CVE-2021-20176
Description
A divide-by-zero flaw in ImageMagick's gem.c allows attackers to trigger undefined behavior via a crafted file, primarily affecting system availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A divide-by-zero flaw in ImageMagick's gem.c allows attackers to trigger undefined behavior via a crafted file, primarily affecting system availability.
Vulnerability
The vulnerability is a divide-by-zero flaw in ImageMagick, located in the MagickCore/gem.c file. It affects ImageMagick versions prior to 7.0.10-56 and also version 6.9.10.23+dfsg-2.1. An attacker can trigger this flaw by submitting a crafted file that is processed by ImageMagick, leading to undefined behavior due to a division by zero. [1]
Exploitation
An attacker needs to provide a specially crafted file that, when processed by ImageMagick, reaches the vulnerable code path in gem.c. No special privileges or network access beyond the ability to submit the file are required, as the processing can occur locally or via a service that uses ImageMagick. The undefined behavior results from a math division by zero. [1]
Impact
The primary impact is on system availability, as the division by zero can cause the application to crash or enter an undefined state. While the highest threat is to availability, undefined behavior could potentially lead to other consequences, such as denial of service. The issue does not directly enable code execution or privilege escalation based on available references. [1]
Mitigation
A fix was addressed in ImageMagick version 7.0.10-56. Users should update to version 7.0.10-56 or later to resolve the issue. For version 6.9.11-57, the vulnerability was also fixed in subsequent releases. As of the publication date (2021-02-05), no workaround was provided for affected versions; updating is the recommended mitigation. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
15- ImageMagick/ImageMagickdescription
- Range: = 6.9.11-57, 7.0.10-57
- osv-coords13 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5
< 7.0.7.34-lp152.12.18.1+ 12 more
- (no CPE)range: < 7.0.7.34-lp152.12.18.1
- (no CPE)range: < 7.0.7.34-10.18.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 7.0.7.34-10.18.1
- (no CPE)range: < 7.0.7.34-10.18.1
- (no CPE)range: < 7.0.7.34-10.18.1
- (no CPE)range: < 7.0.7.34-10.18.1
- (no CPE)range: < 6.8.8.1-71.159.2
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.159.2
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.159.2
- (no CPE)range: < 6.8.8.1-71.159.2
Patches
21 file changed · +1 −1
ChangeLog+1 −1 modified@@ -1,5 +1,5 @@ 2021-01-09 6.9.11-57 <quetzlzacatenango@image...> - * Release ImageMagick version 6.9.11-57 GIT revision 16299:653bda373:20210109 + * Release ImageMagick version 6.9.11-57 GIT revision 16301:c2f75ef89:20210109 2021-01-08 6.9.11-57 <quetzlzacatenango@image...> * update automake/autoconf configuration files.
1 file changed · +1 −1
ChangeLog+1 −1 modified@@ -1,5 +1,5 @@ 2021-01-05 7.0.10-56 <quetzlzacatenango@image...> - * Release ImageMagick version 7.0.10-56 GIT revision 18190:db93320db:20210105 + * Release ImageMagick version 7.0.10-56 GIT revision 18192:2fb74f026:20210105 2021-01-05 7.0.10-56 <quetzlzacatenango@image...> * Fix rounding error for CSS colors (reference
Vulnerability mechanics
Root cause
"Missing divisor validation in MagickCore/gem.c allows a division by zero when processing a crafted image file."
Attack vector
An attacker crafts a malicious image file that, when processed by ImageMagick, triggers a division-by-zero operation in `MagickCore/gem.c` [ref_id=1]. The attacker does not require any special privileges or authentication; the only precondition is that the victim (or an automated service) opens the crafted file with ImageMagick. The division by zero causes undefined behavior, most likely resulting in a crash that denies service to legitimate users [ref_id=1].
Affected code
The vulnerability resides in `MagickCore/gem.c` within ImageMagick [ref_id=1]. The advisory identifies this file as the location of the divide-by-zero flaw, but the provided patches only update version strings in ChangeLog files and do not contain any code changes to `gem.c` or elsewhere [patch_id=2271355][patch_id=2271354].
What the fix does
The provided patches [patch_id=2271355][patch_id=2271354] only update the GIT revision strings in the ChangeLog files and do not introduce any code changes to address the divide-by-zero flaw. The advisory [ref_id=1] states that the fix is included in ImageMagick version 7.0.10-56 and later, but the actual code-level remediation in `gem.c` is not present in the supplied patch bundle. Without the substantive patch, the specific defensive logic (e.g., a divisor check or guard condition) cannot be described from this input.
Preconditions
- inputThe victim must process a crafted image file using ImageMagick.
- networkNo authentication or special network access is required; the attacker only needs to deliver the file.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- lists.debian.org/debian-lts-announce/2021/03/msg00030.htmlmitremailing-list
- lists.debian.org/debian-lts-announce/2023/05/msg00020.htmlmitremailing-list
- bugzilla.redhat.com/show_bug.cgimitre
News mentions
0No linked articles in our index yet.