CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
640 vulnerabilities reference this CWE, most recent first.
GHSA-WFWJ-6WVW-XHCW
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-08-29 15:30A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2020-14362"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in X.Org Server before xorg-x11-server 1.20.9. An Integer underflow leading to heap-buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"id": "GHSA-wfwj-6wvw-xhcw",
"modified": "2025-08-29T15:30:37Z",
"published": "2022-05-24T17:28:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14362"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869144"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202012-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4488-2"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGH3-CVVC-WGR6
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-10-19 19:00u'Out of Bound issue in DSP services while processing received arguments due to improper validation of length received as an argument' in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439
{
"affected": [],
"aliases": [
"CVE-2020-11208"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T10:15:00Z",
"severity": "HIGH"
},
"details": "u\u0027Out of Bound issue in DSP services while processing received arguments due to improper validation of length received as an argument\u0027 in SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439",
"id": "GHSA-wgh3-cvvc-wgr6",
"modified": "2022-10-19T19:00:22Z",
"published": "2022-05-24T17:33:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11208"
},
{
"type": "WEB",
"url": "https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril"
},
{
"type": "WEB",
"url": "https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHW3-PV3M-QCCM
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable integer underflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall, version 7003. When parsing SRV records in an mDNS packet, the "RDLENGTH" value is handled incorrectly, leading to an out-of-bounds access that crashes the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-4011"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T16:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable integer underflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall, version 7003. When parsing SRV records in an mDNS packet, the \"RDLENGTH\" value is handled incorrectly, leading to an out-of-bounds access that crashes the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.",
"id": "GHSA-whw3-pv3m-qccm",
"modified": "2022-05-13T01:01:45Z",
"published": "2022-05-13T01:01:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4011"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJJW-4VR2-W8QR
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-10 21:30Animate versions 23.0.8, 24.0.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-52986"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T21:15:18Z",
"severity": "HIGH"
},
"details": "Animate versions 23.0.8, 24.0.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-wjjw-4vr2-w8qr",
"modified": "2024-12-10T21:30:53Z",
"published": "2024-12-10T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52986"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/animate/apsb24-96.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPP4-VQFQ-V4HP
Vulnerability from github – Published: 2025-10-27 23:33 – Updated: 2025-10-27 23:33Summary
A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors.
Vulnerabilities exists in the CLAHEImage() function of ImageMagick’s MagickCore/enhance.c.
- Unsigned integer underflow → out-of-bounds pointer arithmetic (OOB): when
tile_info.height == 0, the expressiontile_info.height - 1(unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion). - Division/modulus by zero: where code performs
... / tile_info.widthor... % tile_info.heightwithout re-checking for zero, causing immediate division-by-zero crashes under sanitizers orabortat runtime.
Both behaviors are triggered by the same invalid tile condition (e.g., CLI exact -clahe 0x0! or automatic tile derivation dim >> 3 == 0 for very small images).
Details
Unsigned underflow(can lea to OOB)
- Location:
MagickCore/enhance.c, around line 609 - Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
-
Vulnerable code
enhance.c: 609
c p += (ptrdiff_t) clahe_info->width * (tile.height - 1); -
Root Cause
- If
tile.height == 0, then(tile.height - 1)underflows toUINT_MAX. - Multiplication with
clahe_info->widthyields a huge value close toSIZE_MAX. - Adding this to
pcauses pointer arithmetic underflow.
- If
Division-by-zero
- File / Location:
MagickCore/enhance.c, around line 669 - Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)
-
vulnerable code
enhance.c: 669-673
c if ((image->columns % tile_info.width) != 0) tile_info.x=(ssize_t) (tile_info.width-(image->columns % tile_info.width)); tile_info.y=0; if ((image->rows % tile_info.height) != 0) tile_info.y=(ssize_t) (tile_info.height-(image->rows % tile_info.height)); -
Root cause
Missing input validation / bounds checks after computing default tile dimensions:
If either
tile_info.widthortile_info.heightis 0, this triggers a division by zero. Zeros can reach this point through:- Exact tiles: CLI
clahe 0x0!(the!forces zero to be used verbatim). - Auto tiles on tiny images: When a requested tile is
0(no!), the code derives a default from the image size (e.g.,dim >> 3). For images withdim < 8, this result is 0 unless clamped.
- Exact tiles: CLI
Reproduction
Unsigned underflow
Environment
Built with AddressSanitizer and UndefinedBehaviorSanitizer enabled.
export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0
Command
./magick xc:black -clahe 0x0 null:
Output
MagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage
./magick -size 10x10 xc:black -clahe 0x0 null:
memory region corruption.
./magick -size 2000x2000 xc:black -clahe 0x0 null:
→ Significant memory consumption and evidence of memory region corruption.
./magick -size 4000x4000 xc:black -clahe 0x0 null:
→ Much larger memory usage; process appears to be aggressively consuming cache and address space.
./magick -size 8000x8000 xc:black -clahe 0x0 null:
→ Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.
Division-by-zero
Environment: ASan/UBSan-enabled build.
export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1
export ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0
Command
./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:
Output
Notes: Without sanitizers, the process may terminate with just Aborted (still DoS).
Impact
- Primary: Denial-of-Service — crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via
clahe 0x0!or by uploading very small images to services using ImageMagick. - Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.
Suggested concrete patch snippets
Apply in CLAHEImage() after tile_info is computed but before any division/modulus/pointer arithmetic:
if (exact_tiles_requested && (tile_info.width == 0 || tile_info.height == 0)) {
ThrowMagickException(exception, GetMagickModule(), OptionError,
"CLAHEInvalidTile", "%lux%lu",
(unsigned long) tile_info.width,
(unsigned long) tile_info.height);
return (Image *) NULL;
}
if (!exact_tiles_requested) {
tile_info.width = (tile_info.width == 0) ? MagickMax((size_t)1, image->columns >> 3) : tile_info.width;
tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image->rows >> 3) : tile_info.height;
}
if (tile_info.width == 0 || tile_info.height == 0) {
ThrowMagickException(exception, GetMagickModule(), OptionError,
"CLAHEInvalidTile", "%lux%lu",
(unsigned long) tile_info.width,
(unsigned long) tile_info.height);
return (Image *) NULL;
}
ssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;
if (tile_h_minus1 < 0) {
ThrowMagickException(exception, GetMagickModule(), OptionError,
"CLAHEInvalidTile", "%lux%lu",
(unsigned long) tile_info.width,
(unsigned long) tile_info.height);
return (Image *) NULL;
}
p += (ptrdiff_t) clahe_info->width * tile_h_minus1;
Notes about exact_tiles_requested: if the CLI/Wand parser already exposes whether ! was present, use it. If not, add a parse-time flag so CLAHEImage can know whether 0 is literal or auto.
Credit
Team Whys
Bug Hunting Master Program, HSpace/Findthegap
Youngmin Kim kunshim@naver.com
Woojin Park
Youngin Won
@amethyst0225 youngin04@korea.ac.kr
Siyeon Han
Shinyoung Won
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62594"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-191",
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-27T23:33:10Z",
"nvd_published_at": "2025-10-27T20:15:54Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA single root cause in the CLAHE implementation \u2014 tile width/height becoming zero \u2014 produces two distinct but related unsafe behaviors.\nVulnerabilities exists in the `CLAHEImage()` function of ImageMagick\u2019s `MagickCore/enhance.c`.\n\n1. Unsigned integer underflow \u2192 out-of-bounds pointer arithmetic (OOB): when `tile_info.height == 0`, the expression `tile_info.height - 1` (unsigned) wraps to a very large value; using that value in pointer arithmetic yields a huge offset and OOB memory access (leading to memory corruption, SIGSEGV, or resource exhaustion).\n2. **Division/modulus by zero**: where code performs `... / tile_info.width` or `... % tile_info.height` without re-checking for zero, causing immediate division-by-zero crashes under sanitizers or `abort` at runtime.\n\nBoth behaviors are triggered by the same invalid tile condition (e.g., CLI exact `-clahe 0x0!` or automatic tile derivation `dim \u003e\u003e 3 == 0` for very small images). \n\n---\n\n## Details\n\n### **Unsigned underflow(can lea to OOB)**\n\n- Location: `MagickCore/enhance.c`, around line 609\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- Vulnerable code\n \n enhance.c: 609\n \n ```c\n p += (ptrdiff_t) clahe_info-\u003ewidth * (tile.height - 1);\n ```\n \n- Root Cause\n - If `tile.height == 0`, then `(tile.height - 1)` underflows to `UINT_MAX`.\n - Multiplication with `clahe_info-\u003ewidth` yields a huge value close to `SIZE_MAX`.\n - Adding this to `p` causes pointer arithmetic underflow.\n\n### **Division-by-zero**\n\n- File / Location: `MagickCore/enhance.c`, around line 669\n- Version tested: 7.1.2-8 (local ASan(undefined). /UBSan build)\n- vulnerable code\n \n enhance.c: 669-673\n \n ```c\n if ((image-\u003ecolumns % tile_info.width) != 0)\n tile_info.x=(ssize_t) (tile_info.width-(image-\u003ecolumns % tile_info.width));\n tile_info.y=0;\n if ((image-\u003erows % tile_info.height) != 0)\n tile_info.y=(ssize_t) (tile_info.height-(image-\u003erows % tile_info.height));\n ```\n \n- Root cause\n \n Missing input validation / bounds checks after computing default tile dimensions:\n \n If either `tile_info.width` or `tile_info.height` is 0, this triggers a division by zero. Zeros can reach this point through:\n \n 1. Exact tiles: CLI `clahe 0x0!` (the `!` forces zero to be used verbatim).\n 2. Auto tiles on tiny images: When a requested tile is `0` (no `!`), the code derives a default from the image size (e.g., `dim \u003e\u003e 3`). For images with `dim \u003c 8`, this result is 0 unless clamped.\n\n---\n\n## Reproduction\n\n### **Unsigned underflow**\n\n**Environment**\n\nBuilt with AddressSanitizer and UndefinedBehaviorSanitizer enabled.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick xc:black -clahe 0x0 null:\n```\n\n**Output**\n\n```\nMagickCore/enhance.c:609:6: runtime error: addition of unsigned offset overflowed\nSUMMARY: UndefinedBehaviorSanitizer: undefined-behavior MagickCore/enhance.c:609:6 in CLAHEImage\n```\n\n`./magick -size 10x10 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1068\" height=\"64\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9637ee-1d03-4066-834d-fda22410dd8b\" /\u003e\n\nmemory region corruption.\n\n`./magick -size 2000x2000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"1069\" height=\"70\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ecbab79c-a3c2-4e8c-96c9-8e2aa8f0d2b2\" /\u003e\n\n\u2192 Significant memory consumption and evidence of memory region corruption.\n\n`./magick -size 4000x4000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"776\" height=\"49\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63a7cec5-616b-4aa5-87f3-a546a87e6625\" /\u003e\n\n\u2192 Much larger memory usage; process appears to be aggressively consuming cache and address space.\n\n`./magick -size 8000x8000 xc:black -clahe 0x0 null:`\n\n\u003cimg width=\"748\" height=\"46\" alt=\"image\" src=\"https://github.com/user-attachments/assets/48b3aac8-98b3-4fbb-a5ca-4e7936bca44b\" /\u003e\n\n\u2192 Memory usage escalates further and begins exhausting available cache. If left running, the process is likely to crash (DoS) after sustained allocation attempts.\n\n### **Division-by-zero**\n\n**Environment:** ASan/UBSan-enabled build.\n\n```c\nexport UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1\nexport ASAN_OPTIONS=abort_on_error=1:allocator_may_return_null=1:detect_leaks=0\n```\n\n**Command**\n\n```bash\n./magick -size 16x2 gradient: -type TrueColor -depth 8 -clahe 0x0! null:\n```\n\n**Output**\n\n\u003cimg width=\"1915\" height=\"818\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cfe44432-b429-49e4-8673-2ed55ba9a961\" /\u003e\n\n**Notes:** Without sanitizers, the process may terminate with just `Aborted` (still DoS).\n\n---\n\n## Impact\n\n- Primary: Denial-of-Service \u2014 crash or sustained resource exhaustion (memory/cache thrash) when processing crafted parameters or small images via CLI or API. Attackers can trivially trigger via `clahe 0x0!` or by uploading very small images to services using ImageMagick.\n- Secondary (theoretical): OOB memory accesses and memory corruption could potentially be combined with other vulnerabilities to achieve more severe outcomes; however, no reliable code execution was demonstrated from these PoCs alone.\n\n---\n\n## Suggested concrete patch snippets\n\nApply in `CLAHEImage()` after `tile_info` is computed but **before** any division/modulus/pointer arithmetic:\n\n```c\nif (exact_tiles_requested \u0026\u0026 (tile_info.width == 0 || tile_info.height == 0)) {\n ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"CLAHEInvalidTile\", \"%lux%lu\",\n (unsigned long) tile_info.width,\n (unsigned long) tile_info.height);\n return (Image *) NULL;\n}\n\nif (!exact_tiles_requested) {\n tile_info.width = (tile_info.width == 0) ? MagickMax((size_t)1, image-\u003ecolumns \u003e\u003e 3) : tile_info.width;\n tile_info.height = (tile_info.height == 0) ? MagickMax((size_t)1, image-\u003erows \u003e\u003e 3) : tile_info.height;\n}\n\nif (tile_info.width == 0 || tile_info.height == 0) {\n ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"CLAHEInvalidTile\", \"%lux%lu\",\n (unsigned long) tile_info.width,\n (unsigned long) tile_info.height);\n return (Image *) NULL;\n}\n\nssize_t tile_h_minus1 = (ssize_t)tile_info.height - 1;\nif (tile_h_minus1 \u003c 0) {\n ThrowMagickException(exception, GetMagickModule(), OptionError,\n \"CLAHEInvalidTile\", \"%lux%lu\",\n (unsigned long) tile_info.width,\n (unsigned long) tile_info.height);\n return (Image *) NULL;\n}\np += (ptrdiff_t) clahe_info-\u003ewidth * tile_h_minus1;\n```\n\nNotes about `exact_tiles_requested`: if the CLI/Wand parser already exposes whether `!` was present, use it. If not, add a parse-time flag so CLAHEImage can know whether `0` is literal or auto.\n\n---\n\n## Credit\n\n### Team Whys \n\n**Bug Hunting Master Program, HSpace/Findthegap**\n\n**Youngmin Kim** \nkunshim@naver.com\n\n**Woojin Park**\n\n[@jin-156](https://github.com/jin-156)\n[1203kids@gmail.com](mailto:1203kids@gmail.com)\n\n**Youngin Won**\n\n[@amethyst0225](https://github.com/amethyst0225)\n[youngin04@korea.ac.kr](mailto:youngin04@korea.ac.kr)\n\n**Siyeon Han**\n\n[@hanbunny](https://github.com/hanbunny)\n[kokosyeon@gmail.com](mailto:kokosyeon@gmail.com)\n\n**Shinyoung Won**\n\n[@yosiimich](yosimich123@gmail.com)\n[yosimich123@gmail.com](mailto:yosimich123@gmail.com)",
"id": "GHSA-wpp4-vqfq-v4hp",
"modified": "2025-10-27T23:33:10Z",
"published": "2025-10-27T23:33:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wpp4-vqfq-v4hp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62594"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/7b47fe369eda90483402fcd3d78fa4167d3bb129"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)"
}
GHSA-WPV6-5Q5M-QPH7
Vulnerability from github – Published: 2022-05-01 17:41 – Updated: 2022-05-01 17:41Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2007-0063"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-09-21T19:17:00Z",
"severity": "HIGH"
},
"details": "Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.",
"id": "GHSA-wpv6-5q5m-qph7",
"modified": "2022-05-01T17:41:31Z",
"published": "2022-05-01T17:41:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0063"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33103"
},
{
"type": "WEB",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26890"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27694"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27706"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200711-23.xml"
},
{
"type": "WEB",
"url": "http://www.iss.net/threats/275.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/25729"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1018717"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-543-1"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/ace/doc/releasenotes_ace.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/player/doc/releasenotes_player.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/player2/doc/releasenotes_player2.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/server/doc/releasenotes_server.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html"
},
{
"type": "WEB",
"url": "http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/3229"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WQ8F-46WW-6C2H
Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 22:27A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "untrusted"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-20989"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:24:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn\u0027t properly check for errors returned by untrusted. Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software. The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It\u0027s also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.",
"id": "GHSA-wq8f-46ww-6c2h",
"modified": "2023-06-13T22:27:01Z",
"published": "2021-08-25T20:43:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20989"
},
{
"type": "WEB",
"url": "https://github.com/briansmith/untrusted/pull/20"
},
{
"type": "PACKAGE",
"url": "https://github.com/briansmith/untrusted"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2018-0001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Integer underflow in untrusted"
}
GHSA-WW7R-JW8R-PPWC
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03An issue was discovered in YottaDB through r1.32 and V7.0-000. Using crafted input, attackers can cause an integer underflow of the size of calls to memset in op_fnj3 in sr_port/op_fnj3.c in order to cause a segmentation fault and crash the application. This is a "- digs" subtraction.
{
"affected": [],
"aliases": [
"CVE-2021-44489"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in YottaDB through r1.32 and V7.0-000. Using crafted input, attackers can cause an integer underflow of the size of calls to memset in op_fnj3 in sr_port/op_fnj3.c in order to cause a segmentation fault and crash the application. This is a \"- digs\" subtraction.",
"id": "GHSA-ww7r-jw8r-ppwc",
"modified": "2022-04-23T00:03:17Z",
"published": "2022-04-16T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44489"
},
{
"type": "WEB",
"url": "https://gitlab.com/YottaDB/DB/YDB/-/issues/828"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWPV-HJ37-M43G
Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file.
{
"affected": [],
"aliases": [
"CVE-2015-1208"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-09T16:29:00Z",
"severity": "MODERATE"
},
"details": "Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file.",
"id": "GHSA-wwpv-hj37-m43g",
"modified": "2022-05-14T03:47:43Z",
"published": "2022-05-14T03:47:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1208"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/chromium/issues/detail?id=444546"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/blob/n2.4.6/Changelog"
},
{
"type": "WEB",
"url": "http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3ebd76a9c57558e284e94da367dd23b435e6a6d0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WX39-GWC4-8CJF
Vulnerability from github – Published: 2022-05-01 02:03 – Updated: 2024-02-08 18:30The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.
{
"affected": [],
"aliases": [
"CVE-2005-1891"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-06-09T04:00:00Z",
"severity": "MODERATE"
},
"details": "The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.",
"id": "GHSA-wx39-gwc4-8cjf",
"modified": "2024-02-08T18:30:37Z",
"published": "2022-05-01T02:03:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1891"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=111816939928640\u0026w=2"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=111817881214343\u0026w=2"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1014145"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/13880"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.