CWE-369
AllowedDivide By Zero
Abstraction: Base · Status: Draft
The product divides a value by zero.
577 vulnerabilities reference this CWE, most recent first.
GHSA-4C27-WWV3-V6H2
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2023-05-22 03:30A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2021-20243"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-4c27-wwv3-v6h2",
"modified": "2023-05-22T03:30:15Z",
"published": "2022-05-24T17:43:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20243"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/pull/3193"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928958"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4H39-WWJ7-HQ2M
Vulnerability from github – Published: 2024-07-05 09:33 – Updated: 2024-07-08 18:31In the Linux kernel, the following vulnerability has been resolved:
fbdev: savage: Handle err return when savagefb_check_var failed
The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero") checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn't handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.
{
"affected": [],
"aliases": [
"CVE-2024-39475"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-05T07:15:10Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn\u0027t handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.",
"id": "GHSA-4h39-wwj7-hq2m",
"modified": "2024-07-08T18:31:16Z",
"published": "2024-07-05T09:33:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39475"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HJR-56F9-J54W
Vulnerability from github – Published: 2025-01-21 12:30 – Updated: 2025-09-26 21:30In the Linux kernel, the following vulnerability has been resolved:
gve: guard XDP xmit NDO on existence of xdp queues
In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false.
In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL.
The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete.
{
"affected": [],
"aliases": [
"CVE-2024-57932"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T12:15:26Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XDP xmit NDO on existence of xdp queues\n\nIn GVE, dedicated XDP queues only exist when an XDP program is installed\nand the interface is up. As such, the NDO XDP XMIT callback should\nreturn early if either of these conditions are false.\n\nIn the case of no loaded XDP program, priv-\u003enum_xdp_queues=0 which can\ncause a divide-by-zero error, and in the case of interface down,\nnum_xdp_queues remains untouched to persist XDP queue count for the next\ninterface up, but the TX pointer itself would be NULL.\n\nThe XDP xmit callback also needs to synchronize with a device\ntransitioning from open to close. This synchronization will happen via\nthe GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call,\nwhich waits for any RCU critical sections at call-time to complete.",
"id": "GHSA-4hjr-56f9-j54w",
"modified": "2025-09-26T21:30:27Z",
"published": "2025-01-21T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57932"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35f44eed5828cf1bc7e760d1993ed8549ba41c7b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cbe9eb2c39d09f3c8574febcfa39d8c09d0c7cb5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff7c2dea9dd1a436fc79d6273adffdcc4a7ffea3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4HR6-49G3-G573
Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2023-08-31 18:30Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.
{
"affected": [],
"aliases": [
"CVE-2023-4678"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T16:15:10Z",
"severity": "MODERATE"
},
"details": "Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.",
"id": "GHSA-4hr6-49g3-g573",
"modified": "2023-08-31T18:30:28Z",
"published": "2023-08-31T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4678"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4JM9-V433-WX3F
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2022-10-07 18:15WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.
{
"affected": [],
"aliases": [
"CVE-2019-1010315"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.",
"id": "GHSA-4jm9-v433-wx3f",
"modified": "2022-10-07T18:15:49Z",
"published": "2022-05-24T16:50:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010315"
},
{
"type": "WEB",
"url": "https://github.com/dbry/WavPack/issues/65"
},
{
"type": "WEB",
"url": "https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4062-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4M6C-V88J-QQXH
Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2025-02-27 15:31In the Linux kernel, the following vulnerability has been resolved:
fbdev: savage: Error out if pixclock equals zero
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error.
Although pixclock is checked in savagefb_decode_var(), but it is not checked properly in savagefb_probe(). Fix this by checking whether pixclock is zero in the function savagefb_check_var() before info->var.pixclock is used as the divisor.
This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8.
{
"affected": [],
"aliases": [
"CVE-2024-26778"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T17:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn\u0027t check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo-\u003evar.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.",
"id": "GHSA-4m6c-v88j-qqxh",
"modified": "2025-02-27T15:31:49Z",
"published": "2024-04-03T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26778"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4Q34-PQWJ-3CV6
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-19 15:31In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug in: drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. and then in: drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); we'll get a division-by-zero.
The following log can reveal it:
divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
Fix this by checking the argument of ark_set_pixclock() first.
{
"affected": [],
"aliases": [
"CVE-2022-50102"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()\n\nSince the user can control the arguments of the ioctl() from the user\nspace, under special arguments that may result in a divide-by-zero bug\nin:\n drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info-\u003evar.pixclock) / hmul);\nwith hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0.\nand then in:\n drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par-\u003edac, 0, 1000000000 / pixclock);\nwe\u0027ll get a division-by-zero.\n\nThe following log can reveal it:\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nRIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline]\nRIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784\nCall Trace:\n fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189\n\nFix this by checking the argument of ark_set_pixclock() first.",
"id": "GHSA-4q34-pqwj-3cv6",
"modified": "2025-11-19T15:31:28Z",
"published": "2025-06-18T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50102"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0288fa799e273b08839037499d704dc7bdc13e9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/15661642511b2b192077684a89f42a8d95d54286"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/236c1502520b7b08955467ec2e50b3232e34f1f9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f1c4523f7a3aaabe7e53d3ebd378292947e95c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76b3f0a0b56e53a960a14624a0f48b3d94b5e7e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ebc5031958c1f3a2795e4533b4091d77c738d14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a249e1b89ca25e1c34bdf96154e3f6224a91a9af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9a66f23612b84617e04412169e155a4b92f632d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4R58-H5CF-8QGJ
Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-08 00:30A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2025-15564"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T22:16:01Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod\u003c...\u003e::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-4r58-h5cf-8qgj",
"modified": "2026-02-08T00:30:57Z",
"published": "2026-02-08T00:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15564"
},
{
"type": "WEB",
"url": "https://github.com/mapnik/mapnik/issues/4545"
},
{
"type": "WEB",
"url": "https://github.com/mapnik/mapnik"
},
{
"type": "WEB",
"url": "https://github.com/oneafter/1219/blob/main/repro"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344502"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344502"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.743386"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4RXG-5MF4-8HRC
Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2025-04-20 03:35tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.
{
"affected": [],
"aliases": [
"CVE-2017-7598"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-09T14:59:00Z",
"severity": "HIGH"
},
"details": "tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.",
"id": "GHSA-4rxg-5mf4-8hrc",
"modified": "2025-04-20T03:35:38Z",
"published": "2022-05-14T03:36:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7598"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201709-27"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3602-1"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3844"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97499"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4VF2-4XCG-65CX
Vulnerability from github – Published: 2021-05-21 14:21 – Updated: 2024-10-30 22:08Impact
An attacker can trigger a division by 0 in tf.raw_ops.Conv2D:
import tensorflow as tf
input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
strides = [1, 1, 1, 1]
padding = "SAME"
tf.raw_ops.Conv2D(input=input, filter=filter, strides=strides, padding=padding)
This is because the implementation does a division by a quantity that is controlled by the caller:
const int64 patch_depth = filter.dim_size(2);
if (in_depth % patch_depth != 0) { ... }
Patches
We have patched the issue in GitHub commit b12aa1d44352de21d1a6faaf04172d8c2508b42b.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29526"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T23:14:52Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can trigger a division by 0 in `tf.raw_ops.Conv2D`:\n\n```python\nimport tensorflow as tf\n\ninput = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)\nfilter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)\n\nstrides = [1, 1, 1, 1]\npadding = \"SAME\"\n \ntf.raw_ops.Conv2D(input=input, filter=filter, strides=strides, padding=padding)\n``` \n \nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/988087bd83f144af14087fe4fecee2d250d93737/tensorflow/core/kernels/conv_ops.cc#L261-L263) does a division by a quantity that is controlled by the caller:\n```cc\n const int64 patch_depth = filter.dim_size(2);\n if (in_depth % patch_depth != 0) { ... }\n```\n \n### Patches\nWe have patched the issue in GitHub commit [b12aa1d44352de21d1a6faaf04172d8c2508b42b](https://github.com/tensorflow/tensorflow/commit/b12aa1d44352de21d1a6faaf04172d8c2508b42b).\n \nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution \nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
"id": "GHSA-4vf2-4xcg-65cx",
"modified": "2024-10-30T22:08:50Z",
"published": "2021-05-21T14:21:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4vf2-4xcg-65cx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29526"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/b12aa1d44352de21d1a6faaf04172d8c2508b42b"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-454.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-652.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-163.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Division by 0 in `Conv2D`"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.