NULL Pointer Dereference

Description

This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.

Extended Description

A NULL pointer dereference happens when software fails to properly validate that a pointer points to a valid memory location before using it. This typically stems from missing or incorrect error checks after function calls that can return NULL, or from mishandling unexpected states in the code's logic. When the program then tries to read from or write to this NULL address, the system halts execution, leading to a crash, denial of service, or in some environments, a potential avenue for further exploitation. To prevent this, developers should adopt defensive programming practices. Always check pointers for NULL values after any operation that could potentially return one, especially system calls, memory allocations, or functions that fetch resources. Using static analysis tools can help catch these issues early, and implementing safe default behaviors or graceful error handling ensures the program remains stable even when unexpected NULL values are encountered.

Common Consequences 2

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.

Scope: IntegrityConfidentiality

Impact: Execute Unauthorized Code or CommandsRead MemoryModify Memory

In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.

Detection Methods 3

Automated Dynamic AnalysisModerate

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Manual Dynamic Analysis

Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 5

Phase: Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Phase: Requirements

Select a programming language that is not susceptible to these issues.

Phase: Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Effectiveness: Moderate

Phase: Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Phase: Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

Demonstrative Examples 4

ID : DX-1

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

Code Example:

Bad

/*routine that ensures user_supplied_addr is in the right format for conversion /

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (Unchecked Return Value), a NULL pointer dereference (NULL Pointer Dereference) would then occur in the call to strcpy().

Note that this code is also vulnerable to a buffer overflow (Improper Restriction of Operations within the Bounds of a Memory Buffer).

In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.

Code Example:Bad
Java
java

ID : DX-110

This Android application has registered to handle a URL when sent an intent:

Code Example:

Bad

Java

...* IntentFilter filter = new IntentFilter("com.example.URLHandler.openURL"); MyReceiver receiver = new MyReceiver(); registerReceiver(receiver, filter);

java

java

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.

Code Example:Bad
Go
go

If a user supplies a malformed request or violates the client policy, the Do method can return a nil response and a non-nil err.

This HandleRequest Function evaluates the close before checking the error. A deferred call's arguments are evaluated immediately, so the defer statement panics due to a nil response.

Observed Examples 24

CVE-2005-3274race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.

CVE-2002-1912large number of packets leads to NULL dereference

CVE-2005-0772packet with invalid error status value triggers NULL dereference

CVE-2009-4895Chain: race condition for an argument value, possibly resulting in NULL dereference

CVE-2020-29652ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.

CVE-2009-2692Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (Missing Initialization of a Variable) causes a crash because of a null pointer dereference (NULL Pointer Dereference).

CVE-2009-3547Chain: race condition (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) might allow resource to be released before operating on it, leading to NULL dereference (NULL Pointer Dereference)

CVE-2009-3620Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference

CVE-2009-2698Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference

CVE-2009-2692Chain: uninitialized function pointers can be dereferenced allowing code execution

CVE-2009-0949Chain: improper initialization of memory can lead to NULL dereference

CVE-2008-3597Chain: game server can access player data structures before initialization has happened leading to NULL dereference

CVE-2020-6078Chain: The return value of a function returning a pointer is not checked for success (Unchecked Return Value) resulting in the later use of an uninitialized variable (Missing Initialization of a Variable) and a null pointer dereference (NULL Pointer Dereference)

CVE-2008-0062Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (NULL Pointer Dereference) or dangling pointer (Expired Pointer Dereference), possibly crashing the system or causing heap corruption.

CVE-2008-5183Chain: unchecked return value can lead to NULL dereference

CVE-2004-0079SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.

CVE-2004-0365Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.

CVE-2003-1013Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.

CVE-2003-1000Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.

CVE-2004-0389Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.

CVE-2004-0119OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.

CVE-2004-0458Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.

CVE-2002-0401Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.

CVE-2001-1559Chain: System call returns wrong value (Return of Wrong Status Code), leading to a resultant NULL dereference (NULL Pointer Dereference).

References 6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

Null pointer / Null dereferencing

Wikipedia

15-07-2019

https://en.wikipedia.org/wiki/Null_pointer#Null_dereferencing

ID: REF-1031

Null Reference Creation and Null Pointer Dereference

Apple

https://developer.apple.com/documentation/xcode/null-reference-creation-and-null-pointer-dereference(2023-04-07)

ID: REF-1032

NULL Pointer Dereference [CWE-476]

ImmuniWeb

11-09-2012

https://www.immuniweb.com/vulnerability/null-pointer-dereference.html

ID: REF-1033

D3FEND: D3-NPC Null Pointer Checking

D3FEND

https://d3fend.mitre.org/technique/d3f:NullPointerChecking//(2025-09-08)

ID: REF-1484

Likelihood of Exploit

Medium

Applicable Platforms

Languages:

C : UndeterminedC++ : UndeterminedJava : UndeterminedC# : UndeterminedGo : Undetermined

Modes of Introduction

Implementation

Alternate Terms

NPD

Common abbreviation for Null Pointer Dereference

null deref

Common abbreviation for Null Pointer Dereference

NPE

Common abbreviation for Null Pointer Exception

nil pointer dereference

used for access of nil in Go programs

Related Weaknesses

ChildOf:

Improper Adherence to Coding Standards (CWE-710)

ChildOf:

Improper Check for Unusual or Exceptional Conditions (CWE-754)

ChildOf:

Improper Check for Unusual or Exceptional Conditions (CWE-754)

Taxonomy Mapping

7 Pernicious Kingdoms
CLASP
PLOVER
OWASP Top Ten 2004
CERT C Secure Coding
Software Fault Patterns