Common Weakness Enumeration

CWE-369

Allowed

Divide By Zero

Abstraction: Base · Status: Draft

The product divides a value by zero.

577 vulnerabilities reference this CWE, most recent first.

GHSA-W9M2-286P-3583

Vulnerability from github – Published: 2026-05-27 12:31 – Updated: 2026-06-26 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.

Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen".

Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T11:16:23Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO\n\nnf_osf_match_one() computes ctx-\u003ewindow % f-\u003ewss.val in the\nOSF_WSS_MODULO branch with no guard for f-\u003ewss.val == 0. A\nCAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a\nsubsequent matching TCP SYN divides by zero and panics the kernel.\n\nReject the bogus fingerprint in nfnl_osf_add_callback() above the\nper-option for-loop. f-\u003ewss is per-fingerprint, not per-option, so\nthe check must run regardless of f-\u003eopt_num (including 0). Also\nreject wss.wc \u003e= OSF_WSS_MAX; nf_osf_match_one() already treats that\nas \"should not happen\".\n\nCrash:\n Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n \u003cIRQ\u003e\n  nf_osf_match (net/netfilter/nfnetlink_osf.c:220)\n  xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n  ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n  nf_hook_slow (net/netfilter/core.c:622)\n  ip_local_deliver (net/ipv4/ip_input.c:265)\n  ip_rcv (include/linux/skbuff.h:1162)\n  __netif_receive_skb_one_core (net/core/dev.c:6181)\n  process_backlog (net/core/dev.c:6642)\n  __napi_poll (net/core/dev.c:7710)\n  net_rx_action (net/core/dev.c:7945)\n  handle_softirqs (kernel/softirq.c:622)",
  "id": "GHSA-w9m2-286p-3583",
  "modified": "2026-06-26T21:32:05Z",
  "published": "2026-05-27T12:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45841"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0694618cf3e9b120666e31f5f383a6e466d95a0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26900306a5a2c3e4f75c643a064525526bb6e5f3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb833bbc1b3c51e08652d3c86298307c07d3f2db"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCCR-CP5J-5GGC

Vulnerability from github – Published: 2024-10-09 15:32 – Updated: 2024-10-23 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware

If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-09T15:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware\n\nIf the value of max_speed_hz is 0, it may cause a division by zero\nerror in hisi_calc_effective_speed().\nThe value of max_speed_hz is provided by firmware.\nFirmware is generally considered as a trusted domain. However, as\ndivision by zero errors can cause system failure, for defense measure,\nthe value of max_speed is validated here. So 0 is regarded as invalid\nand an error code is returned.",
  "id": "GHSA-wccr-cp5j-5ggc",
  "modified": "2024-10-23T18:33:06Z",
  "published": "2024-10-09T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47664"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16ccaf581da4fcf1e4d66086cf37263f9a656d43"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5127c42c77de18651aa9e8e0a3ced190103b449c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee73a15d4a8ce8fb02d7866f7cf78fcdd16f0fcc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG9F-2MRX-WJP7

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI
Details

libavformat/movenc.c in FFmpeg 3.2 and 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-19T05:29:00Z",
    "severity": "MODERATE"
  },
  "details": "libavformat/movenc.c in FFmpeg 3.2 and 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format.",
  "id": "GHSA-wg9f-2mrx-wjp7",
  "modified": "2022-05-13T01:11:44Z",
  "published": "2022-05-13T01:11:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/2c0e98a0b478284bdff6d7a4062522605a8beae5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4258"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041394"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WH79-QJRF-XHM7

Vulnerability from github – Published: 2022-06-28 00:00 – Updated: 2022-07-08 00:00
VLAI
Details

When performing the derivation shape operation of the SpaceToBatch operator, if there is a value of 0 in the parameter block_shape element, it will cause a division by 0 exception.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-27T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "When performing the derivation shape operation of the SpaceToBatch operator, if there is a value of 0 in the parameter block_shape element, it will cause a division by 0 exception.",
  "id": "GHSA-wh79-qjrf-xhm7",
  "modified": "2022-07-08T00:00:45Z",
  "published": "2022-06-28T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33653"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/mindspore/community/blob/master/security/security_advisory_list/mssa-2021-002_en.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHC6-484Q-9856

Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57
VLAI
Details

A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. This issue is different from CVE-2018-11207.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-20T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. This issue is different from CVE-2018-11207.",
  "id": "GHSA-whc6-484q-9856",
  "modified": "2022-05-14T01:57:28Z",
  "published": "2022-05-14T01:57:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHP8-XGVP-XJ3V

Vulnerability from github – Published: 2023-01-30 18:30 – Updated: 2023-02-06 21:30
VLAI
Details

Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.",
  "id": "GHSA-whp8-xgvp-xj3v",
  "modified": "2023-02-06T21:30:30Z",
  "published": "2023-01-30T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0512"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/870219c58c0804bdc55419b2e455c06ac715a835"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/de83736a-1936-4872-830b-f1e9b0ad2a74"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213670"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213675"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213677"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Mar/17"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Mar/18"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Mar/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJJM-JX64-48RF

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability in the expr5 function in asm/eval.c via a malformed input file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-11T05:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability in the expr5 function in asm/eval.c via a malformed input file.",
  "id": "GHSA-wjjm-jx64-48rf",
  "modified": "2022-05-13T01:25:23Z",
  "published": "2022-05-13T01:25:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10016"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392473"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPC4-W9PJ-2V9R

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-20445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-25T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.",
  "id": "GHSA-wpc4-w9pj-2v9r",
  "modified": "2022-05-24T19:03:11Z",
  "published": "2022-05-24T19:03:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20445"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://trac.ffmpeg.org/ticket/7996"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4990"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4998"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WPP4-VQFQ-V4HP

Vulnerability from github – Published: 2025-10-27 23:33 – Updated: 2025-10-27 23:33
VLAI
Summary
ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
Details

Summary

A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors. Vulnerabilities exists in the CLAHEImage() function of ImageMagick’s MagickCore/enhance.c.

  1. Unsigned integer underflow → out-of-bounds pointer arithmetic (OOB): when tile_info.height == 0, the expression tile_info.height - 1 (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).
  2. Division/modulus by zero: where code performs ... / tile_info.width or ... % tile_info.height without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or abort at runtime.

Both behaviors are triggered by the same invalid tile condition (e.g., CLI exact -clahe 0x0! or automatic tile derivation dim >> 3 == 0 for very small images).


Details

Unsigned underflow(can lea to OOB)

  • Location: MagickCore/enhance.c, around line 609
  • Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
  • Vulnerable code

    enhance.c: 609

    c p += (ptrdiff_t) clahe_info->width * (tile.height - 1);

  • Root Cause

    • If tile.height == 0, then (tile.height - 1) underflows to UINT_MAX.
    • Multiplication with clahe_info->width yields a huge value close to SIZE_MAX.
    • Adding this to p causes pointer arithmetic underflow.

Division-by-zero

  • File / Location: MagickCore/enhance.c, around line 669
  • Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
  • vulnerable code

    enhance.c: 669-673

    c if ((image->columns % tile_info.width) != 0) tile_info.x=(ssize_t) (tile_info.width-(image->columns % tile_info.width)); tile_info.y=0; if ((image->rows % tile_info.height) != 0) tile_info.y=(ssize_t) (tile_info.height-(image->rows % tile_info.height));

  • Root cause

    Missing input validation / bounds checks after computing default tile dimensions:

    If either tile_info.width or tile_info.height is 0, this triggers a division by zero. Zeros can reach this point through:

    1. Exact tiles: CLI clahe 0x0! (the ! forces zero to be used verbatim).
    2. Auto tiles on tiny images: When a requested tile is 0 (no !), the code derives a default from the image size (e.g., dim >> 3). For images with dim < 8, this result is 0 unless clamped.

Reproduction

Unsigned underflow

Environment

Built with AddressSanitizer and UndefinedBehaviorSanitizer enabled.

export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0

Command

./magick xc:black -clahe 0x0 null:

Output

MagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage

./magick -size 10x10 xc:black -clahe 0x0 null:

image

memory region corruption.

./magick -size 2000x2000 xc:black -clahe 0x0 null:

image

→ Significant memory consumption and evidence of memory region corruption.

./magick -size 4000x4000 xc:black -clahe 0x0 null:

image

→ Much larger memory usage; process appears to be aggressively consuming cache and address space.

./magick -size 8000x8000 xc:black -clahe 0x0 null:

image

→ Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.

Division-by-zero

Environment: ASan/UBSan-enabled build.

export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0

Command

./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:

Output

image

Notes: Without sanitizers, the process may terminate with just Aborted (still DoS).


Impact

  • Primary: Denial-of-Service — crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via clahe 0x0! or by uploading very small images to services using ImageMagick.
  • Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.

Suggested concrete patch snippets

Apply in CLAHEImage() after tile_info is computed but before any division/modulus/pointer arithmetic:

if (exact_tiles_requested && (tile_info.width == 0 || tile_info.height == 0)) {
  ThrowMagickException(exception, GetMagickModule(), OptionError,
                       "CLAHEInvalidTile", "%lux%lu",
                       (unsigned long) tile_info.width,
                       (unsigned long) tile_info.height);
  return (Image *) NULL;
}

if (!exact_tiles_requested) {
  tile_info.width  = (tile_info.width  == 0) ? MagickMax((size_t)1, image->columns >> 3) : tile_info.width;
  tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image->rows    >> 3) : tile_info.height;
}

if (tile_info.width == 0 || tile_info.height == 0) {
  ThrowMagickException(exception, GetMagickModule(), OptionError,
                       "CLAHEInvalidTile", "%lux%lu",
                       (unsigned long) tile_info.width,
                       (unsigned long) tile_info.height);
  return (Image *) NULL;
}

ssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;
if (tile_h_minus1 < 0) {
  ThrowMagickException(exception, GetMagickModule(), OptionError,
                       "CLAHEInvalidTile", "%lux%lu",
                       (unsigned long) tile_info.width,
                       (unsigned long) tile_info.height);
  return (Image *) NULL;
}
p += (ptrdiff_t) clahe_info->width * tile_h_minus1;

Notes about exact_tiles_requested: if the CLI/Wand parser already exposes whether ! was present, use it. If not, add a parse-time flag so CLAHEImage can know whether 0 is literal or auto.


Credit

Team Whys

Bug Hunting Master Program, HSpace/Findthegap

Youngmin Kim kunshim@naver.com

Woojin Park

@jin-156 1203kids@gmail.com

Youngin Won

@amethyst0225 youngin04@korea.ac.kr

Siyeon Han

@hanbunny kokosyeon@gmail.com

Shinyoung Won

@yosiimich yosimich123@gmail.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-191",
      "CWE-369"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-27T23:33:10Z",
    "nvd_published_at": "2025-10-27T20:15:54Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA single root cause in the CLAHE implementation \u2014 tile width/height becoming zero \u2014 produces two distinct but related unsafe behaviors.\nVulnerabilities exists in the `CLAHEImage()` function of ImageMagick\u2019s `MagickCore/enhance.c`.\n\n1. Unsigned integer underflow \u2192 out-of-bounds pointer arithmetic (OOB): when `tile_info.height == 0`, the expression `tile_info.height - 1` (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).\n2. **Division/modulus by zero**: where code performs `... / tile_info.width` or `... % tile_info.height` without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or `abort` at runtime.\n\nBoth behaviors are triggered by the same invalid tile condition (e.g., CLI exact `-clahe 0x0!` or automatic tile derivation `dim \u003e\u003e 3 == 0` for very small images). \n\n---\n\n## Details\n\n### **Unsigned underflow(can lea to OOB)**\n\n- Location: `MagickCore/enhance.c`, around line 609\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- Vulnerable code\n    \n    enhance.c: 609\n    \n    ```c\n    p += (ptrdiff_t) clahe_info-\u003ewidth * (tile.height - 1);\n    ```\n    \n- Root Cause\n    - If `tile.height == 0`, then `(tile.height - 1)` underflows to `UINT_MAX`.\n    - Multiplication with `clahe_info-\u003ewidth` yields a huge value close to `SIZE_MAX`.\n    - Adding this to `p` causes pointer arithmetic underflow.\n\n### **Division-by-zero**\n\n- File / Location: `MagickCore/enhance.c`, around line 669\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- vulnerable code\n    \n    enhance.c: 669-673\n    \n    ```c\n     if ((image-\u003ecolumns % tile_info.width) != 0)\n        tile_info.x=(ssize_t) (tile_info.width-(image-\u003ecolumns % tile_info.width));\n      tile_info.y=0;\n      if ((image-\u003erows % tile_info.height) != 0)\n        tile_info.y=(ssize_t) (tile_info.height-(image-\u003erows % tile_info.height));\n    ```\n    \n- Root cause\n    \n    Missing input validation / bounds checks after computing default tile dimensions:\n    \n    If either `tile_info.width` or `tile_info.height` is 0, this triggers a division by zero. Zeros can reach this point through:\n    \n    1. Exact tiles: CLI `clahe 0x0!` (the `!` forces zero to be used verbatim).\n    2. Auto tiles on tiny images: When a requested tile is `0` (no `!`), the code derives a default from the image size (e.g., `dim \u003e\u003e 3`). For images with `dim \u003c 8`, this result is 0 unless clamped.\n\n---\n\n## Reproduction\n\n### **Unsigned underflow**\n\n**Environment**\n\nBuilt with AddressSanitizer and UndefinedBehaviorSanitizer enabled.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick xc:black -clahe 0x0 null:\n```\n\n**Output**\n\n```\nMagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed\nSUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage\n```\n\n`./magick -size 10x10 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1068\" height=\"64\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9637ee-1d03-4066-834d-fda22410dd8b\" /\u003e\n\nmemory region corruption.\n\n`./magick -size 2000x2000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1069\" height=\"70\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ecbab79c-a3c2-4e8c-96c9-8e2aa8f0d2b2\" /\u003e\n\n\u2192 Significant memory consumption and evidence of memory region corruption.\n\n`./magick -size 4000x4000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"776\" height=\"49\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63a7cec5-616b-4aa5-87f3-a546a87e6625\" /\u003e\n\n\u2192 Much larger memory usage; process appears to be aggressively consuming cache and address space.\n\n`./magick -size 8000x8000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"748\" height=\"46\" alt=\"image\" src=\"https://github.com/user-attachments/assets/48b3aac8-98b3-4fbb-a5ca-4e7936bca44b\" /\u003e\n\n\u2192 Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.\n\n### **Division-by-zero**\n\n**Environment:** ASan/UBSan-enabled build.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:\n```\n\n**Output**\n\n\u003cimg width=\"1915\" height=\"818\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cfe44432-b429-49e4-8673-2ed55ba9a961\" /\u003e\n\n**Notes:** Without sanitizers, the process may terminate with just `Aborted` (still DoS).\n\n---\n\n## Impact\n\n- Primary: Denial-of-Service \u2014 crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via `clahe 0x0!` or by uploading very small images to services using ImageMagick.\n- Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.\n\n---\n\n## Suggested concrete patch snippets\n\nApply in `CLAHEImage()` after `tile_info` is computed but **before** any division/modulus/pointer arithmetic:\n\n```c\nif (exact_tiles_requested \u0026\u0026 (tile_info.width == 0 || tile_info.height == 0)) {\n  ThrowMagickException(exception, GetMagickModule(), OptionError,\n                       \"CLAHEInvalidTile\", \"%lux%lu\",\n                       (unsigned long) tile_info.width,\n                       (unsigned long) tile_info.height);\n  return (Image *) NULL;\n}\n\nif (!exact_tiles_requested) {\n  tile_info.width  = (tile_info.width  == 0) ? MagickMax((size_t)1, image-\u003ecolumns \u003e\u003e 3) : tile_info.width;\n  tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image-\u003erows    \u003e\u003e 3) : tile_info.height;\n}\n\nif (tile_info.width == 0 || tile_info.height == 0) {\n  ThrowMagickException(exception, GetMagickModule(), OptionError,\n                       \"CLAHEInvalidTile\", \"%lux%lu\",\n                       (unsigned long) tile_info.width,\n                       (unsigned long) tile_info.height);\n  return (Image *) NULL;\n}\n\nssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;\nif (tile_h_minus1 \u003c 0) {\n  ThrowMagickException(exception, GetMagickModule(), OptionError,\n                       \"CLAHEInvalidTile\", \"%lux%lu\",\n                       (unsigned long) tile_info.width,\n                       (unsigned long) tile_info.height);\n  return (Image *) NULL;\n}\np += (ptrdiff_t) clahe_info-\u003ewidth * tile_h_minus1;\n```\n\nNotes about `exact_tiles_requested`: if the CLI/Wand parser already exposes whether `!` was present, use it. If not, add a parse-time flag so CLAHEImage can know whether `0` is literal or auto.\n\n---\n\n## Credit\n\n### Team Whys \n\n**Bug Hunting Master Program, HSpace/Findthegap**\n\n**Youngmin Kim** \nkunshim@naver.com\n\n**Woojin Park**\n\n[@jin-156](https://github.com/jin-156)\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Youngin Won**\n\n[@amethyst0225](https://github.com/amethyst0225)\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n\n[@hanbunny](https://github.com/hanbunny)\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)\n\n**Shinyoung Won**\n\n[@yosiimich](yosimich123@gmail.com)\n[yosimich123@gmail.com](mailto:yosimich123@gmail.com)",
  "id": "GHSA-wpp4-vqfq-v4hp",
  "modified": "2025-10-27T23:33:10Z",
  "published": "2025-10-27T23:33:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62594"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)"
}

GHSA-WPWF-QXPX-V6QH

Vulnerability from github – Published: 2024-11-08 06:30 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()

The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division.

The observed behavior was introduced by commit 826b5de90c0b ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"), and it is difficult to show that any of the interval parameters will satisfy the snd_interval_test() condition with data from the amdtp_rate_table[] table.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-08T06:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()\n\nThe step variable is initialized to zero. It is changed in the loop,\nbut if it\u0027s not changed it will remain zero. Add a variable check\nbefore the division.\n\nThe observed behavior was introduced by commit 826b5de90c0b\n(\"ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size\"),\nand it is difficult to show that any of the interval parameters will\nsatisfy the snd_interval_test() condition with data from the\namdtp_rate_table[] table.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
  "id": "GHSA-wpwf-qxpx-v6qh",
  "modified": "2026-05-12T15:30:40Z",
  "published": "2024-11-08T06:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50205"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3452d39c4704aa12504e4190298c721fb01083c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bdc21506f12b2d432b1f2667e5ff4c75eee58e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e431f85c87bbffd93a9830d5a576586f9855291"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72cafe63b35d06b5cfbaf807e90ae657907858da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d4eb9e22131ec154e638cbd56629195c9bcbe9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d2826873db70a6719cdd9212a6739f3e6234cfc4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d575414361630b8b0523912532fcd7c79e43468c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.