...
Returning NULL rather than a zero-length array can lead to vulnerabilities when the client code does not handle NULL properly. This can result in abnormal program termination when the calling function performs operations on NULL.
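The contrast in C, as an added example that is not part of the original guideline text: the function names, the stock-level data and the "low stock" scenario are hypothetical. The first function signals an empty result with NULL; the second always returns a valid array and reserves NULL for allocation failure, so a caller's loop over `count` elements needs no special case.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample data: stock level per item index. */
static const int sample_stock[] = { 12, 0, 7, 0, 3 };
#define SAMPLE_N (sizeof sample_stock / sizeof sample_stock[0])

/* Risky pattern: "no matches" and "allocation failed" both come back as
 * NULL, so a caller that indexes the result without checking crashes. */
int *low_stock_or_null(const int *stock, size_t n, int min, size_t *count)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (stock[i] < min) k++;
    *count = k;
    if (k == 0)
        return NULL;                      /* empty result signalled as NULL */
    int *ids = calloc(k, sizeof *ids);
    if (ids == NULL)
        return NULL;
    for (size_t i = 0, j = 0; i < n; i++)
        if (stock[i] < min) ids[j++] = (int)i;
    return ids;
}

/* Preferred pattern: always return a valid array; NULL means only
 * allocation failure. One slot minimum because a zero-size allocation
 * request may itself return NULL. */
int *low_stock(const int *stock, size_t n, int min, size_t *count)
{
    int *ids = calloc(n ? n : 1, sizeof *ids);
    *count = 0;
    if (ids == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (stock[i] < min) ids[(*count)++] = (int)i;
    return ids;
}

int main(void)
{
    size_t count;
    int *ids = low_stock(sample_stock, SAMPLE_N, 0, &count); /* nothing is below 0 */
    if (ids == NULL) return EXIT_FAILURE;   /* genuine error only */
    for (size_t i = 0; i < count; i++)      /* loop body never runs */
        printf("item %d is low\n", ids[i]);
    free(ids);
    return EXIT_SUCCESS;
}
```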
...
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
Java: The CERT Oracle Secure Coding Standard for Java, MET10-J. For methods that return an array or collection prefer returning an empty array or collection over a null value
...