-476 ranked #11 in the CWE Top 25 for 2024, associated with 1,625 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.
What are the security consequences of NULL Pointer Dereference?+
If exploited, CWE-476 (NULL Pointer Dereference) it can compromise Availability, Integrity and Confidentiality, leading to outcomes such as DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory and Modify Memory.
How do you prevent or mitigate NULL Pointer Dereference?+
Recommended mitigations for CWE-476 include: Select a programming language that is not susceptible to these issues. Check the results of all functions that return a value and verify that the value is non-null before acting upon it. Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Which programming languages are affected by NULL Pointer Dereference?+
CWE-476 commonly affects C, C++, Java, C# and Go. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of NULL Pointer Dereference?+
MITRE documents real CVEs mapped to CWE-476, including CVE-2002-1912, CVE-2005-0772, CVE-2009-4895, CVE-2020-29652 and CVE-2009-2692. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-476 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.
Learn More
Search for vulnerabilities that exploit CWE-476
See how this weakness ranks against others
Understanding vulnerabilities vs weaknesses
How vulnerability severity is measured
Complete technical details and references