I'm still learning so much about this. It was 100% kernel code, so I was wrong here and why this was a much bigger issue. The flaw was a named pipe execution. And well makes sense to be using "real" addresses in this context.

It is a logic error NOT a null deref!