CVE-2021-20309
Description
ImageMagick before 6.9.12/7.0.11 has a division-by-zero in WaveImage() leading to undefined behavior and potential denial of service via crafted image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick before 6.9.12/7.0.11 has a division-by-zero in WaveImage() leading to undefined behavior and potential denial of service via crafted image.
Vulnerability
A division by zero vulnerability exists in WaveImage() of MagickCore/visual-effects.c in ImageMagick versions before 6.9.12 and 7.0.11 [1]. This flaw can be triggered when processing a specially crafted image file, leading to undefined behavior.
Exploitation
An attacker can exploit this vulnerability by providing a malicious image file to an application that uses ImageMagick for image processing. No special privileges or network position are required beyond the ability to submit a crafted image [1].
Impact
Successful exploitation results in undefined behavior, which in this case primarily affects system availability. The highest threat is denial of service, potentially causing the application to crash or hang [1].
Mitigation
The vulnerability is fixed in ImageMagick versions 6.9.12 and 7.0.11 [1]. Users should update to these or later versions. For Red Hat Enterprise Linux, versions 6 and 7 are out of support scope, and version 8 does not ship ImageMagick, so no fix is provided for those platforms [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12- ImageMagick/ImageMagickdescription
- Range: <7.0.11 AND <6.9.12
- osv-coords10 versionspkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5
< 7.0.7.34-lp152.12.15.1+ 9 more
- (no CPE)range: < 7.0.7.34-lp152.12.15.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 7.0.7.34-10.15.1
- (no CPE)range: < 7.0.7.34-10.15.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 6.8.8.1-71.165.1
Patches
22 files changed · +19 −19
ChangeLog+2 −2 modified@@ -1,5 +1,5 @@ -2021-02-10 7.0.11-0 <quetzlzacatenango@image...> - * Release ImageMagick version 7.0.11-0 GIT revision 18 +2021-02-13 7.0.11-0 <quetzlzacatenango@image...> + * Release ImageMagick version 7.0.11-0 GIT revision 18438:ff3ef50ab:20210213 2021-02-10 7.0.11-0 <quetzlzacatenango@image...> * bump minor version #
index.html+17 −17 modified@@ -5,30 +5,30 @@ <!doctype html> <html lang="en"> <head> - <meta charset="utf-8" > - <meta name="viewport" content="width=device-width, initial-scale=1" > + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1" /> <title>ImageMagick - Convert, Edit, or Compose Digital Images</title> - <meta name="application-name" content="ImageMagick"> - <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more."> - <meta name="application-url" content="https://imagemagick.org"> - <meta name="generator" content="PHP"> - <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software"> - <meta name="rating" content="GENERAL"> - <meta name="robots" content="INDEX, FOLLOW"> - <meta name="generator" content="ImageMagick Studio LLC"> - <meta name="author" content="ImageMagick Studio LLC"> - <meta name="revisit-after" content="2 DAYS"> - <meta name="resource-type" content="document"> - <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC"> - <meta name="distribution" content="Global"> - <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1"> + <meta name="application-name" content="ImageMagick" /> + <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more." /> + <meta name="application-url" content="https://imagemagick.org" /> + <meta name="generator" content="PHP" /> + <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software" /> + <meta name="rating" content="GENERAL" /> + <meta name="robots" content="INDEX, FOLLOW" /> + <meta name="generator" content="ImageMagick Studio LLC" /> + <meta name="author" content="ImageMagick Studio LLC" /> + <meta name="revisit-after" content="2 DAYS" /> + <meta name="resource-type" content="document" /> + <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC" /> + <meta name="distribution" content="Global" /> + <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" /> <meta property='og:url' content='./' /> <meta property='og:title' content='ImageMagick' /> <meta property='og:image' content='./images/logo.png' /> <meta property='og:type' content='website' /> <meta property='og:site_name' content='ImageMagick' /> <meta property='og:description' content="Create, Edit, Compose, or Convert Digital Images" /> - <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4"> + <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" /> <link href="./www/index.html" rel="canonical" /> <link href="images/wand.png" rel="icon" /> <link href="images/wand.ico" rel="shortcut icon" />
1 file changed · +2 −2
ChangeLog+2 −2 modified@@ -1,5 +1,5 @@ -2021-02-10 6.9.12-0 <quetzlzacatenango@image...> - * Release ImageMagick version 6.9.12-0 GIT revision 16... +2021-02-13 6.9.12-0 <quetzlzacatenango@image...> + * Release ImageMagick version 6.9.12-0 GIT revision 16464:dab48bafd:20210213 2021-02-10 6.9.12-0 <quetzlzacatenango@image...> * bump minor version #.
Vulnerability mechanics
Root cause
"Division by zero in WaveImage() of MagickCore/visual-effects.c when processing a crafted image file."
Attack vector
An attacker crafts a malicious image file that, when processed by an application using ImageMagick, triggers a division by zero in the `WaveImage()` function of `MagickCore/visual-effects.c`. The attacker does not require authentication; the attack vector is network-based via submission of the crafted image file. The division by zero leads to undefined behavior, which can crash the application, resulting in a denial of service. The highest threat is to system availability.
Affected code
The vulnerability resides in the `WaveImage()` function within `MagickCore/visual-effects.c`. The patch files provided (patch_id=2271520 and patch_id=2271521) only update version metadata and do not contain a code-level fix, so the exact code path where the division by zero occurs is not shown in the supplied patches.
What the fix does
The supplied patches (patch_id=2271520 and patch_id=2271521) only update version metadata and the ChangeLog; they do not contain any code-level changes to `WaveImage()` or any other source file. The advisory states the fix was applied in ImageMagick versions 7.0.11 and 6.9.12, but the actual code correction (e.g., adding a divisor check before the division operation) is not present in the provided patch diffs. Without the code-level diff, the specific remediation cannot be described from the bundle alone.
Preconditions
- configThe target application must use ImageMagick to process user-supplied image files.
- networkThe attacker must be able to submit a crafted image file to the application (network access).
- inputThe crafted image must trigger the WaveImage() code path with a divisor value of zero.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- lists.debian.org/debian-lts-announce/2021/06/msg00000.htmlmitremailing-list
- lists.debian.org/debian-lts-announce/2023/05/msg00020.htmlmitremailing-list
- bugzilla.redhat.com/show_bug.cgimitre
News mentions
0No linked articles in our index yet.