CWE-369
AllowedDivide By Zero
Abstraction: Base · Status: Draft
The product divides a value by zero.
577 vulnerabilities reference this CWE, most recent first.
GHSA-W9M2-286P-3583
Vulnerability from github – Published: 2026-05-27 12:31 – Updated: 2026-06-26 21:32In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen".
Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622)
{
"affected": [],
"aliases": [
"CVE-2026-45841"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T11:16:23Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\n\nnf_osf_match_one() computes ctx-\u003ewindow % f-\u003ewss.val in the\nOSF_WSS_MODULO branch with no guard for f-\u003ewss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\n\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f-\u003ewss is per-fingerprint, not per-option, so\nthe check must run regardless of f-\u003eopt_num (including 0). Also\nreject wss.wc \u003e= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\n\nCrash:\n Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n \u003cIRQ\u003e\n nf_osf_match (net/netfilter/nfnetlink_osf.c:220)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n nf_hook_slow (net/netfilter/core.c:622)\n ip_local_deliver (net/ipv4/ip_input.c:265)\n ip_rcv (include/linux/skbuff.h:1162)\n __netif_receive_skb_one_core (net/core/dev.c:6181)\n process_backlog (net/core/dev.c:6642)\n __napi_poll (net/core/dev.c:7710)\n net_rx_action (net/core/dev.c:7945)\n handle_softirqs (kernel/softirq.c:622)",
"id": "GHSA-w9m2-286p-3583",
"modified": "2026-06-26T21:32:05Z",
"published": "2026-05-27T12:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45841"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WCCR-CP5J-5GGC
Vulnerability from github – Published: 2024-10-09 15:32 – Updated: 2024-10-23 18:33In the Linux kernel, the following vulnerability has been resolved:
spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware
If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.
{
"affected": [],
"aliases": [
"CVE-2024-47664"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T15:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware\n\nIf the value of max_speed_hz is 0, it may cause a division by zero\nerror in hisi_calc_effective_speed().\nThe value of max_speed_hz is provided by firmware.\nFirmware is generally considered as a trusted domain. However, as\ndivision by zero errors can cause system failure, for defense measure,\nthe value of max_speed is validated here. So 0 is regarded as invalid\nand an error code is returned.",
"id": "GHSA-wccr-cp5j-5ggc",
"modified": "2024-10-23T18:33:06Z",
"published": "2024-10-09T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47664"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16ccaf581da4fcf1e4d66086cf37263f9a656d43"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5127c42c77de18651aa9e8e0a3ced190103b449c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee73a15d4a8ce8fb02d7866f7cf78fcdd16f0fcc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WG9F-2MRX-WJP7
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11libavformat/movenc.c in FFmpeg 3.2 and 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.
{
"affected": [],
"aliases": [
"CVE-2018-14395"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-19T05:29:00Z",
"severity": "MODERATE"
},
"details": "libavformat/movenc.c in FFmpeg 3.2 and 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.",
"id": "GHSA-wg9f-2mrx-wjp7",
"modified": "2022-05-13T01:11:44Z",
"published": "2022-05-13T01:11:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14395"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/commit/2c0e98a0b478284bdff6d7a4062522605a8beae5"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/commit/fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4258"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WH79-QJRF-XHM7
Vulnerability from github – Published: 2022-06-28 00:00 – Updated: 2022-07-08 00:00When performing the derivation shape operation of the SpaceToBatch operator, if there is a value of 0 in the parameter block_shape element, it will cause a division by 0 exception.
{
"affected": [],
"aliases": [
"CVE-2021-33653"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-27T17:15:00Z",
"severity": "HIGH"
},
"details": "When performing the derivation shape operation of the SpaceToBatch operator, if there is a value of 0 in the parameter block_shape element, it will cause a division by 0 exception.",
"id": "GHSA-wh79-qjrf-xhm7",
"modified": "2022-07-08T00:00:45Z",
"published": "2022-06-28T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33653"
},
{
"type": "WEB",
"url": "https://gitee.com/mindspore/community/blob/master/security/security_advisory_list/mssa-2021-002_en.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHC6-484Q-9856
Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. This issue is different from CVE-2018-11207.
{
"affected": [],
"aliases": [
"CVE-2018-17237"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-20T06:29:00Z",
"severity": "MODERATE"
},
"details": "A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. This issue is different from CVE-2018-11207.",
"id": "GHSA-whc6-484q-9856",
"modified": "2022-05-14T01:57:28Z",
"published": "2022-05-14T01:57:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17237"
},
{
"type": "WEB",
"url": "https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00009.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHP8-XGVP-XJ3V
Vulnerability from github – Published: 2023-01-30 18:30 – Updated: 2023-02-06 21:30Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.
{
"affected": [],
"aliases": [
"CVE-2023-0512"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T16:15:00Z",
"severity": "HIGH"
},
"details": "Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.",
"id": "GHSA-whp8-xgvp-xj3v",
"modified": "2023-02-06T21:30:30Z",
"published": "2023-01-30T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0512"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/870219c58c0804bdc55419b2e455c06ac715a835"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213675"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213677"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Mar/17"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Mar/18"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Mar/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJJM-JX64-48RF
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability in the expr5 function in asm/eval.c via a malformed input file.
{
"affected": [],
"aliases": [
"CVE-2018-10016"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-11T05:29:00Z",
"severity": "MODERATE"
},
"details": "Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability in the expr5 function in asm/eval.c via a malformed input file.",
"id": "GHSA-wjjm-jx64-48rf",
"modified": "2022-05-13T01:25:23Z",
"published": "2022-05-13T01:25:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10016"
},
{
"type": "WEB",
"url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392473"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00015.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPC4-W9PJ-2V9R
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2020-20445"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-25T18:15:00Z",
"severity": "MODERATE"
},
"details": "FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.",
"id": "GHSA-wpc4-w9pj-2v9r",
"modified": "2022-05-24T19:03:11Z",
"published": "2022-05-24T19:03:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20445"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00012.html"
},
{
"type": "WEB",
"url": "https://trac.ffmpeg.org/ticket/7996"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4990"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4998"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WPP4-VQFQ-V4HP
Vulnerability from github – Published: 2025-10-27 23:33 – Updated: 2025-10-27 23:33Summary
A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors.
Vulnerabilities exists in the CLAHEImage() function of ImageMagick’s MagickCore/enhance.c.
- Unsigned integer underflow → out-of-bounds pointer arithmetic (OOB): when
tile_info.height == 0, the expressiontile_info.height - 1(unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion). - Division/modulus by zero: where code performs
... / tile_info.widthor... % tile_info.heightwithout re-checking for zero, causing immediate division-by-zero crashes under sanitizers orabortat runtime.
Both behaviors are triggered by the same invalid tile condition (e.g., CLI exact -clahe 0x0! or automatic tile derivation dim >> 3 == 0 for very small images).
Details
Unsigned underflow(can lea to OOB)
- Location:
MagickCore/enhance.c, around line 609 - Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
-
Vulnerable code
enhance.c: 609
c p += (ptrdiff_t) clahe_info->width * (tile.height - 1); -
Root Cause
- If
tile.height == 0, then(tile.height - 1)underflows toUINT_MAX. - Multiplication with
clahe_info->widthyields a huge value close toSIZE_MAX. - Adding this to
pcauses pointer arithmetic underflow.
- If
Division-by-zero
- File / Location:
MagickCore/enhance.c, around line 669 - Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
-
vulnerable code
enhance.c: 669-673
c if ((image->columns % tile_info.width) != 0) tile_info.x=(ssize_t) (tile_info.width-(image->columns % tile_info.width)); tile_info.y=0; if ((image->rows % tile_info.height) != 0) tile_info.y=(ssize_t) (tile_info.height-(image->rows % tile_info.height)); -
Root cause
Missing input validation / bounds checks after computing default tile dimensions:
If either
tile_info.widthortile_info.heightis 0, this triggers a division by zero. Zeros can reach this point through:- Exact tiles: CLI
clahe 0x0!(the!forces zero to be used verbatim). - Auto tiles on tiny images: When a requested tile is
0(no!), the code derives a default from the image size (e.g.,dim >> 3). For images withdim < 8, this result is 0 unless clamped.
- Exact tiles: CLI
Reproduction
Unsigned underflow
Environment
Built with AddressSanitizer and UndefinedBehaviorSanitizer enabled.
export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0
Command
./magick xc:black -clahe 0x0 null:
Output
MagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage
./magick -size 10x10 xc:black -clahe 0x0 null:
memory region corruption.
./magick -size 2000x2000 xc:black -clahe 0x0 null:
→ Significant memory consumption and evidence of memory region corruption.
./magick -size 4000x4000 xc:black -clahe 0x0 null:
→ Much larger memory usage; process appears to be aggressively consuming cache and address space.
./magick -size 8000x8000 xc:black -clahe 0x0 null:
→ Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.
Division-by-zero
Environment: ASan/UBSan-enabled build.
export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0
Command
./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:
Output
Notes: Without sanitizers, the process may terminate with just Aborted (still DoS).
Impact
- Primary: Denial-of-Service — crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via
clahe 0x0!or by uploading very small images to services using ImageMagick. - Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.
Suggested concrete patch snippets
Apply in CLAHEImage() after tile_info is computed but before any division/modulus/pointer arithmetic:
if (exact_tiles_requested && (tile_info.width == 0 || tile_info.height == 0)) {
ThrowMagickException(exception, GetMagickModule(), OptionError,
"CLAHEInvalidTile", "%lux%lu",
(unsigned long) tile_info.width,
(unsigned long) tile_info.height);
return (Image *) NULL;
}
if (!exact_tiles_requested) {
tile_info.width = (tile_info.width == 0) ? MagickMax((size_t)1, image->columns >> 3) : tile_info.width;
tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image->rows >> 3) : tile_info.height;
}
if (tile_info.width == 0 || tile_info.height == 0) {
ThrowMagickException(exception, GetMagickModule(), OptionError,
"CLAHEInvalidTile", "%lux%lu",
(unsigned long) tile_info.width,
(unsigned long) tile_info.height);
return (Image *) NULL;
}
ssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;
if (tile_h_minus1 < 0) {
ThrowMagickException(exception, GetMagickModule(), OptionError,
"CLAHEInvalidTile", "%lux%lu",
(unsigned long) tile_info.width,
(unsigned long) tile_info.height);
return (Image *) NULL;
}
p += (ptrdiff_t) clahe_info->width * tile_h_minus1;
Notes about exact_tiles_requested: if the CLI/Wand parser already exposes whether ! was present, use it. If not, add a parse-time flag so CLAHEImage can know whether 0 is literal or auto.
Credit
Team Whys
Bug Hunting Master Program, HSpace/Findthegap
Youngmin Kim kunshim@naver.com
Woojin Park
Youngin Won
@amethyst0225 youngin04@korea.ac.kr
Siyeon Han
Shinyoung Won
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62594"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-191",
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-27T23:33:10Z",
"nvd_published_at": "2025-10-27T20:15:54Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA single root cause in the CLAHE implementation \u2014 tile width/height becoming zero \u2014 produces two distinct but related unsafe behaviors.\nVulnerabilities exists in the `CLAHEImage()` function of ImageMagick\u2019s `MagickCore/enhance.c`.\n\n1. Unsigned integer underflow \u2192 out-of-bounds pointer arithmetic (OOB): when `tile_info.height == 0`, the expression `tile_info.height - 1` (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).\n2. **Division/modulus by zero**: where code performs `... / tile_info.width` or `... % tile_info.height` without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or `abort` at runtime.\n\nBoth behaviors are triggered by the same invalid tile condition (e.g., CLI exact `-clahe 0x0!` or automatic tile derivation `dim \u003e\u003e 3 == 0` for very small images). \n\n---\n\n## Details\n\n### **Unsigned underflow(can lea to OOB)**\n\n- Location: `MagickCore/enhance.c`, around line 609\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- Vulnerable code\n \n enhance.c: 609\n \n ```c\n p += (ptrdiff_t) clahe_info-\u003ewidth * (tile.height - 1);\n ```\n \n- Root Cause\n - If `tile.height == 0`, then `(tile.height - 1)` underflows to `UINT_MAX`.\n - Multiplication with `clahe_info-\u003ewidth` yields a huge value close to `SIZE_MAX`.\n - Adding this to `p` causes pointer arithmetic underflow.\n\n### **Division-by-zero**\n\n- File / Location: `MagickCore/enhance.c`, around line 669\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- vulnerable code\n \n enhance.c: 669-673\n \n ```c\n if ((image-\u003ecolumns % tile_info.width) != 0)\n tile_info.x=(ssize_t) (tile_info.width-(image-\u003ecolumns % tile_info.width));\n tile_info.y=0;\n if ((image-\u003erows % tile_info.height) != 0)\n tile_info.y=(ssize_t) (tile_info.height-(image-\u003erows % tile_info.height));\n ```\n \n- Root cause\n \n Missing input validation / bounds checks after computing default tile dimensions:\n \n If either `tile_info.width` or `tile_info.height` is 0, this triggers a division by zero. Zeros can reach this point through:\n \n 1. Exact tiles: CLI `clahe 0x0!` (the `!` forces zero to be used verbatim).\n 2. Auto tiles on tiny images: When a requested tile is `0` (no `!`), the code derives a default from the image size (e.g., `dim \u003e\u003e 3`). For images with `dim \u003c 8`, this result is 0 unless clamped.\n\n---\n\n## Reproduction\n\n### **Unsigned underflow**\n\n**Environment**\n\nBuilt with AddressSanitizer and UndefinedBehaviorSanitizer enabled.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick xc:black -clahe 0x0 null:\n```\n\n**Output**\n\n```\nMagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed\nSUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage\n```\n\n`./magick -size 10x10 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1068\" height=\"64\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9637ee-1d03-4066-834d-fda22410dd8b\" /\u003e\n\nmemory region corruption.\n\n`./magick -size 2000x2000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1069\" height=\"70\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ecbab79c-a3c2-4e8c-96c9-8e2aa8f0d2b2\" /\u003e\n\n\u2192 Significant memory consumption and evidence of memory region corruption.\n\n`./magick -size 4000x4000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"776\" height=\"49\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63a7cec5-616b-4aa5-87f3-a546a87e6625\" /\u003e\n\n\u2192 Much larger memory usage; process appears to be aggressively consuming cache and address space.\n\n`./magick -size 8000x8000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"748\" height=\"46\" alt=\"image\" src=\"https://github.com/user-attachments/assets/48b3aac8-98b3-4fbb-a5ca-4e7936bca44b\" /\u003e\n\n\u2192 Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.\n\n### **Division-by-zero**\n\n**Environment:** ASan/UBSan-enabled build.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:\n```\n\n**Output**\n\n\u003cimg width=\"1915\" height=\"818\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cfe44432-b429-49e4-8673-2ed55ba9a961\" /\u003e\n\n**Notes:** Without sanitizers, the process may terminate with just `Aborted` (still DoS).\n\n---\n\n## Impact\n\n- Primary: Denial-of-Service \u2014 crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via `clahe 0x0!` or by uploading very small images to services using ImageMagick.\n- Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.\n\n---\n\n## Suggested concrete patch snippets\n\nApply in `CLAHEImage()` after `tile_info` is computed but **before** any division/modulus/pointer arithmetic:\n\n```c\nif (exact_tiles_requested \u0026\u0026 (tile_info.width == 0 || tile_info.height == 0)) {\n ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"CLAHEInvalidTile\", \"%lux%lu\",\n (unsigned long) tile_info.width,\n (unsigned long) tile_info.height);\n return (Image *) NULL;\n}\n\nif (!exact_tiles_requested) {\n tile_info.width = (tile_info.width == 0) ? MagickMax((size_t)1, image-\u003ecolumns \u003e\u003e 3) : tile_info.width;\n tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image-\u003erows \u003e\u003e 3) : tile_info.height;\n}\n\nif (tile_info.width == 0 || tile_info.height == 0) {\n ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"CLAHEInvalidTile\", \"%lux%lu\",\n (unsigned long) tile_info.width,\n (unsigned long) tile_info.height);\n return (Image *) NULL;\n}\n\nssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;\nif (tile_h_minus1 \u003c 0) {\n ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"CLAHEInvalidTile\", \"%lux%lu\",\n (unsigned long) tile_info.width,\n (unsigned long) tile_info.height);\n return (Image *) NULL;\n}\np += (ptrdiff_t) clahe_info-\u003ewidth * tile_h_minus1;\n```\n\nNotes about `exact_tiles_requested`: if the CLI/Wand parser already exposes whether `!` was present, use it. If not, add a parse-time flag so CLAHEImage can know whether `0` is literal or auto.\n\n---\n\n## Credit\n\n### Team Whys \n\n**Bug Hunting Master Program, HSpace/Findthegap**\n\n**Youngmin Kim** \nkunshim@naver.com\n\n**Woojin Park**\n\n[@jin-156](https://github.com/jin-156)\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Youngin Won**\n\n[@amethyst0225](https://github.com/amethyst0225)\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n\n[@hanbunny](https://github.com/hanbunny)\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)\n\n**Shinyoung Won**\n\n[@yosiimich](yosimich123@gmail.com)\n[yosimich123@gmail.com](mailto:yosimich123@gmail.com)",
"id": "GHSA-wpp4-vqfq-v4hp",
"modified": "2025-10-27T23:33:10Z",
"published": "2025-10-27T23:33:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62594"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)"
}
GHSA-WPWF-QXPX-V6QH
Vulnerability from github – Published: 2024-11-08 06:30 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()
The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division.
The observed behavior was introduced by commit 826b5de90c0b ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"), and it is difficult to show that any of the interval parameters will satisfy the snd_interval_test() condition with data from the amdtp_rate_table[] table.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
{
"affected": [],
"aliases": [
"CVE-2024-50205"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-08T06:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()\n\nThe step variable is initialized to zero. It is changed in the loop,\nbut if it\u0027s not changed it will remain zero. Add a variable check\nbefore the division.\n\nThe observed behavior was introduced by commit 826b5de90c0b\n(\"ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size\"),\nand it is difficult to show that any of the interval parameters will\nsatisfy the snd_interval_test() condition with data from the\namdtp_rate_table[] table.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"id": "GHSA-wpwf-qxpx-v6qh",
"modified": "2026-05-12T15:30:40Z",
"published": "2024-11-08T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50205"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3452d39c4704aa12504e4190298c721fb01083c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bdc21506f12b2d432b1f2667e5ff4c75eee58e3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e431f85c87bbffd93a9830d5a576586f9855291"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72cafe63b35d06b5cfbaf807e90ae657907858da"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d4eb9e22131ec154e638cbd56629195c9bcbe9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2826873db70a6719cdd9212a6739f3e6234cfc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d575414361630b8b0523912532fcd7c79e43468c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.