CWE Glossary

CWE is a trademark of the MITRE Corporation.

NULL Pointer Dereference [CWE-476]

NULL Pointer Dereference weakness occurs where software dereferences a pointer with a value of NULL instead of a valid address.

Created: September 11, 2012
Latest Update: December 28, 2020

Table of Contents

  1. Description
  2. Potential impact
  3. Affected software
  4. Severity and CVSS Scoring
  5. Mitigations
  6. References
  7. Latest Related Security Advisories

Want to have an in-depth understanding of all modern aspects of NULL Pointer Dereference [CWE-476]? Read this article carefully and bookmark it to come back to later; we regularly update this page.

1. Description

NULL pointer dereference errors are common in C/C++. A pointer is a programming language data type that references a location in memory. Obtaining the value stored at that location through the pointer is called dereferencing the pointer. The NULL pointer dereference weakness occurs where an application dereferences a pointer that is expected to hold a valid address but is instead equal to NULL. The following C++ example causes a NULL pointer dereference error:

    // NULL Pointer Dereference [CWE-476] vulnerable code example
    // (c) HTB Research
    #include <stdio.h>
    #include <tchar.h>

    int *ptr = NULL;            // never pointed at valid memory

    int _tmain(int argc, _TCHAR* argv[])
    {
            *ptr = 17;          // write through a NULL pointer: the process crashes here
            return 0;
    }

Once executed, the application will throw an exception with code c0000005, as shown below:

Figure: Crash of application, NULL Pointer Dereference [CWE-476] example

The following C++ code demonstrates a NULL pointer dereference error within the getaddrinfo() function when argv[2] is empty:

    // NULL Pointer Dereference [CWE-476] vulnerable code example
    // (c) HTB Research
    #undef UNICODE
    #include "StdAfx.h"
    #include <winsock2.h>
    #include <ws2tcpip.h>
    #include <stdio.h>
    #pragma comment (lib, "Ws2_32.lib")

    int __cdecl main(int argc, char **argv)
    {
            WSADATA wsaData;
            int iResult;
            INT iRetval;

            DWORD dwRetval;
            int i = 1;
            struct addrinfo *result = NULL;
            struct addrinfo *ptr = NULL;
            struct addrinfo hints;

            // Flawed check (the bug under discussion): argv[2] and argv[3]
            // are used below, but this only guarantees that argv[1] exists.
            if(argc<2){
                    printf("usage: %s <proto> <hostname> <servicename>\n", argv[0]);
                    return 1;
            }

            // Initialize Winsock 2.2
            iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
            if (iResult != 0) {
                    printf("WSAStartup failed: %d\n", iResult);
                    return 1;
            }
            ZeroMemory( &hints, sizeof(hints) );
            hints.ai_family = AF_UNSPEC;
            hints.ai_socktype = SOCK_STREAM;
            hints.ai_protocol = IPPROTO_TCP;
            // argv[2] is NULL when only <proto> was supplied
            dwRetval = getaddrinfo(argv[2], argv[3], &hints, &result);

            if ( dwRetval != 0 ) {
                    printf("getaddrinfo failed with error: %lu\n", dwRetval);
                    WSACleanup();
                    return 1;
            }
            printf("getaddrinfo returned success\n");
            // Release the result list and Winsock on the success path as well
            freeaddrinfo(result);
            WSACleanup();
            return 0;
    }

The above code contains a logic error when checking against the number of input parameters in the if(argc<2) statement. As a result, NULL is passed as the first argument of the getaddrinfo() function instead of a valid address.

A number of flaws can cause NULL pointer dereference issues, including race conditions and programming omissions such as the one demonstrated above.

2. Potential impact

In most cases, NULL pointer dereference errors result in a crash of the application; however, code execution is possible under certain circumstances. Depending on the privileges of the application, this weakness can result in a denial of service attack against the entire system or can be used to gain complete control over it.

3. Affected software

Software written in C/C++, Assembly or any other language that makes use of pointers is potentially vulnerable to this type of weakness.

4. Severity and CVSS Scoring

Since NULL pointer dereference errors mostly result in an application crash, they are usually scored with availability impact only. A common CVSS score for a locally exploitable vulnerability in a client application would look like this:
2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) – Low severity.

If a high-privileged application, such as a driver or critical system service, contains a NULL pointer dereference error, it should be scored with complete availability impact, since a crash of such an application may render the system inaccessible:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) – Medium severity.

In cases of remote code execution, it is usually scored with a medium or high access complexity metric:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - Critical severity.

We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore, they may sometimes differ from those recommended by FIRST.

5. Mitigations

NULL pointer dereference issues frequently result from rarely encountered error conditions and are most likely to escape detection during testing. The best way to avoid this weakness is to follow programming best practices:

  • Perform sanity checks on all pointers that can be modified,
  • Check the return value of functions to verify that it is not NULL before using it,
  • Perform input validation on variables and data stores that may receive input from an external source,
  • Explicitly initialize variables during declaration or before the first usage,
  • Ensure that proper locking APIs are used to lock before the "if" statement and unlock after it when working in a multi-threaded or otherwise asynchronous environment.

The following example demonstrates proper validation of a pointer before freeing it:

    if (pointer1 != NULL) {
            free(pointer1);
            pointer1 = NULL;    // reset so the stale address cannot be reused
    }
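
The first four practices applied to the command line of the getaddrinfo() program from the Description, as an added example that is not part of the original article. The names `struct target`, `target_from_args`, `target_free` and the `TARGET_*` codes are hypothetical; the validated copies are what would then be handed to getaddrinfo().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { TARGET_OK, TARGET_USAGE, TARGET_NOMEM };   /* hypothetical codes */
struct target { char *field[3]; };  /* proto, hostname, servicename */

/* Free and reset every field, so a repeated call is harmless. */
void target_free(struct target *t)
{
    for (int i = 0; t != NULL && i < 3; i++) {
        free(t->field[i]);               /* free(NULL) is a no-op */
        t->field[i] = NULL;
    }
}

/* Validate and copy argv[1..3] before anything is dereferenced. */
int target_from_args(int argc, char **argv, struct target *out)
{
    if (out == NULL)
        return TARGET_USAGE;
    *out = (struct target){{NULL}};      /* explicit initialization */
    if (argv == NULL || argc < 4)        /* argv[3] is read: 4 entries */
        return TARGET_USAGE;
    for (int i = 0; i < 3; i++) {
        if (argv[i + 1] == NULL || argv[i + 1][0] == '\0') {
            target_free(out);
            return TARGET_USAGE;
        }
        size_t n = strlen(argv[i + 1]) + 1;
        out->field[i] = malloc(n);
        if (out->field[i] == NULL) {     /* check the return value */
            target_free(out);            /* no half-built result escapes */
            return TARGET_NOMEM;
        }
        memcpy(out->field[i], argv[i + 1], n);
    }
    return TARGET_OK;
}

int main(int argc, char **argv)
{
    struct target t;
    int rc = target_from_args(argc, argv, &t);
    if (rc == TARGET_OK)
        printf("host=%s service=%s\n", t.field[1], t.field[2]);
    else
        fprintf(stderr, "usage: <proto> <hostname> <servicename>\n");
    target_free(&t);
    return rc;
}
```

With only `<proto>` supplied, the case that passed the original `argc<2` check, the function returns `TARGET_USAGE` and no element past argv[1] is read.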

6. References

  1. CWE-476: NULL Pointer Dereference
  2. Null-pointer dereference

7. NULL Pointer Dereference Vulnerabilities, Exploits and Examples

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
