Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.
Last updated
Programmers typically catch NullPointerException under three circumstances: The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem. The program explicitly throws a NullPointerException to signal an error condition. The code is part of a test harness that supplies unexpected input to the classes under test. Of these three circumstances, only the last is acceptable.
17 recorded CVEs are caused by CWE-395 (Use of NullPointerException Catch to Detect NULL Pointer Dereference). The highest-severity and most recent are shown first. 1 new CWE-395 CVE has been recorded so far in 2026 (2 in 2025).
Mutiple vulnerabilities in the Viridian interface
Mutiple vulnerabilities in the Viridian interface
Ollama Multi-Modal Model Image Processing NULL Pointer Dereference
Showing 12 of 17 recorded CWE-395 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-395 vulnerabilitiesWhat can happen when CWE-395 is exploited.
DoS: Resource Consumption (CPU)
Affects: Availability
Typically introduced during these phases of the software lifecycle.
Languages
Practical mitigations for CWE-395, grouped by where in the lifecycle they apply.
Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application.
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Illustrative examples from MITRE showing how the weakness appears in code.
The following code mistakenly catches a NullPointerException.
Vulnerable example
try {Common questions about CWE-395.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-395 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.