This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
CWE-476 Base Stable
NULL Pointer Dereference
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.
Definition
What is CWE-476?
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.
A NULL pointer dereference happens when software fails to properly validate that a pointer points to a valid memory location before using it. This typically stems from missing or incorrect error checks after function calls that can return NULL, or from mishandling unexpected states in the code's logic. When the program then tries to read from or write to this NULL address, the system halts execution, leading to a crash, denial of service, or in some environments, a potential avenue for further exploitation.
To prevent this, developers should adopt defensive programming practices. Always check pointers for NULL values after any operation that could potentially return one, especially system calls, memory allocations, or functions that fetch resources. Using static analysis tools can help catch these issues early, and implementing safe default behaviors or graceful error handling ensures the program remains stable even when unexpected NULL values are encountered.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-476
-
race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
-
large number of packets leads to NULL dereference
-
packet with invalid error status value triggers NULL dereference
-
Chain: race condition for an argument value, possibly resulting in NULL dereference
-
ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
-
Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
-
Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
-
Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
- 2
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().
- 3
Note that this code is also vulnerable to a buffer overflow (CWE-119).
- 4
In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.
- 5
This Android application has registered to handle a URL when sent an intent:
Verwundbares Codebeispiel
Vulnerable C
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
void host_lookup(char *user_supplied_addr){
struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);
```
/*routine that ensures user_supplied_addr is in the right format for conversion */*
validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(hostname, hp->h_name);} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-476
- Implementation For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- Requirements Select a programming language that is not susceptible to these issues.
- Implementation Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
- Architecture and Design Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
- Implementation Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
Erkennungssignale
How to detect CWE-476
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Plexicus erkennt CWE-476 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-476?
Wie gravierend ist CWE-476?
Welche Sprachen oder Plattformen sind von CWE-476 betroffen?
Wie kann ich CWE-476 verhindern?
Wie erkennt und behebt Plexicus CWE-476?
Wo erfahre ich mehr über CWE-476?
Frequently asked questions
Was ist CWE-476?
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.
Wie gravierend ist CWE-476?
MITRE stuft die Exploit-Wahrscheinlichkeit als mittel ein — eine Ausnutzung ist realistisch, erfordert aber meist bestimmte Bedingungen.
Welche Sprachen oder Plattformen sind von CWE-476 betroffen?
MITRE lists the following affected platforms: C, C++, Java, C#, Go.
Wie kann ich CWE-476 verhindern?
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484]. Select a programming language that is not susceptible to these issues.
Wie erkennt und behebt Plexicus CWE-476?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-476 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-476?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/476.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-476
CWE-710 Parent
Improper Adherence to Coding Standards
This weakness occurs when developers don't consistently follow established coding standards and best practices, which can introduce…
CWE-1041 Sibling
Use of Redundant Code
This weakness occurs when a codebase contains identical or nearly identical logic duplicated across multiple functions, methods, or…
CWE-1044 Sibling
Architecture with Number of Horizontal Layers Outside of Expected Range
This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended…
CWE-1048 Sibling
Invokable Control Element with Large Number of Outward Calls
This weakness occurs when a single function, method, or callable code block makes an excessively high number of calls to other objects or…
CWE-1059 Sibling
Insufficient Technical Documentation
This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about…
CWE-1061 Sibling
Insufficient Encapsulation
This weakness occurs when a software component exposes too much of its internal workings, such as data structures or implementation logic.…
CWE-1065 Sibling
Runtime Resource Management Control Element in a Component Built to Run on Application Servers
This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead…
CWE-1066 Sibling
Missing Serialization Control Element
This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle…
CWE-1068 Sibling
Inconsistency Between Implementation and Documented Design
This weakness occurs when the actual code implementation deviates from the intended design described in its official documentation,…
Ressourcen
Further reading
- MITRE — offizielle CWE-476 https://cwe.mitre.org/data/definitions/476.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
- The CLASP Application Security Process https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
- Null pointer / Null dereferencing https://en.wikipedia.org/wiki/Null_pointer#Null_dereferencing
- Null Reference Creation and Null Pointer Dereference https://developer.apple.com/documentation/xcode/null-reference-creation-and-null-pointer-dereference
- NULL Pointer Dereference [CWE-476] https://www.immuniweb.com/vulnerability/null-pointer-dereference.html
- D3FEND: D3-NPC Null Pointer Checking https://d3fend.mitre.org/technique/d3f:NullPointerChecking//
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.