free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)

Summary free5GC's UDR nudr-dr DELETE /subscription-data/ueId/servingPlmnId/ee-subscriptions/subsId/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks , ok =...

free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference

Summary free5GC's NEF PATCH /3gpp-pfd-management/v1/afId/transactions/transId/applications/appId handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil ProblemDetails. The handler's errPfdData != nil branch...

GHSA-J59F-X285-69JX free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference

Summary free5GC's NEF PATCH /3gpp-pfd-management/v1/afId/transactions/transId/applications/appId handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil ProblemDetails. The handler's errPfdData != nil branch...

CVE-2026-43410

A flaw was found in the Linux kernel's stratix10-rsu firmware driver. When the Remote System Update RSU is not enabled in the First Stage Boot Loader FSBL, the driver attempts to access an already-freed channel. This can lead to a NULL pointer dereference, causing a kernel panic and resulting in ...

Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the provisioningOfTrafficRoutingInfo function when a POST request to the app-session creation endpoint includes suppFeat set to "1" and a medComponents entry with afAppId present b...

free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

Summary free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" enabling traffic-routing feature negotiation and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls...

GHSA-WR8J-6CHW-GM6P free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference

Summary free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler HandleCreateSmPolicyRequest panics with a nil-pointer dereference when a downstream OpenAPI consumer call UDR lookup returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The...

gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers

Summary CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates returns an empty slice with no error,...

GHSA-7C37-GX6W-8VC5 gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers

Summary CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates returns an empty slice with no error,...

EUVD-2026-28564

In the Linux kernel, the following vulnerability has been resolved: drm: renesas: rz-du: mipidsi: fix kernel panic when rebooting for some panels Since commit 56de5e305d4b "clk: renesas: r9a07g044: Add MSTOP for RZ/G2L" we may get the following kernel panic, for some panels, when rebooting:...

CVE-2026-43416

In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current-mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current-mm, similarly to commit 20afc60f892d "x86,...

CVE-2026-41584

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity a "zero"...

CVE-2026-43416

In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current-mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current-mm, similarly to commit 20afc60f892d "x86,...

CVE-2026-43410

In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled When the Remote System Update RSU isn't enabled in the First Stage Boot Loader FSBL, the driver encounters a NULL pointer dereference when excute...

UBUNTU-CVE-2026-43410

In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled When the Remote System Update RSU isn't enabled in the First Stage Boot Loader FSBL, the driver encounters a NULL pointer dereference when excute...

UBUNTU-CVE-2026-43416

In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current-mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current-mm, similarly to commit 20afc60f892d "x86,...

CVE-2026-41584 ZEBRA: rk Identity Point Panic in Transaction Verification

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity a "zero"...

CVE-2026-43424

The CVE concerns the Linux kernel USB gadget f_tcm nexus handling. The tpg->tpg_nexus pointer used by the BOT command/data paths can be NULL during race windows (before nexus is established or after it’s dropped). Dereferencing tv_nexus->tvn_se_sess without a NULL check leads to a kernel pa...

CVE-2026-43424 usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ftcm: Fix NULL pointer dereferences in nexus handling The tpg-tpgnexus pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends...

CVE-2026-43416

In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current-mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current-mm, similarly to commit 20afc60f892d "x86,...