Common Weakness Enumeration

CWE-369

Allowed

Divide By Zero

Abstraction: Base · Status: Draft

The product divides a value by zero.

577 vulnerabilities reference this CWE, most recent first.

GHSA-9MHR-6WXF-G8F3

Vulnerability from github – Published: 2022-05-17 01:17 – Updated: 2025-04-12 13:03
VLAI
Details

epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-06T23:59:00Z",
    "severity": "MODERATE"
  },
  "details": "epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet.",
  "id": "GHSA-9mhr-6wxf-g8f3",
  "modified": "2025-04-12T13:03:15Z",
  "published": "2022-05-17T01:17:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6505"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12577"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=94e97e45cf614c7bb8fe90c23df52910246b2c95"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94e97e45cf614c7bb8fe90c23df52910246b2c95"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40197"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2016/07/28/3"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3648"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92163"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036480"
    },
    {
      "type": "WEB",
      "url": "http://www.wireshark.org/security/wnpa-sec-2016-41.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MWP-3938-CJ9R

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

video: fbdev: i740fb: Check the argument of i740_calc_vclk()

Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug.

If the user provides an improper 'pixclock' value that makes the argumet of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a divide-by-zero bug in: drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX)));

The following log can reveal it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline] RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline] RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Fix this by checking the argument of i740_calc_vclk() first.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: i740fb: Check the argument of i740_calc_vclk()\n\nSince the user can control the arguments of the ioctl() from the user\nspace, under special arguments that may result in a divide-by-zero bug.\n\nIf the user provides an improper \u0027pixclock\u0027 value that makes the argumet\nof i740_calc_vclk() less than \u0027I740_RFREQ_FIX\u0027, it will cause a\ndivide-by-zero bug in:\n    drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX)));\n\nThe following log can reveal it:\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nRIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline]\nRIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline]\nRIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742\nCall Trace:\n fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189\n\nFix this by checking the argument of i740_calc_vclk() first.",
  "id": "GHSA-9mwp-3938-cj9r",
  "modified": "2025-11-14T18:31:25Z",
  "published": "2025-06-18T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50010"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b7f559152a33c55f51b569b22efbe5e24886798"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/40bf722f8064f50200b8c4f8946cd625b441dda9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b20c61365140d432dee7da7aa294215e7b900d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59cefb583c984c0da8cf21a4c57d26d5a20dff5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/656689cb03ada4650016c153346939a1c334b1ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d2d375eb68b4b8de6ea7460483a26fa9de56b443"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e740e787f06671455b59d1e498c9945f7b4e7b3b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f350812e2d15278f1d867eeb997407782234fb3c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q2X-2Q4W-WFFW

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2023-01-21 03:30
VLAI
Details

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-30T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.",
  "id": "GHSA-9q2x-2q4w-wffw",
  "modified": "2023-01-21T03:30:28Z",
  "published": "2022-07-01T00:01:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2056"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2056.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/libtiff/libtiff/-/issues/415"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/346"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4TSS7MJ7OO7JO5BNKCRYSFU7UAYOKLA2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXUMJXVEAYFWRO3U3YHKSULHIVDOLEQS"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220826-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5333"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q64-VQCR-HW99

Vulnerability from github – Published: 2022-05-01 18:11 – Updated: 2024-02-02 03:30
VLAI
Details

The TFTP implementation in IBM Tivoli Provisioning Manager for OS Deployment 5.1 before Fix Pack 3 allows remote attackers to cause a denial of service (rembo.exe crash and multiple service outage) via a read (RRQ) request with an invalid blksize (blocksize), which triggers a divide-by-zero error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-3268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-07-18T23:30:00Z",
    "severity": "MODERATE"
  },
  "details": "The TFTP implementation in IBM Tivoli Provisioning Manager for OS Deployment 5.1 before Fix Pack 3 allows remote attackers to cause a denial of service (rembo.exe crash and multiple service outage) via a read (RRQ) request with an invalid blksize (blocksize), which triggers a divide-by-zero error.",
  "id": "GHSA-9q64-vqcr-hw99",
  "modified": "2024-02-02T03:30:31Z",
  "published": "2022-05-01T18:11:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3268"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35468"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=560"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26093"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1018401"
    },
    {
      "type": "WEB",
      "url": "http://www-1.ibm.com/support/docview.wss?uid=swg24016347"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/24942"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/2560"
    },
    {
      "type": "WEB",
      "url": "http://www3.software.ibm.com/ibmdl/pub/software/tivoli_support/patches/patches_5.1.0/5.1.0-TIV-TPMOSD-FP0003/5.1.0-TIV-TPMOSD-FP0003.README.HTM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R4H-7XV2-84WF

Vulnerability from github – Published: 2023-08-07 15:30 – Updated: 2025-02-13 18:31
VLAI
Details

Divide By Zero in vim/vim from 9.0.1367-1 to 9.0.1367-3

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-07T13:15:12Z",
    "severity": "HIGH"
  },
  "details": "Divide By Zero in vim/vim from\u00a09.0.1367-1 to\u00a09.0.1367-3",
  "id": "GHSA-9r4h-7xv2-84wf",
  "modified": "2025-02-13T18:31:45Z",
  "published": "2023-08-07T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/issues/12528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/pull/12540"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230831-0012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RXJ-WRX5-6463

Vulnerability from github – Published: 2026-01-28 21:31 – Updated: 2026-01-30 00:31
VLAI
Details

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T21:16:09Z",
    "severity": "MODERATE"
  },
  "details": "A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.",
  "id": "GHSA-9rxj-wrx5-6463",
  "modified": "2026-01-30T00:31:22Z",
  "published": "2026-01-28T21:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71006"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Oneflow-Inc/oneflow/issues/10653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Daisy2ang"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9V75-P4CG-F8C9

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-03-12 00:30
VLAI
Details

In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it's possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability. The patch uses the PerceptibleReciprocal() to prevent the divide-by-zero from occurring. This flaw affects ImageMagick versions prior to ImageMagick 7.0.8-68.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-03T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In `GammaImage()` of /MagickCore/enhance.c, depending on the `gamma` value, it\u0027s possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability. The patch uses the `PerceptibleReciprocal()` to prevent the divide-by-zero from occurring. This flaw affects ImageMagick versions prior to ImageMagick 7.0.8-68.",
  "id": "GHSA-9v75-p4cg-f8c9",
  "modified": "2023-03-12T00:30:16Z",
  "published": "2022-05-24T17:35:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27760"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1894239"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VPM-RCF4-9WQW

Vulnerability from github – Published: 2021-05-21 14:26 – Updated: 2024-11-01 17:09
VLAI
Summary
Division by 0 in `MaxPoolGradWithArgmax`
Details

Impact

The implementation of tf.raw_ops.MaxPoolGradWithArgmax is vulnerable to a division by 0:

import tensorflow as tf

input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
grad = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
argmax = tf.constant([], shape=[0], dtype=tf.int64)
ksize = [1, 1, 1, 1]
strides = [1, 1, 1, 1]

tf.raw_ops.MaxPoolGradWithArgmax(
  input=input, grad=grad, argmax=argmax, ksize=ksize, strides=strides,
  padding='SAME', include_batch_in_index=False)

The implementation fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity.

Patches

We have patched the issue in GitHub commit 376c352a37ce5a68b721406dc7e77ac4b6cf483d.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T18:38:17Z",
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a division by 0:\n\n```python\nimport tensorflow as tf\n\ninput = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)\ngrad = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)\nargmax = tf.constant([], shape=[0], dtype=tf.int64)\nksize = [1, 1, 1, 1]\nstrides = [1, 1, 1, 1]\n\ntf.raw_ops.MaxPoolGradWithArgmax(\n  input=input, grad=grad, argmax=argmax, ksize=ksize, strides=strides,\n  padding=\u0027SAME\u0027, include_batch_in_index=False)\n```\n  \nThe [implementation](https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2827621b7edb56a730233bd8/tensorflow/core/kernels/maxpooling_op.cc#L1033-L1034) fails to validate that the batch dimension of the tensor is non-zero, before dividing by this quantity.\n\n### Patches\nWe have patched the issue in GitHub commit [376c352a37ce5a68b721406dc7e77ac4b6cf483d](https://github.com/tensorflow/tensorflow/commit/376c352a37ce5a68b721406dc7e77ac4b6cf483d).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
  "id": "GHSA-9vpm-rcf4-9wqw",
  "modified": "2024-11-01T17:09:55Z",
  "published": "2021-05-21T14:26:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9vpm-rcf4-9wqw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29573"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/376c352a37ce5a68b721406dc7e77ac4b6cf483d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-501.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-699.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-210.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Division by 0 in `MaxPoolGradWithArgmax`"
}

GHSA-C52R-MJQP-7W2R

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-15 21:31
VLAI
Details

Divide by zero for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T17:16:19Z",
    "severity": "MODERATE"
  },
  "details": "Divide by zero for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
  "id": "GHSA-c52r-mjqp-7w2r",
  "modified": "2026-05-15T21:31:31Z",
  "published": "2026-05-12T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20881"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01387.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C589-8XVR-7CM3

Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-05-29 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: rivafb: fix divide error in nv3_arb()

A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first.

In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel.

Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division.

The following log reveals it:

rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-18T18:16:25Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: rivafb: fix divide error in nv3_arb()\n\nA userspace program can trigger the RIVA NV3 arbitration code by calling\nthe FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver\nrecomputes FIFO arbitration parameters in nv3_arb(), using state-\u003emclk_khz\n(derived from the PRAMDAC MCLK PLL) as a divisor without validating it\nfirst.\n\nIn a normal setup, state-\u003emclk_khz is provided by the real hardware and is\nnon-zero. However, an attacker can construct a malicious or misconfigured\ndevice (e.g. a crafted/emulated PCI device) that exposes a bogus PLL\nconfiguration, causing state-\u003emclk_khz to become zero.  Once\nnv3_get_param() calls nv3_arb(), the division by state-\u003emclk_khz in the gns\ncalculation causes a divide error and crashes the kernel.\n\nFix this by checking whether state-\u003emclk_khz is zero and bailing out before\ndoing the division.\n\nThe following log reveals it:\n\nrivafb: setting virtual Y resolution to 2184\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]\nRIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546\nCall Trace:\n  nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603\n  nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]\n  CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246\n  riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779\n  rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196\n  fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033\n  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109\n  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188\n  __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856",
  "id": "GHSA-c589-8xvr-7cm3",
  "modified": "2026-05-29T21:31:16Z",
  "published": "2026-03-18T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23266"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.