Common Weakness Enumeration

CWE-191

Allowed

Integer Underflow (Wrap or Wraparound)

Abstraction: Base · Status: Draft

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

640 vulnerabilities reference this CWE, most recent first.

GHSA-WFWJ-6WVW-XHCW

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-08-29 15:30
VLAI
Details

A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
  "id": "GHSA-wfwj-6wvw-xhcw",
  "modified": "2025-08-29T15:30:37Z",
  "published": "2022-05-24T17:28:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14362"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869144"
    },
    {
      "type": "WEB",
      "url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202012-01"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4488-2"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1419"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WGH3-CVVC-WGR6

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-10-19 19:00
VLAI
Details

u'Out of Bound issue in DSP services while processing received arguments due to improper validation of length received as an argument' in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-12T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "u\u0027Out of Bound issue in DSP services while processing received arguments due to improper validation of length received as an argument\u0027 in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439",
  "id": "GHSA-wgh3-cvvc-wgr6",
  "modified": "2022-10-19T19:00:22Z",
  "published": "2022-05-24T17:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11208"
    },
    {
      "type": "WEB",
      "url": "https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril"
    },
    {
      "type": "WEB",
      "url": "https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHW3-PV3M-QCCM

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01
VLAI
Details

An exploitable integer underflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall, version 7003. When parsing SRV records in an mDNS packet, the "RDLENGTH" value is handled incorrectly, leading to an out-of-bounds access that crashes the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable integer underflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall, version 7003. When parsing SRV records in an mDNS packet, the \"RDLENGTH\" value is handled incorrectly, leading to an out-of-bounds access that crashes the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.",
  "id": "GHSA-whw3-pv3m-qccm",
  "modified": "2022-05-13T01:01:45Z",
  "published": "2022-05-13T01:01:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4011"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0681"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJJW-4VR2-W8QR

Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-10 21:30
VLAI
Details

Animate versions 23.0.8, 24.0.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T21:15:18Z",
    "severity": "HIGH"
  },
  "details": "Animate versions 23.0.8, 24.0.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-wjjw-4vr2-w8qr",
  "modified": "2024-12-10T21:30:53Z",
  "published": "2024-12-10T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52986"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/animate/apsb24-96.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPP4-VQFQ-V4HP

Vulnerability from github – Published: 2025-10-27 23:33 – Updated: 2025-10-27 23:33
VLAI
Summary
ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
Details

Summary

A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors. Vulnerabilities exists in the CLAHEImage() function of ImageMagick’s MagickCore/enhance.c.

  1. Unsigned integer underflow → out-of-bounds pointer arithmetic (OOB): when tile_info.height == 0, the expression tile_info.height - 1 (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).
  2. Division/modulus by zero: where code performs ... / tile_info.width or ... % tile_info.height without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or abort at runtime.

Both behaviors are triggered by the same invalid tile condition (e.g., CLI exact -clahe 0x0! or automatic tile derivation dim >> 3 == 0 for very small images).


Details

Unsigned underflow(can lea to OOB)

  • Location: MagickCore/enhance.c, around line 609
  • Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
  • Vulnerable code

    enhance.c: 609

    c p += (ptrdiff_t) clahe_info->width * (tile.height - 1);

  • Root Cause

    • If tile.height == 0, then (tile.height - 1) underflows to UINT_MAX.
    • Multiplication with clahe_info->width yields a huge value close to SIZE_MAX.
    • Adding this to p causes pointer arithmetic underflow.

Division-by-zero

  • File / Location: MagickCore/enhance.c, around line 669
  • Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
  • vulnerable code

    enhance.c: 669-673

    c if ((image->columns % tile_info.width) != 0) tile_info.x=(ssize_t) (tile_info.width-(image->columns % tile_info.width)); tile_info.y=0; if ((image->rows % tile_info.height) != 0) tile_info.y=(ssize_t) (tile_info.height-(image->rows % tile_info.height));

  • Root cause

    Missing input validation / bounds checks after computing default tile dimensions:

    If either tile_info.width or tile_info.height is 0, this triggers a division by zero. Zeros can reach this point through:

    1. Exact tiles: CLI clahe 0x0! (the ! forces zero to be used verbatim).
    2. Auto tiles on tiny images: When a requested tile is 0 (no !), the code derives a default from the image size (e.g., dim >> 3). For images with dim < 8, this result is 0 unless clamped.

Reproduction

Unsigned underflow

Environment

Built with AddressSanitizer and UndefinedBehaviorSanitizer enabled.

export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0

Command

./magick xc:black -clahe 0x0 null:

Output

MagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage

./magick -size 10x10 xc:black -clahe 0x0 null:

image

memory region corruption.

./magick -size 2000x2000 xc:black -clahe 0x0 null:

image

→ Significant memory consumption and evidence of memory region corruption.

./magick -size 4000x4000 xc:black -clahe 0x0 null:

image

→ Much larger memory usage; process appears to be aggressively consuming cache and address space.

./magick -size 8000x8000 xc:black -clahe 0x0 null:

image

→ Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.

Division-by-zero

Environment: ASan/UBSan-enabled build.

export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0

Command

./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:

Output

image

Notes: Without sanitizers, the process may terminate with just Aborted (still DoS).


Impact

  • Primary: Denial-of-Service — crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via clahe 0x0! or by uploading very small images to services using ImageMagick.
  • Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.

Suggested concrete patch snippets

Apply in CLAHEImage() after tile_info is computed but before any division/modulus/pointer arithmetic:

if (exact_tiles_requested && (tile_info.width == 0 || tile_info.height == 0)) {
  ThrowMagickException(exception, GetMagickModule(), OptionError,
                       "CLAHEInvalidTile", "%lux%lu",
                       (unsigned long) tile_info.width,
                       (unsigned long) tile_info.height);
  return (Image *) NULL;
}

if (!exact_tiles_requested) {
  tile_info.width  = (tile_info.width  == 0) ? MagickMax((size_t)1, image->columns >> 3) : tile_info.width;
  tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image->rows    >> 3) : tile_info.height;
}

if (tile_info.width == 0 || tile_info.height == 0) {
  ThrowMagickException(exception, GetMagickModule(), OptionError,
                       "CLAHEInvalidTile", "%lux%lu",
                       (unsigned long) tile_info.width,
                       (unsigned long) tile_info.height);
  return (Image *) NULL;
}

ssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;
if (tile_h_minus1 < 0) {
  ThrowMagickException(exception, GetMagickModule(), OptionError,
                       "CLAHEInvalidTile", "%lux%lu",
                       (unsigned long) tile_info.width,
                       (unsigned long) tile_info.height);
  return (Image *) NULL;
}
p += (ptrdiff_t) clahe_info->width * tile_h_minus1;

Notes about exact_tiles_requested: if the CLI/Wand parser already exposes whether ! was present, use it. If not, add a parse-time flag so CLAHEImage can know whether 0 is literal or auto.


Credit

Team Whys

Bug Hunting Master Program, HSpace/Findthegap

Youngmin Kim kunshim@naver.com

Woojin Park

@jin-156 1203kids@gmail.com

Youngin Won

@amethyst0225 youngin04@korea.ac.kr

Siyeon Han

@hanbunny kokosyeon@gmail.com

Shinyoung Won

@yosiimich yosimich123@gmail.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-191",
      "CWE-369"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-27T23:33:10Z",
    "nvd_published_at": "2025-10-27T20:15:54Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA single root cause in the CLAHE implementation \u2014 tile width/height becoming zero \u2014 produces two distinct but related unsafe behaviors.\nVulnerabilities exists in the `CLAHEImage()` function of ImageMagick\u2019s `MagickCore/enhance.c`.\n\n1. Unsigned integer underflow \u2192 out-of-bounds pointer arithmetic (OOB): when `tile_info.height == 0`, the expression `tile_info.height - 1` (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).\n2. **Division/modulus by zero**: where code performs `... / tile_info.width` or `... % tile_info.height` without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or `abort` at runtime.\n\nBoth behaviors are triggered by the same invalid tile condition (e.g., CLI exact `-clahe 0x0!` or automatic tile derivation `dim \u003e\u003e 3 == 0` for very small images). \n\n---\n\n## Details\n\n### **Unsigned underflow(can lea to OOB)**\n\n- Location: `MagickCore/enhance.c`, around line 609\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- Vulnerable code\n    \n    enhance.c: 609\n    \n    ```c\n    p += (ptrdiff_t) clahe_info-\u003ewidth * (tile.height - 1);\n    ```\n    \n- Root Cause\n    - If `tile.height == 0`, then `(tile.height - 1)` underflows to `UINT_MAX`.\n    - Multiplication with `clahe_info-\u003ewidth` yields a huge value close to `SIZE_MAX`.\n    - Adding this to `p` causes pointer arithmetic underflow.\n\n### **Division-by-zero**\n\n- File / Location: `MagickCore/enhance.c`, around line 669\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- vulnerable code\n    \n    enhance.c: 669-673\n    \n    ```c\n     if ((image-\u003ecolumns % tile_info.width) != 0)\n        tile_info.x=(ssize_t) (tile_info.width-(image-\u003ecolumns % tile_info.width));\n      tile_info.y=0;\n      if ((image-\u003erows % tile_info.height) != 0)\n        tile_info.y=(ssize_t) (tile_info.height-(image-\u003erows % tile_info.height));\n    ```\n    \n- Root cause\n    \n    Missing input validation / bounds checks after computing default tile dimensions:\n    \n    If either `tile_info.width` or `tile_info.height` is 0, this triggers a division by zero. Zeros can reach this point through:\n    \n    1. Exact tiles: CLI `clahe 0x0!` (the `!` forces zero to be used verbatim).\n    2. Auto tiles on tiny images: When a requested tile is `0` (no `!`), the code derives a default from the image size (e.g., `dim \u003e\u003e 3`). For images with `dim \u003c 8`, this result is 0 unless clamped.\n\n---\n\n## Reproduction\n\n### **Unsigned underflow**\n\n**Environment**\n\nBuilt with AddressSanitizer and UndefinedBehaviorSanitizer enabled.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick xc:black -clahe 0x0 null:\n```\n\n**Output**\n\n```\nMagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed\nSUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage\n```\n\n`./magick -size 10x10 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1068\" height=\"64\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9637ee-1d03-4066-834d-fda22410dd8b\" /\u003e\n\nmemory region corruption.\n\n`./magick -size 2000x2000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1069\" height=\"70\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ecbab79c-a3c2-4e8c-96c9-8e2aa8f0d2b2\" /\u003e\n\n\u2192 Significant memory consumption and evidence of memory region corruption.\n\n`./magick -size 4000x4000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"776\" height=\"49\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63a7cec5-616b-4aa5-87f3-a546a87e6625\" /\u003e\n\n\u2192 Much larger memory usage; process appears to be aggressively consuming cache and address space.\n\n`./magick -size 8000x8000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"748\" height=\"46\" alt=\"image\" src=\"https://github.com/user-attachments/assets/48b3aac8-98b3-4fbb-a5ca-4e7936bca44b\" /\u003e\n\n\u2192 Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.\n\n### **Division-by-zero**\n\n**Environment:** ASan/UBSan-enabled build.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:\n```\n\n**Output**\n\n\u003cimg width=\"1915\" height=\"818\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cfe44432-b429-49e4-8673-2ed55ba9a961\" /\u003e\n\n**Notes:** Without sanitizers, the process may terminate with just `Aborted` (still DoS).\n\n---\n\n## Impact\n\n- Primary: Denial-of-Service \u2014 crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via `clahe 0x0!` or by uploading very small images to services using ImageMagick.\n- Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.\n\n---\n\n## Suggested concrete patch snippets\n\nApply in `CLAHEImage()` after `tile_info` is computed but **before** any division/modulus/pointer arithmetic:\n\n```c\nif (exact_tiles_requested \u0026\u0026 (tile_info.width == 0 || tile_info.height == 0)) {\n  ThrowMagickException(exception, GetMagickModule(), OptionError,\n                       \"CLAHEInvalidTile\", \"%lux%lu\",\n                       (unsigned long) tile_info.width,\n                       (unsigned long) tile_info.height);\n  return (Image *) NULL;\n}\n\nif (!exact_tiles_requested) {\n  tile_info.width  = (tile_info.width  == 0) ? MagickMax((size_t)1, image-\u003ecolumns \u003e\u003e 3) : tile_info.width;\n  tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image-\u003erows    \u003e\u003e 3) : tile_info.height;\n}\n\nif (tile_info.width == 0 || tile_info.height == 0) {\n  ThrowMagickException(exception, GetMagickModule(), OptionError,\n                       \"CLAHEInvalidTile\", \"%lux%lu\",\n                       (unsigned long) tile_info.width,\n                       (unsigned long) tile_info.height);\n  return (Image *) NULL;\n}\n\nssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;\nif (tile_h_minus1 \u003c 0) {\n  ThrowMagickException(exception, GetMagickModule(), OptionError,\n                       \"CLAHEInvalidTile\", \"%lux%lu\",\n                       (unsigned long) tile_info.width,\n                       (unsigned long) tile_info.height);\n  return (Image *) NULL;\n}\np += (ptrdiff_t) clahe_info-\u003ewidth * tile_h_minus1;\n```\n\nNotes about `exact_tiles_requested`: if the CLI/Wand parser already exposes whether `!` was present, use it. If not, add a parse-time flag so CLAHEImage can know whether `0` is literal or auto.\n\n---\n\n## Credit\n\n### Team Whys \n\n**Bug Hunting Master Program, HSpace/Findthegap**\n\n**Youngmin Kim** \nkunshim@naver.com\n\n**Woojin Park**\n\n[@jin-156](https://github.com/jin-156)\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Youngin Won**\n\n[@amethyst0225](https://github.com/amethyst0225)\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n\n[@hanbunny](https://github.com/hanbunny)\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)\n\n**Shinyoung Won**\n\n[@yosiimich](yosimich123@gmail.com)\n[yosimich123@gmail.com](mailto:yosimich123@gmail.com)",
  "id": "GHSA-wpp4-vqfq-v4hp",
  "modified": "2025-10-27T23:33:10Z",
  "published": "2025-10-27T23:33:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62594"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)"
}

GHSA-WPV6-5Q5M-QPH7

Vulnerability from github – Published: 2022-05-01 17:41 – Updated: 2022-05-01 17:41
VLAI
Details

Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-0063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-09-21T19:17:00Z",
    "severity": "HIGH"
  },
  "details": "Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.",
  "id": "GHSA-wpv6-5q5m-qph7",
  "modified": "2022-05-01T17:41:31Z",
  "published": "2022-05-01T17:41:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0063"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33103"
    },
    {
      "type": "WEB",
      "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26890"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27694"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27706"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200711-23.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/threats/275.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25729"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018717"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-543-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/ace/doc/releasenotes_ace.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/player/doc/releasenotes_player.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/player2/doc/releasenotes_player2.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/server/doc/releasenotes_server.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WQ8F-46WW-6C2H

Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 22:27
VLAI
Summary
Integer underflow in untrusted
Details

A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "untrusted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:24:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn\u0027t properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It\u0027s also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.",
  "id": "GHSA-wq8f-46ww-6c2h",
  "modified": "2023-06-13T22:27:01Z",
  "published": "2021-08-25T20:43:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/briansmith/untrusted/pull/20"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/briansmith/untrusted"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Integer underflow in untrusted"
}

GHSA-WW7R-JW8R-PPWC

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03
VLAI
Details

An issue was discovered in YottaDB through r1.32 and V7.0-000. Using crafted input, attackers can cause an integer underflow of the size of calls to memset in op_fnj3 in sr_port/op_fnj3.c in order to cause a segmentation fault and crash the application. This is a "- digs" subtraction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-15T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in YottaDB through r1.32 and V7.0-000. Using crafted input, attackers can cause an integer underflow of the size of calls to memset in op_fnj3 in sr_port/op_fnj3.c in order to cause a segmentation fault and crash the application. This is a \"- digs\" subtraction.",
  "id": "GHSA-ww7r-jw8r-ppwc",
  "modified": "2022-04-23T00:03:17Z",
  "published": "2022-04-16T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44489"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/YottaDB/DB/YDB/-/issues/828"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWPV-HJ37-M43G

Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47
VLAI
Details

Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-1208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-09T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file.",
  "id": "GHSA-wwpv-hj37-m43g",
  "modified": "2022-05-14T03:47:43Z",
  "published": "2022-05-14T03:47:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1208"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/chromium/issues/detail?id=444546"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/blob/n2.4.6/Changelog"
    },
    {
      "type": "WEB",
      "url": "http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3ebd76a9c57558e284e94da367dd23b435e6a6d0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX39-GWC4-8CJF

Vulnerability from github – Published: 2022-05-01 02:03 – Updated: 2024-02-08 18:30
VLAI
Details

The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-1891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-06-09T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.",
  "id": "GHSA-wx39-gwc4-8cjf",
  "modified": "2024-02-08T18:30:37Z",
  "published": "2022-05-01T02:03:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1891"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=111816939928640\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=111817881214343\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1014145"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/13880"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.