Common Weakness Enumeration

CWE-369

Allowed

Divide By Zero

Abstraction: Base · Status: Draft

The product divides a value by zero.

577 vulnerabilities reference this CWE, most recent first.

GHSA-4C27-WWV3-V6H2

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2023-05-22 03:30
VLAI
Details

A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-09T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-4c27-wwv3-v6h2",
  "modified": "2023-05-22T03:30:15Z",
  "published": "2022-05-24T17:43:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/pull/3193"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928958"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4H39-WWJ7-HQ2M

Vulnerability from github – Published: 2024-07-05 09:33 – Updated: 2024-07-08 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: savage: Handle err return when savagefb_check_var failed

The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero") checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn't handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-05T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Handle err return when savagefb_check_var failed\n\nThe commit 04e5eac8f3ab(\"fbdev: savage: Error out if pixclock equals zero\")\nchecks the value of pixclock to avoid divide-by-zero error. However\nthe function savagefb_probe doesn\u0027t handle the error return of\nsavagefb_check_var. When pixclock is 0, it will cause divide-by-zero error.",
  "id": "GHSA-4h39-wwj7-hq2m",
  "modified": "2024-07-08T18:31:16Z",
  "published": "2024-07-05T09:33:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39475"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32f92b0078ebf79dbe4827288e0acb50d89d3d5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b2c67e30b4e1d2ae19dba8b8e8f3b5fd3cf8089"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f446859bfa46df0ffb34149499f48a2c2d8cd95"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6ad959b6703e2c4c5d7af03b4cfd5ff608036339"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/86435f39c18967cdd937d7a49ba539cdea7fb547"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8385ff814ca4cb7e63789841e6ec2a14c73e1e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be754cbd77eaf2932408a4e18532e4945274a5c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/edaa57480b876e8203b51df7c3d14a51ea6b09e3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HJR-56F9-J54W

Vulnerability from github – Published: 2025-01-21 12:30 – Updated: 2025-09-26 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

gve: guard XDP xmit NDO on existence of xdp queues

In GVE, dedicated XDP queues only exist when an XDP program is installed and the interface is up. As such, the NDO XDP XMIT callback should return early if either of these conditions are false.

In the case of no loaded XDP program, priv->num_xdp_queues=0 which can cause a divide-by-zero error, and in the case of interface down, num_xdp_queues remains untouched to persist XDP queue count for the next interface up, but the TX pointer itself would be NULL.

The XDP xmit callback also needs to synchronize with a device transitioning from open to close. This synchronization will happen via the GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call, which waits for any RCU critical sections at call-time to complete.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T12:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: guard XDP xmit NDO on existence of xdp queues\n\nIn GVE, dedicated XDP queues only exist when an XDP program is installed\nand the interface is up. As such, the NDO XDP XMIT callback should\nreturn early if either of these conditions are false.\n\nIn the case of no loaded XDP program, priv-\u003enum_xdp_queues=0 which can\ncause a divide-by-zero error, and in the case of interface down,\nnum_xdp_queues remains untouched to persist XDP queue count for the next\ninterface up, but the TX pointer itself would be NULL.\n\nThe XDP xmit callback also needs to synchronize with a device\ntransitioning from open to close. This synchronization will happen via\nthe GVE_PRIV_FLAGS_NAPI_ENABLED bit along with a synchronize_net() call,\nwhich waits for any RCU critical sections at call-time to complete.",
  "id": "GHSA-4hjr-56f9-j54w",
  "modified": "2025-09-26T21:30:27Z",
  "published": "2025-01-21T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57932"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35f44eed5828cf1bc7e760d1993ed8549ba41c7b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbe9eb2c39d09f3c8574febcfa39d8c09d0c7cb5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff7c2dea9dd1a436fc79d6273adffdcc4a7ffea3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4HR6-49G3-G573

Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2023-08-31 18:30
VLAI
Details

Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4678"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.",
  "id": "GHSA-4hr6-49g3-g573",
  "modified": "2023-08-31T18:30:28Z",
  "published": "2023-08-31T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4678"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JM9-V433-WX3F

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2022-10-07 18:15
VLAI
Details

WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1010315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.",
  "id": "GHSA-4jm9-v433-wx3f",
  "modified": "2022-10-07T18:15:49Z",
  "published": "2022-05-24T16:50:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbry/WavPack/issues/65"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4062-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4M6C-V88J-QQXH

Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2025-02-27 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: savage: Error out if pixclock equals zero

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of pixclock, it may cause divide-by-zero error.

Although pixclock is checked in savagefb_decode_var(), but it is not checked properly in savagefb_probe(). Fix this by checking whether pixclock is zero in the function savagefb_check_var() before info->var.pixclock is used as the divisor.

This is similar to CVE-2022-3061 in i740fb which was fixed by commit 15cf0b8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T17:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn\u0027t check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo-\u003evar.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.",
  "id": "GHSA-4m6c-v88j-qqxh",
  "modified": "2025-02-27T15:31:49Z",
  "published": "2024-04-03T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26778"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4Q34-PQWJ-3CV6

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-19 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()

Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug in: drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. and then in: drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); we'll get a division-by-zero.

The following log can reveal it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Fix this by checking the argument of ark_set_pixclock() first.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvideo: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()\n\nSince the user can control the arguments of the ioctl() from the user\nspace, under special arguments that may result in a divide-by-zero bug\nin:\n  drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info-\u003evar.pixclock) / hmul);\nwith hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0.\nand then in:\n  drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par-\u003edac, 0, 1000000000 / pixclock);\nwe\u0027ll get a division-by-zero.\n\nThe following log can reveal it:\n\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nRIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline]\nRIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784\nCall Trace:\n fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034\n do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110\n fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189\n\nFix this by checking the argument of ark_set_pixclock() first.",
  "id": "GHSA-4q34-pqwj-3cv6",
  "modified": "2025-11-19T15:31:28Z",
  "published": "2025-06-18T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50102"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0288fa799e273b08839037499d704dc7bdc13e9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/15661642511b2b192077684a89f42a8d95d54286"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/236c1502520b7b08955467ec2e50b3232e34f1f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f1c4523f7a3aaabe7e53d3ebd378292947e95c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76b3f0a0b56e53a960a14624a0f48b3d94b5e7e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ebc5031958c1f3a2795e4533b4091d77c738d14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a249e1b89ca25e1c34bdf96154e3f6224a91a9af"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9a66f23612b84617e04412169e155a4b92f632d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R58-H5CF-8QGJ

Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-08 00:30
VLAI
Details

A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T22:16:01Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod\u003c...\u003e::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-4r58-h5cf-8qgj",
  "modified": "2026-02-08T00:30:57Z",
  "published": "2026-02-08T00:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mapnik/mapnik/issues/4545"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mapnik/mapnik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oneafter/1219/blob/main/repro"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344502"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344502"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.743386"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4RXG-5MF4-8HRC

Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2025-04-20 03:35
VLAI
Details

tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-09T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.",
  "id": "GHSA-4rxg-5mf4-8hrc",
  "modified": "2025-04-20T03:35:38Z",
  "published": "2022-05-14T03:36:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7598"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201709-27"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3602-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3844"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97499"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VF2-4XCG-65CX

Vulnerability from github – Published: 2021-05-21 14:21 – Updated: 2024-10-30 22:08
VLAI
Summary
Division by 0 in `Conv2D`
Details

Impact

An attacker can trigger a division by 0 in tf.raw_ops.Conv2D:

import tensorflow as tf

input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)

strides = [1, 1, 1, 1]
padding = "SAME"

tf.raw_ops.Conv2D(input=input, filter=filter, strides=strides, padding=padding)

This is because the implementation does a division by a quantity that is controlled by the caller:

  const int64 patch_depth = filter.dim_size(2);
  if (in_depth % patch_depth != 0) { ... }

Patches

We have patched the issue in GitHub commit b12aa1d44352de21d1a6faaf04172d8c2508b42b.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T23:14:52Z",
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAn attacker can trigger a division by 0 in `tf.raw_ops.Conv2D`:\n\n```python\nimport tensorflow as tf\n\ninput = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)\nfilter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)\n\nstrides = [1, 1, 1, 1]\npadding = \"SAME\"\n                               \ntf.raw_ops.Conv2D(input=input, filter=filter, strides=strides, padding=padding)\n```                            \n                               \nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/988087bd83f144af14087fe4fecee2d250d93737/tensorflow/core/kernels/conv_ops.cc#L261-L263) does a division by a quantity that is controlled by the caller:\n```cc\n  const int64 patch_depth = filter.dim_size(2);\n  if (in_depth % patch_depth != 0) { ... }\n```\n  \n### Patches\nWe have patched the issue in GitHub commit [b12aa1d44352de21d1a6faaf04172d8c2508b42b](https://github.com/tensorflow/tensorflow/commit/b12aa1d44352de21d1a6faaf04172d8c2508b42b).\n  \nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution \nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
  "id": "GHSA-4vf2-4xcg-65cx",
  "modified": "2024-10-30T22:08:50Z",
  "published": "2021-05-21T14:21:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-4vf2-4xcg-65cx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29526"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/b12aa1d44352de21d1a6faaf04172d8c2508b42b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-454.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-652.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-163.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Division by 0 in `Conv2D`"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.