CWE-369
AllowedDivide By Zero
Abstraction: Base · Status: Draft
The product divides a value by zero.
577 vulnerabilities reference this CWE, most recent first.
GHSA-QM97-G575-P78Q
Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Assign linear_pitch_alignment even for VM
[Description] Assign linear_pitch_alignment so we don't cause a divide by 0 error in VM environments
{
"affected": [],
"aliases": [
"CVE-2024-46732"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T07:15:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign linear_pitch_alignment even for VM\n\n[Description]\nAssign linear_pitch_alignment so we don\u0027t cause a divide by 0\nerror in VM environments",
"id": "GHSA-qm97-g575-p78q",
"modified": "2025-11-04T00:31:28Z",
"published": "2024-09-18T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46732"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bd7710f2fecfc5fb2dda1ca2adc69db8a66b8b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/984debc133efa05e62f5aa1a7a1dd8ca0ef041f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c44b568931d23aed9d37ecbb31fb5fbdd198bf7b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d219f902b16d42f0cb8c499ea8f31cf3c0f36349"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2fe7ac613a1ea8c346c9f5c89dc6ecc27232997"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMRV-48WX-3C53
Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 21:31In EmberZNet v9.0.2 and earlier, a malformed Level Control Step command can terminate the process through a divide-by-zero fault. This command must come from a device that has already joined the network. Only devices supporting the Level Control cluster may be impacted.
{
"affected": [],
"aliases": [
"CVE-2026-47153"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T14:16:41Z",
"severity": "HIGH"
},
"details": "In EmberZNet v9.0.2 and earlier, a malformed Level Control Step command can terminate the process through a divide-by-zero fault. This command must come from a device that has already joined the network. Only devices supporting the Level Control cluster may be impacted.",
"id": "GHSA-qmrv-48wx-3c53",
"modified": "2026-06-25T21:31:28Z",
"published": "2026-06-25T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47153"
},
{
"type": "WEB",
"url": "https://github.com/SiliconLabsSoftware/sisdk-release"
},
{
"type": "WEB",
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000pEGPQIA4?operationContext=S1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QPG3-72FQ-2RQH
Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
The isd200 sub-driver in usb-storage uses the HEADS and SECTORS values in the ATA ID information to calculate cylinder and head values when creating a CDB for READ or WRITE commands. The calculation involves division and modulus operations, which will cause a crash if either of these values is 0. While this never happens with a genuine device, it could happen with a flawed or subversive emulation, as reported by the syzbot fuzzer.
Protect against this possibility by refusing to bind to the device if either the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID information is 0. This requires isd200_Initialization() to return a negative error code when initialization fails; currently it always returns 0 (even when there is an error).
{
"affected": [],
"aliases": [
"CVE-2024-27059"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T13:15:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device\u0027s ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).",
"id": "GHSA-qpg3-72fq-2rqh",
"modified": "2026-05-12T12:31:45Z",
"published": "2024-05-01T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27059"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQJQ-59G6-GV8W
Vulnerability from github – Published: 2022-05-17 00:47 – Updated: 2022-05-17 00:47NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiCreateAllocation where untrusted user input is used as a divisor without validation while processing block linear information which may lead to a potential divide by zero and denial of service.
{
"affected": [],
"aliases": [
"CVE-2017-6271"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-22T17:29:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiCreateAllocation where untrusted user input is used as a divisor without validation while processing block linear information which may lead to a potential divide by zero and denial of service.",
"id": "GHSA-qqjq-59g6-gv8w",
"modified": "2022-05-17T00:47:33Z",
"published": "2022-05-17T00:47:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6271"
},
{
"type": "WEB",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4544"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QV87-XF2V-GGHW
Vulnerability from github – Published: 2024-11-28 00:39 – Updated: 2024-12-18 18:30In VideoFrameScheduler.cpp of VideoFrameScheduler::PLL::fit, there is a possible remote denial of service due to divide by 0. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2018-9354"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-27T23:15:04Z",
"severity": "MODERATE"
},
"details": "In VideoFrameScheduler.cpp of VideoFrameScheduler::PLL::fit, there is a\u00a0possible remote denial of service due to divide by 0. This could lead to\u00a0remote denial of service with no additional execution privileges needed.\u00a0User interaction is needed for exploitation.",
"id": "GHSA-qv87-xf2v-gghw",
"modified": "2024-12-18T18:30:50Z",
"published": "2024-11-28T00:39:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9354"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/pixel/2018-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX67-F44J-4WQ4
Vulnerability from github – Published: 2022-05-17 00:33 – Updated: 2025-04-20 03:46decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.
{
"affected": [],
"aliases": [
"CVE-2017-15025"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-05T01:29:00Z",
"severity": "MODERATE"
},
"details": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.",
"id": "GHSA-qx67-f44j-4wq4",
"modified": "2025-04-20T03:46:20Z",
"published": "2022-05-17T00:33:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15025"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22186"
},
{
"type": "WEB",
"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=d8010d3e75ec7194a4703774090b27486b742d48"
},
{
"type": "WEB",
"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QXV7-458J-GMMX
Vulnerability from github – Published: 2022-05-14 02:05 – Updated: 2022-05-14 02:05The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.
{
"affected": [],
"aliases": [
"CVE-2016-5323"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-20T15:59:00Z",
"severity": "HIGH"
},
"details": "The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.",
"id": "GHSA-qxv7-458j-gmmx",
"modified": "2022-05-14T02:05:04Z",
"published": "2022-05-14T02:05:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5323"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-16"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00017.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3762"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/15/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R35G-4525-29FQ
Vulnerability from github – Published: 2021-05-21 14:23 – Updated: 2024-10-31 20:53Impact
An attacker can cause a denial of service via a FPE runtime error in tf.raw_ops.FusedBatchNorm:
import tensorflow as tf
x = tf.constant([], shape=[1, 1, 1, 0], dtype=tf.float32)
scale = tf.constant([], shape=[0], dtype=tf.float32)
offset = tf.constant([], shape=[0], dtype=tf.float32)
mean = tf.constant([], shape=[0], dtype=tf.float32)
variance = tf.constant([], shape=[0], dtype=tf.float32)
epsilon = 0.0
exponential_avg_factor = 0.0
data_format = "NHWC"
is_training = False
tf.raw_ops.FusedBatchNorm(
x=x, scale=scale, offset=offset, mean=mean,
variance=variance, epsilon=epsilon,
exponential_avg_factor=exponential_avg_factor,
data_format=data_format, is_training=is_training)
This is because the implementation performs a division based on the last dimension of the x tensor:
const int depth = x.dimension(3);
const int rest_size = size / depth;
Since this is controlled by the user, an attacker can trigger a denial of service.
Patches
We have patched the issue in GitHub commit 1a2a87229d1d61e23a39373777c056161eb4084d.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29555"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T20:54:44Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.FusedBatchNorm`:\n\n```python\nimport tensorflow as tf\n\nx = tf.constant([], shape=[1, 1, 1, 0], dtype=tf.float32)\nscale = tf.constant([], shape=[0], dtype=tf.float32)\noffset = tf.constant([], shape=[0], dtype=tf.float32)\nmean = tf.constant([], shape=[0], dtype=tf.float32)\nvariance = tf.constant([], shape=[0], dtype=tf.float32)\nepsilon = 0.0\nexponential_avg_factor = 0.0\ndata_format = \"NHWC\"\nis_training = False\n\ntf.raw_ops.FusedBatchNorm(\n x=x, scale=scale, offset=offset, mean=mean,\n variance=variance, epsilon=epsilon,\n exponential_avg_factor=exponential_avg_factor,\n data_format=data_format, is_training=is_training)\n``` \n \nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/828f346274841fa7505f7020e88ca36c22e557ab/tensorflow/core/kernels/fused_batch_norm_op.cc#L295-L297) performs a division based on the last dimension of the `x` tensor:\n\n```cc \nconst int depth = x.dimension(3);\nconst int rest_size = size / depth;\n```\n\nSince this is controlled by the user, an attacker can trigger a denial of service.\n\n### Patches\nWe have patched the issue in GitHub commit [1a2a87229d1d61e23a39373777c056161eb4084d](https://github.com/tensorflow/tensorflow/commit/1a2a87229d1d61e23a39373777c056161eb4084d).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
"id": "GHSA-r35g-4525-29fq",
"modified": "2024-10-31T20:53:45Z",
"published": "2021-05-21T14:23:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r35g-4525-29fq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29555"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/1a2a87229d1d61e23a39373777c056161eb4084d"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-483.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-681.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-192.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Division by 0 in `FusedBatchNorm`"
}
GHSA-R46J-88X4-7J3F
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31GoPro gpmf-parser 1.5 has a division-by-zero vulnerability in GPMF_Decompress(). Parsing malicious input can result in a crash.
{
"affected": [],
"aliases": [
"CVE-2020-16160"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-19T18:15:00Z",
"severity": "HIGH"
},
"details": "GoPro gpmf-parser 1.5 has a division-by-zero vulnerability in GPMF_Decompress(). Parsing malicious input can result in a crash.",
"id": "GHSA-r46j-88x4-7j3f",
"modified": "2022-05-24T17:31:13Z",
"published": "2022-05-24T17:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16160"
},
{
"type": "WEB",
"url": "https://blog.inhq.net/posts/gopro-gpmf-parser-vuln-1"
},
{
"type": "WEB",
"url": "https://github.com/gopro/gpmf-parser/blob/2cc0af7ffee6f12934e2d57750bdf292f62b0a97/GPMF_parser.c#L1744"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R4PJ-74MG-8868
Vulnerability from github – Published: 2021-05-21 14:21 – Updated: 2024-10-30 23:16Impact
An attacker can trigger a division by 0 in tf.raw_ops.Conv2DBackpropFilter:
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 0, 1, 0], dtype=tf.float32)
filter_sizes = tf.constant([1, 1, 1, 1], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([], shape=[0, 0, 1, 1], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(input=input_tensor, filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 66, 18, 1], use_cudnn_on_gpu=True,
padding='SAME', explicit_paddings=[],
data_format='NHWC', dilations=[1, 1, 1, 1])
This is because the implementation does a modulus operation where the divisor is controlled by the caller:
if (dims->in_depth % filter_shape.dim_size(num_dims - 2)) { ... }
Patches
We have patched the issue in GitHub commit fca9874a9b42a2134f907d2fb46ab774a831404a.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29524"
],
"database_specific": {
"cwe_ids": [
"CWE-369"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T23:19:06Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropFilter`:\n\n```python\nimport tensorflow as tf\n\ninput_tensor = tf.constant([], shape=[0, 0, 1, 0], dtype=tf.float32)\nfilter_sizes = tf.constant([1, 1, 1, 1], shape=[4], dtype=tf.int32)\nout_backprop = tf.constant([], shape=[0, 0, 1, 1], dtype=tf.float32)\n\ntf.raw_ops.Conv2DBackpropFilter(input=input_tensor, filter_sizes=filter_sizes,\n out_backprop=out_backprop,\n strides=[1, 66, 18, 1], use_cudnn_on_gpu=True,\n padding=\u0027SAME\u0027, explicit_paddings=[],\n data_format=\u0027NHWC\u0027, dilations=[1, 1, 1, 1])\n``` \n \nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/496c2630e51c1a478f095b084329acedb253db6b/tensorflow/core/kernels/conv_grad_shape_utils.cc#L130) does a modulus operation where the divisor is controlled by the caller:\n\n```cc \n if (dims-\u003ein_depth % filter_shape.dim_size(num_dims - 2)) { ... }\n```\n \n### Patches\nWe have patched the issue in GitHub commit [fca9874a9b42a2134f907d2fb46ab774a831404a](https://github.com/tensorflow/tensorflow/commit/fca9874a9b42a2134f907d2fb46ab774a831404a).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n \n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
"id": "GHSA-r4pj-74mg-8868",
"modified": "2024-10-30T23:16:52Z",
"published": "2021-05-21T14:21:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r4pj-74mg-8868"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29524"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/fca9874a9b42a2134f907d2fb46ab774a831404a"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-452.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-650.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-161.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Division by 0 in `Conv2DBackpropFilter`"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.