CVE-2019-15939
Description
An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenCV 4.1.0 has a divide-by-zero in HOGDescriptor::getDescriptorSize() when cellSize is zero, causing FPE and crash.
The vulnerability is a divide-by-zero error in OpenCV's HOGDescriptor::getDescriptorSize() function, located in modules/objdetect/src/hog.cpp [2][4]. When the cellSize.width or cellSize.height parameters are set to zero, the division operation at line 93 results in an integer division by zero, leading to a floating point exception (FPE) [4]. The official description confirms this issue in version 4.1.0 [3].
An attacker can exploit this flaw by providing crafted input that sets cellSize dimensions to zero, for example, through maliciously crafted HOG parameters or by loading a tampered XML configuration file. The attack does not require authentication and can be triggered remotely if the application processes user-supplied data [3][4]. The lack of input validation before the division operation allows the condition to occur without any prerequisites [2].
The impact is a denial of service (DoS) via application crash caused by the FPE signal. The vulnerability does not appear to allow arbitrary code execution but can severely affect availability, especially in server environments processing untrusted images [3][4].
The issue has been fixed in OpenCV's repository via pull request #15382, which adds validation to ensure cellSize dimensions are greater than zero before performing the division [2]. Users should update to patched versions; OpenCV 4.1.0 and earlier are affected. References to the fix and issue details are available in the official advisory [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
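A caller-side guard for the condition described above, as an added example: this is not OpenCV's code and not the patch from pull request #15382. `HogParams`, `validate_hog_params` and `checked_descriptor_size` are hypothetical names, and the sample values are constructed. The example goes beyond the page by also rejecting a zero `blockStride`, which is a divisor in the same size computation.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical stand-in for HOG geometry read from untrusted configuration
// before it is handed to cv::HOGDescriptor.
struct Size2 { int width; int height; };
struct HogParams {
    Size2 winSize, blockSize, blockStride, cellSize;
    int nbins;
};

// Returns "" when every divisor is safe, otherwise a reason to log and reject.
std::string validate_hog_params(const HogParams& p) {
    if (p.cellSize.width <= 0 || p.cellSize.height <= 0)
        return "cellSize must be positive";      // the condition behind this CVE
    if (p.blockStride.width <= 0 || p.blockStride.height <= 0)
        return "blockStride must be positive";   // assumption: same class of divisor
    if (p.blockSize.width <= 0 || p.blockSize.height <= 0 || p.nbins <= 0)
        return "blockSize and nbins must be positive";
    if (p.winSize.width < p.blockSize.width || p.winSize.height < p.blockSize.height)
        return "winSize must be at least blockSize";
    if (p.blockSize.width % p.cellSize.width || p.blockSize.height % p.cellSize.height)
        return "blockSize must be a multiple of cellSize";
    if ((p.winSize.width - p.blockSize.width) % p.blockStride.width ||
        (p.winSize.height - p.blockSize.height) % p.blockStride.height)
        return "window minus block must be a multiple of blockStride";
    return "";
}

// Descriptor length: bins x cells per block x block positions per window.
// Every division runs only after validation has passed.
bool checked_descriptor_size(const HogParams& p, std::size_t& out) {
    if (!validate_hog_params(p).empty()) return false;
    out = static_cast<std::size_t>(p.nbins)
        * (p.blockSize.width / p.cellSize.width)
        * (p.blockSize.height / p.cellSize.height)
        * ((p.winSize.width - p.blockSize.width) / p.blockStride.width + 1)
        * ((p.winSize.height - p.blockSize.height) / p.blockStride.height + 1);
    return true;
}

int main() {
    HogParams p = {{64, 128}, {16, 16}, {8, 8}, {0, 8}, 9};  // constructed: zero cell width
    std::size_t n = 0;
    if (!checked_descriptor_size(p, n)) std::printf("rejected: %s\n", validate_hog_params(p).c_str());
    return 0;
}
```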
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opencv-python (PyPI) | < 4.1.1.26 | 4.1.1.26 |
| opencv-python-headless (PyPI) | < 4.1.1.26 | 4.1.1.26 |
| opencv-contrib-python (PyPI) | < 4.1.1.26 | 4.1.1.26 |
| opencv-contrib-python-headless (PyPI) | < 4.1.1.26 | 4.1.1.26 |
Affected products
- OpenCV/OpenCV (description)
- ghsa-coords (10 versions):
  - pkg:pypi/opencv-contrib-python
  - pkg:pypi/opencv-contrib-python-headless
  - pkg:pypi/opencv-python
  - pkg:pypi/opencv-python-headless
  - pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015
  - pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP2
  - pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015
  - pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP1
  - pkg:rpm/suse/opencv&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP2
- (no CPE) range: < 4.1.1.26
- (no CPE) range: < 4.1.1.26
- (no CPE) range: < 4.1.1.26
- (no CPE) range: < 4.1.1.26
- (no CPE) range: < 3.3.1-6.6.1
- (no CPE) range: < 3.3.1-6.6.1
- (no CPE) range: < 3.3.1-6.6.1
- (no CPE) range: < 3.3.1-6.6.1
- (no CPE) range: < 3.3.1-6.6.1
- (no CPE) range: < 3.3.1-6.6.1
Patches
No patches discovered yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-12/msg00025.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-hxfw-jm98-v4mq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-15939 (ghsa, ADVISORY)
- github.com/OpenCV/opencv/issues/15287 (ghsa, x_refsource_MISC, WEB)
- github.com/opencv/opencv/pull/15382 (ghsa, x_refsource_MISC, WEB)
- lists.debian.org/debian-lts-announce/2021/10/msg00028.html (ghsa, mailing-list, x_refsource_MLIST, WEB)