This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
CWE-476 Base Estable
NULL Pointer Dereference
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.
Definición
What is CWE-476?
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.
A NULL pointer dereference happens when software fails to properly validate that a pointer points to a valid memory location before using it. This typically stems from missing or incorrect error checks after function calls that can return NULL, or from mishandling unexpected states in the code's logic. When the program then tries to read from or write to this NULL address, the system halts execution, leading to a crash, denial of service, or in some environments, a potential avenue for further exploitation.
To prevent this, developers should adopt defensive programming practices. Always check pointers for NULL values after any operation that could potentially return one, especially system calls, memory allocations, or functions that fetch resources. Using static analysis tools can help catch these issues early, and implementing safe default behaviors or graceful error handling ensures the program remains stable even when unexpected NULL values are encountered.
Impacto en el mundo real
Real-world CVEs caused by CWE-476
-
race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
-
large number of packets leads to NULL dereference
-
packet with invalid error status value triggers NULL dereference
-
Chain: race condition for an argument value, possibly resulting in NULL dereference
-
ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
-
Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
-
Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
-
Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
- 2
If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().
- 3
Note that this code is also vulnerable to a buffer overflow (CWE-119).
- 4
In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.
- 5
This Android application has registered to handle a URL when sent an intent:
Ejemplo de código vulnerable
Vulnerable C
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
void host_lookup(char *user_supplied_addr){
struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);
```
/*routine that ensures user_supplied_addr is in the right format for conversion */*
validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(hostname, hp->h_name);} Ejemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-476
- Implementation For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- Requirements Select a programming language that is not susceptible to these issues.
- Implementation Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
- Architecture and Design Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
- Implementation Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
Señales de detección
How to detect CWE-476
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Plexicus detecta automáticamente CWE-476 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-476?
¿Qué gravedad tiene CWE-476?
¿Qué lenguajes o plataformas se ven afectados por CWE-476?
¿Cómo puedo prevenir CWE-476?
¿Cómo detecta y corrige Plexicus CWE-476?
¿Dónde puedo aprender más sobre CWE-476?
Frequently asked questions
¿Qué es CWE-476?
This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior.
¿Qué gravedad tiene CWE-476?
MITRE califica la probabilidad de explotación como Media — la explotación es realista pero suele requerir condiciones específicas.
¿Qué lenguajes o plataformas se ven afectados por CWE-476?
MITRE lists the following affected platforms: C, C++, Java, C#, Go.
¿Cómo puedo prevenir CWE-476?
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484]. Select a programming language that is not susceptible to these issues.
¿Cómo detecta y corrige Plexicus CWE-476?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-476 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-476?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/476.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-476
CWE-710 Padre
Improper Adherence to Coding Standards
This weakness occurs when developers don't consistently follow established coding standards and best practices, which can introduce…
CWE-1041 Hermano
Use of Redundant Code
This weakness occurs when a codebase contains identical or nearly identical logic duplicated across multiple functions, methods, or…
CWE-1044 Hermano
Architecture with Number of Horizontal Layers Outside of Expected Range
This occurs when a software system is built with either too many or too few distinct architectural layers, falling outside a recommended…
CWE-1048 Hermano
Invokable Control Element with Large Number of Outward Calls
This weakness occurs when a single function, method, or callable code block makes an excessively high number of calls to other objects or…
CWE-1059 Hermano
Insufficient Technical Documentation
This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about…
CWE-1061 Hermano
Insufficient Encapsulation
This weakness occurs when a software component exposes too much of its internal workings, such as data structures or implementation logic.…
CWE-1065 Hermano
Runtime Resource Management Control Element in a Component Built to Run on Application Servers
This weakness occurs when an application built to run on a managed application server bypasses the server's high-level APIs and instead…
CWE-1066 Hermano
Missing Serialization Control Element
This weakness occurs when a class or data structure is marked as serializable but lacks the required control methods to properly handle…
CWE-1068 Hermano
Inconsistency Between Implementation and Documented Design
This weakness occurs when the actual code implementation deviates from the intended design described in its official documentation,…
Recursos
Further reading
- MITRE — CWE-476 oficial https://cwe.mitre.org/data/definitions/476.html
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
- The CLASP Application Security Process https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
- Null pointer / Null dereferencing https://en.wikipedia.org/wiki/Null_pointer#Null_dereferencing
- Null Reference Creation and Null Pointer Dereference https://developer.apple.com/documentation/xcode/null-reference-creation-and-null-pointer-dereference
- NULL Pointer Dereference [CWE-476] https://www.immuniweb.com/vulnerability/null-pointer-dereference.html
- D3FEND: D3-NPC Null Pointer Checking https://d3fend.mitre.org/technique/d3f:NullPointerChecking//
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.