CWE-476
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
We have discovered 5,656,897 live websites that are affected by CWE-476.
CVEs
- Count - 67
CWE References
Website Distribution by Country
Number of websites using CWE-476 United States | 1,526,006 websites |
 Russia | 727,234 websites |
 France | 440,701 websites |
 Germany | 406,153 websites |
 British Virgin Islands | 283,010 websites |
 China | 188,086 websites |
 Netherlands | 186,824 websites |
 GB | 174,320 websites |
 Italy | 123,871 websites |
 Brazil | 119,879 websites |
Website Distribution by TLD
Number of websites using CWE-476| .com | 2,211,053 websites |
| .ru | 667,758 websites |
| .org | 243,001 websites |
| .net | 195,200 websites |
| .de | 185,749 websites |
| .fr | 160,336 websites |
| .nl | 144,426 websites |
| .com.br | 109,453 websites |
| .it | 106,514 websites |
| .co.uk | 102,963 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-476| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Apr, 2026 | CVE-2026-32894 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result | 9 |
| Apr, 2026 | CVE-2026-28388 | NULL Pointer Dereference When Processing a Delta CRL | 83,576 |
| Apr, 2026 | CVE-2026-28389 | Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo | 83,576 |
| Apr, 2026 | CVE-2026-28390 | Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo | 83,576 |
| Mar, 2026 | CVE-2026-27651 | NGINX ngx_mail_auth_http_module vulnerability | 3,104,928 |
| Jan, 2026 | CVE-2025-15468 | NULL dereference in SSL_CIPHER_find() function on unknown cipher ID | 53,570 |
| Jan, 2026 | CVE-2025-69421 | NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function | 78,528 |
| Dec, 2025 | CVE-2025-14180 | NULL Pointer Dereference in PDO quoting | 1,103,198 |
| Dec, 2025 | CVE-2025-64527 | Envoy crashes when JWT authentication is configured with the remote JWKS fetching | 2 |
| Oct, 2025 | CVE-2025-62409 | Envoy allows large requests and responses to cause TCP connection pool crash | 2 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-476| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Mar, 2026 | CVE-2026-27651 | NGINX ngx_mail_auth_http_module vulnerability | 3,104,928 |
| Jul, 2024 | CVE-2024-38477 | Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request | 1,244,888 |
| Dec, 2025 | CVE-2025-14180 | NULL Pointer Dereference in PDO quoting | 1,103,198 |
| Sep, 2021 | CVE-2021-34798 | NULL pointer dereference in httpd core | 845,815 |
| Jul, 2025 | CVE-2025-6491 | NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix | 569,347 |
| Feb, 2020 | CVE-2020-7062 | Null Pointer Dereference in PHP Session Upload Progress | 289,760 |
| Feb, 2021 | CVE-2021-21702 | Null Dereference in SoapClient | 221,760 |
| Apr, 2026 | CVE-2026-28388 | NULL Pointer Dereference When Processing a Delta CRL | 83,576 |
| Apr, 2026 | CVE-2026-28389 | Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo | 83,576 |
| Apr, 2026 | CVE-2026-28390 | Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo | 83,576 |
Websites affected by CWE-476
Top websites that are affected by CWE-476. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com |  Singapore | *** | |
| ************.org | Singapore | *** | |
| ****************.com | United States | *** | |
| *.me | British Virgin Islands | *** | |
| *****.org | United States | *** | |
| ******.com | British Virgin Islands | *** | |
| ****.*********.com | British Virgin Islands | *** | |
| *******.com | United States | *** | |
| ******.de | Germany | *** | |
| *******.org | United States | *** |