CWE-476: NULL Pointer Dereference

Weakness ID: 476
Vulnerability Mapping: ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Abstraction: Base (a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.)
Description
The product dereferences a pointer that it expects to be valid but is NULL.

![Diagram for CWE-476](https://cdn.statically.io/img/cwe.mitre.org/data/images/CWE-476-Diagram.png)
Alternate Terms
NPD: Common abbreviation for Null Pointer Dereference
null deref: Common abbreviation for Null Pointer Dereference
NPE: Common abbreviation for Null Pointer Exception
nil pointer dereference: used for access of nil in Go programs
Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood
---|---|---
Availability | Technical Impact: DoS: Crash, Exit, or Restart. NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation. | 
Integrity, Confidentiality | Technical Impact: Execute Unauthorized Code or Commands; Read Memory; Modify Memory. In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution. | 
Potential Mitigations
Phase: Implementation. If all pointers that could have been modified are checked for NULL before use, nearly all NULL pointer dereferences can be prevented.
Phase: Requirements. Select a programming language that is not susceptible to these issues.
Phase: Implementation. Check the results of all functions that return a value and verify that the value is non-null before acting upon it. Note: Checking the return value of the function will typically be sufficient; however, beware of race conditions (CWE-362) in a concurrent environment. This solution does not handle the use of improperly initialized variables (CWE-665).
Phase: Architecture and Design. Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Phase: Implementation. Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)

Nature | Type | ID | Name
---|---|---|---
ChildOf | Class | 754 | Improper Check for Unusual or Exceptional Conditions
ChildOf | Pillar | 710 | Improper Adherence to Coding Standards
CanFollow | Base | 252 | Unchecked Return Value
CanFollow | Class | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CanFollow | Variant | 789 | Memory Allocation with Excessive Size Value
CanFollow | Base | 1325 | Improperly Controlled Sequential Memory Allocation

Type definitions: Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.
Relevant to the view "Software Development" (CWE-699)

Nature | Type | ID | Name
---|---|---|---
MemberOf | Category (a CWE entry that contains a set of other entries that share a common characteristic) | 465 | Pointer Issues
Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)

Nature | Type | ID | Name
---|---|---|---
ChildOf | Class | 754 | Improper Check for Unusual or Exceptional Conditions
Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Likelihood Of Exploit

Demonstrative Examples

Example 1
While there are no complete fixes aside from conscientious programming, the following steps will go a long way to ensure that NULL pointer dereferences do not occur.

```c
if (pointer1 != NULL) {
    /* make use of pointer1 */
    /* ... */
}
```
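The check in Example 1 only protects the use that follows it if the pointer cannot be changed by another thread in between; the note below says to lock before the if statement and unlock afterwards. The following is an added example of that discipline (not code from the CWE entry), using POSIX mutexes around a shared pointer that another thread may release; `shared_buf`, `shared_use` and `shared_release` are names chosen here.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* A pointer shared between threads. Any thread may release it, so a NULL
 * check is only meaningful while the lock is held. */
struct shared_buf {
    pthread_mutex_t lock;
    char *data;   /* NULL once released */
};

/* Initialise with a private copy of `initial` (NULL means "no data yet"). */
int shared_init(struct shared_buf *s, const char *initial)
{
    s->data = NULL;
    if (pthread_mutex_init(&s->lock, NULL) != 0) return -1;
    if (initial != NULL) {
        size_t len = strlen(initial) + 1;
        s->data = malloc(len);
        if (s->data == NULL) return -1;   /* check the allocator too (CWE-252) */
        memcpy(s->data, initial, len);
    }
    return 0;
}

/* Release the buffer under the lock; later users observe NULL, never a
 * dangling pointer. Safe to call more than once. */
void shared_release(struct shared_buf *s)
{
    pthread_mutex_lock(&s->lock);
    free(s->data);
    s->data = NULL;
    pthread_mutex_unlock(&s->lock);
}

/* The check and the use happen inside one critical section. Returns the
 * data length, or -1 when the pointer is NULL. Checking outside the lock
 * would leave a window (CWE-362) in which another thread's shared_release()
 * turns the use into CWE-476. */
long shared_use(struct shared_buf *s)
{
    long result = -1;
    pthread_mutex_lock(&s->lock);          /* lock before the if statement */
    if (s->data != NULL) {
        result = (long)strlen(s->data);    /* make use of s->data */
    }
    pthread_mutex_unlock(&s->lock);        /* unlock when finished */
    return result;
}

/* Self-check exercising init / use / release / use. Returns 1 on success. */
int shared_self_check(void)
{
    struct shared_buf sb;
    if (shared_init(&sb, "hello") != 0) return 0;   /* constructed input */
    if (shared_use(&sb) != 5) return 0;
    shared_release(&sb);
    if (shared_use(&sb) != -1) return 0;   /* NULL is reported, not dereferenced */
    shared_release(&sb);                   /* idempotent */
    pthread_mutex_destroy(&sb.lock);
    return 1;
}
```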
When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement, and unlock when it has finished.

Example 2
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

(bad code) Example Language: C
```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
void validate_addr_form(char *addr); /* external: ensures the address is in the right format for conversion */
void host_lookup(char *user_supplied_addr){
    struct hostent *hp; in_addr_t addr; char hostname[64];
    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET); /* NULL when the address does not resolve */
    strcpy(hostname, hp->h_name); /* hp never checked: CWE-476; unbounded copy: CWE-119 */
}
```
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy(). Note that this code is also vulnerable to a buffer overflow (CWE-119).
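A hardened counterpart to Example 2, added here and not part of the CWE entry: the lookup result is checked before use (CWE-252/CWE-476) and the copy is bounded (CWE-119). The copy step is split into `copy_hostname()` so the NULL and overflow cases can be exercised offline with a constructed `struct hostent`; `inet_pton()` replaces the page's `validate_addr_form()`/`inet_addr()` pair, and all function names here are this example's own.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>

/* Copy hp->h_name into hostname (capacity n). Separated from the network
 * lookup so the NULL handling can be exercised offline.
 * Returns 0 on success, -1 when hp or its name is NULL (the CWE-252/CWE-476
 * case), -2 when the name would not fit (the CWE-119 case). */
int copy_hostname(const struct hostent *hp, char *hostname, size_t n)
{
    if (hp == NULL || hp->h_name == NULL) {
        return -1;
    }
    size_t len = strlen(hp->h_name);
    if (hostname == NULL || n == 0 || len >= n) {
        return -2;
    }
    memcpy(hostname, hp->h_name, len + 1);   /* bounded: len + NUL fits in n */
    return 0;
}

/* Hardened version of the page's host_lookup(): inet_pton() rejects
 * malformed text before any lookup happens, and gethostbyaddr()'s result
 * is checked before it is used.
 * Returns 0 on success, -3 for a malformed address, else copy_hostname()'s code. */
int host_lookup(const char *user_supplied_addr, char *hostname, size_t n)
{
    struct in_addr addr;
    if (user_supplied_addr == NULL ||
        inet_pton(AF_INET, user_supplied_addr, &addr) != 1) {
        return -3;
    }
    struct hostent *hp = gethostbyaddr(&addr, sizeof addr, AF_INET);
    return copy_hostname(hp, hostname, n);   /* hp may be NULL: handled, never dereferenced */
}

/* Offline self-check with a constructed hostent (no DNS needed).
 * Returns 1 when every case behaves as documented. */
int host_lookup_self_check(void)
{
    char buf[64];
    struct hostent he;
    memset(&he, 0, sizeof he);
    if (copy_hostname(&he, buf, sizeof buf) != -1) return 0;   /* h_name is NULL */
    he.h_name = "host.example";                                 /* constructed name */
    if (copy_hostname(&he, buf, sizeof buf) != 0) return 0;
    if (strcmp(buf, "host.example") != 0) return 0;
    if (copy_hostname(&he, buf, 4) != -2) return 0;             /* would overflow */
    if (copy_hostname(NULL, buf, sizeof buf) != -1) return 0;   /* lookup failed */
    return 1;
}
```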
Example 3
In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

(bad code) Example Language: Java

```java
String cmd = System.getProperty("cmd");
cmd = cmd.trim();
```
Example 4
This Android application has registered to handle a URL when sent an intent:

(bad code) Example Language: Java

```java
...
IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL");
MyReceiver receiver = new MyReceiver();
registerReceiver(receiver, filter);
...
public class UrlHandlerReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if ("com.example.URLHandler.openURL".equals(intent.getAction())) {
            String URL = intent.getStringExtra("URLToOpen");
            int length = URL.length();
            ...
        }
    }
}
```
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Example 5
Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.

(bad code) Example Language: Go

```go
func HandleRequest(client http.Client, request *http.Request) (*http.Response, error) {
    response, err := client.Do(request)
    defer response.Body.Close()
    if err != nil {
        return nil, err
    }
    ...
}
```
If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err. This HandleRequest function evaluates the close before checking the error. A deferred call's arguments are evaluated immediately, so the defer statement panics due to a nil response.

Observed Examples

Reference | Description
---|---
| | race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking. |
| | large number of packets leads to NULL dereference |
| | packet with invalid error status value triggers NULL dereference |
| | Chain: race condition for an argument value, possibly resulting in NULL dereference |
| | ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers. |
| | Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476). |
| | Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476) |
| | Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference |
| | Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference |
| | Chain: uninitialized function pointers can be dereferenced allowing code execution |
| | Chain: improper initialization of memory can lead to NULL dereference |
| | Chain: game server can access player data structures before initialization has happened leading to NULL dereference |
| | Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476) |
| | Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption. |
| | Chain: unchecked return value can lead to NULL dereference |
| | SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. |
| | Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. |
| | Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. |
| | Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference. |
| | Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference. |
| | OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection. |
| | Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. |
| | Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference. |
| | Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476). |
Weakness Ordinalities

Ordinality | Description
---|---
Resultant (where the weakness is a quality issue that might indirectly make it easier to introduce security-relevant weaknesses or make them more difficult to detect) | NULL pointer dereferences are frequently resultant from rarely encountered error conditions and race conditions, since these are most likely to escape detection during the testing phases.
Detection Methods

Automated Dynamic Analysis: This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Manual Dynamic Analysis: Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Vulnerability Mapping Notes
Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)
Reason: Acceptable-Use
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | Null Dereference
CLASP | | | Null-pointer dereference
PLOVER | | | Null Dereference (Null Pointer Dereference)
OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service
CERT C Secure Coding | EXP34-C | Exact | Do not dereference null pointers
Software Fault Patterns | SFP7 | | Faulty Pointer Use
References

Content History

Submissions
Submission Date | Submitter | Organization
---|---|---
2006-07-19 (CWE Draft 3, 2006-07-19) | 7 Pernicious Kingdoms | 

Contributions
Contribution Date | Contributor | Organization | Contribution
---|---|---|---
2024-02-29 (CWE 4.15, 2024-07-16) | Abhi Balakrishnan | | Provided diagram to improve CWE usability

Modifications
Modification Date | Modifier | Organization | Modification
---|---|---|---
2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction
2008-08-01 | | KDM Analytics | added/updated white box definitions
2008-09-08 | CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2009-05-27 | CWE Content Team | MITRE | updated Demonstrative_Examples
2009-10-29 | CWE Content Team | MITRE | updated Relationships
2009-12-28 | CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Weakness_Ordinalities
2010-02-16 | CWE Content Team | MITRE | updated Potential_Mitigations, Relationships
2010-06-21 | CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Detection_Factors, Potential_Mitigations
2010-09-27 | CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, Relationships
2010-12-13 | CWE Content Team | MITRE | updated Relationships
2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences
2011-06-27 | CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships
2011-09-13 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2012-05-11 | CWE Content Team | MITRE | updated Observed_Examples, Related_Attack_Patterns, Relationships
2014-02-18 | CWE Content Team | MITRE | updated Demonstrative_Examples
2014-07-30 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2015-12-07 | CWE Content Team | MITRE | updated Relationships
2017-01-19 | CWE Content Team | MITRE | updated Relationships
2017-11-08 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings, White_Box_Definitions
2019-01-03 | CWE Content Team | MITRE | updated Relationships
2019-06-20 | CWE Content Team | MITRE | updated Relationships
2019-09-19 | CWE Content Team | MITRE | updated References, Relationships
2020-02-24 | CWE Content Team | MITRE | updated References
2020-06-25 | CWE Content Team | MITRE | updated Common_Consequences
2020-08-20 | CWE Content Team | MITRE | updated Relationships
2020-12-10 | CWE Content Team | MITRE | updated Relationships
2021-03-15 | CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples
2021-07-20 | CWE Content Team | MITRE | updated Relationships
2022-04-28 | CWE Content Team | MITRE | updated Alternate_Terms
2022-06-28 | CWE Content Team | MITRE | updated Relationships
2022-10-13 | CWE Content Team | MITRE | updated Alternate_Terms, Applicable_Platforms, Observed_Examples
2023-04-27 | CWE Content Team | MITRE | updated Demonstrative_Examples, Detection_Factors, References, Relationships
2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes, Relationships
2023-10-26 | CWE Content Team | MITRE | updated Observed_Examples
2024-07-16 (CWE 4.15, 2024-07-16) | CWE Content Team | MITRE | updated Alternate_Terms, Demonstrative_Examples, Description, Diagram, Potential_Mitigations, Relationships, Weakness_Ordinalities