CVE-2021-20310
Description
ImageMagick before 7.0.11 has a division-by-zero in ConvertXYZToJzazbz() causing denial of service via crafted image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a division by zero in the ConvertXYZToJzazbz() function within MagickCore/colorspace.c in ImageMagick versions before 7.0.11. This can be triggered when processing a specially crafted image file, leading to undefined behavior.
Exploitation
An attacker can exploit this vulnerability by submitting a crafted image file to an application that uses ImageMagick to process images. No authentication or special privileges are required; the attacker only needs to deliver the malicious file to the target application.
Impact
Successful exploitation results in a denial of service (DoS) due to undefined behavior caused by the division by zero. The primary threat is to system availability, as the application may crash or become unresponsive.
Mitigation
The issue is fixed in ImageMagick version 7.0.11 [1]. Users should update to this version or later. For Red Hat Enterprise Linux, versions 6 and 7 are out of support scope for this flaw, and version 8 does not ship ImageMagick, so no fix is provided [1].
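A version check for the remediation above, as an added example that is not part of the original page: it parses the banner printed by `magick -version` and compares it with the fixed release 7.0.11. The function names and sample banner lines are constructed. Assumptions: only the upstream version string is compared, so distribution backports are not recognised, and 6.x versions are reported as UNKNOWN because the page names a fixed release only on the 7.x line.

```shell
#!/bin/sh
# Added example: classify an ImageMagick version against the fixed release
# named on this page (7.0.11). Function names are hypothetical.

# Pull "X.Y.Z-P" out of the first line printed by `magick -version`.
im_extract_version() {
    sed -n 's/^Version: ImageMagick \([0-9][0-9.]*\(-[0-9][0-9]*\)\{0,1\}\).*/\1/p' |
        head -n 1
}

# Print FIXED, VULNERABLE or UNKNOWN for a version such as "7.0.10-62".
im_classify() {
    ver=${1%%-*}                      # the patch level after "-" is not needed
    case "$ver" in
        ''|*[!0-9.]*) echo UNKNOWN; return ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                       # split into major minor micro
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}
    # Assumption: 6.x is left undecided, because the page names a fixed
    # release only on the 7.x line.
    if [ "$major" -lt 7 ]; then echo UNKNOWN; return; fi
    if [ "$major" -gt 7 ] || [ "$minor" -gt 0 ] || [ "$micro" -ge 11 ]; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Report on the locally installed binary (`magick` on 7.x, `convert` on 6.x).
im_check_installed() {
    for bin in magick convert; do
        command -v "$bin" >/dev/null 2>&1 || continue
        v=$("$bin" -version 2>/dev/null | im_extract_version)
        echo "$bin: ${v:-unparsed} $(im_classify "$v")"
        return 0
    done
    echo "ImageMagick not found on PATH"
}

# Constructed sample banner lines, not captured from a real host.
for line in \
    "Version: ImageMagick 7.0.10-62 Q16 x86_64 2021-01-24 https://imagemagick.org" \
    "Version: ImageMagick 7.0.11-0 Q16 x86_64 2021-02-13 https://imagemagick.org" \
    "Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org"
do
    v=$(printf '%s\n' "$line" | im_extract_version)
    echo "$v -> $(im_classify "$v")"
done
```

Call `im_check_installed` on a host to classify whichever binary is on `PATH`; an UNKNOWN result means the package's own advisory has to be consulted.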
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ImageMagick/ImageMagick (description)
  - Range: <7.0.11
- osv-coords (4 versions): pkg:apk/chainguard/imagemagick-6, pkg:apk/chainguard/imagemagick-6-dev, pkg:apk/chainguard/imagemagick-6-doc, pkg:apk/chainguard/imagemagick-6-static
  - Range: < 0 (+ 3 more)
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
Patches
2 files changed · +19 −19
ChangeLog+2 −2 modified@@ -1,5 +1,5 @@ -2021-02-10 7.0.11-0 <quetzlzacatenango@image...> - * Release ImageMagick version 7.0.11-0 GIT revision 18 +2021-02-13 7.0.11-0 <quetzlzacatenango@image...> + * Release ImageMagick version 7.0.11-0 GIT revision 18438:ff3ef50ab:20210213 2021-02-10 7.0.11-0 <quetzlzacatenango@image...> * bump minor version #
index.html+17 −17 modified@@ -5,30 +5,30 @@ <!doctype html> <html lang="en"> <head> - <meta charset="utf-8" > - <meta name="viewport" content="width=device-width, initial-scale=1" > + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1" /> <title>ImageMagick - Convert, Edit, or Compose Digital Images</title> - <meta name="application-name" content="ImageMagick"> - <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more."> - <meta name="application-url" content="https://imagemagick.org"> - <meta name="generator" content="PHP"> - <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software"> - <meta name="rating" content="GENERAL"> - <meta name="robots" content="INDEX, FOLLOW"> - <meta name="generator" content="ImageMagick Studio LLC"> - <meta name="author" content="ImageMagick Studio LLC"> - <meta name="revisit-after" content="2 DAYS"> - <meta name="resource-type" content="document"> - <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC"> - <meta name="distribution" content="Global"> - <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1"> + <meta name="application-name" content="ImageMagick" /> + <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more." 
/> + <meta name="application-url" content="https://imagemagick.org" /> + <meta name="generator" content="PHP" /> + <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software" /> + <meta name="rating" content="GENERAL" /> + <meta name="robots" content="INDEX, FOLLOW" /> + <meta name="generator" content="ImageMagick Studio LLC" /> + <meta name="author" content="ImageMagick Studio LLC" /> + <meta name="revisit-after" content="2 DAYS" /> + <meta name="resource-type" content="document" /> + <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC" /> + <meta name="distribution" content="Global" /> + <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" /> <meta property='og:url' content='./' /> <meta property='og:title' content='ImageMagick' /> <meta property='og:image' content='./images/logo.png' /> <meta property='og:type' content='website' /> <meta property='og:site_name' content='ImageMagick' /> <meta property='og:description' content="Create, Edit, Compose, or Convert Digital Images" /> - <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4"> + <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" /> <link href="./www/index.html" rel="canonical" /> <link href="images/wand.png" rel="icon" /> <link href="images/wand.ico" rel="shortcut icon" />
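Review bot: In the ChangeLog hunk, the 7.0.11-0 release entry records only the new date and the GIT revision (18438:ff3ef50ab:20210213); it has no line mentioning ConvertXYZToJzazbz() or MagickCore/colorspace.c. If this release is meant to carry the division-by-zero fix, add an entry for it under this heading so the fix can be traced from the changelog. As written, nothing in this hunk ties the commit to the CVE.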
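Review bot: In the index.html head hunk, two problems on the rewritten lines are carried over unchanged: the "generator" meta is declared twice (once with content "PHP", once with "ImageMagick Studio LLC"), and the copyright meta still reads "1999-2020" in a commit the ChangeLog dates 2021-02-13. Since every one of these lines is being touched anyway, drop one generator tag and update the year in the same pass. Under the existing doctype the added trailing slash on these meta elements changes nothing functionally, so this hunk has no bearing on the colorspace.c defect either.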
Vulnerability mechanics
Root cause
"Division by zero in ConvertXYZToJzazbz() of MagickCore/colorspace.c when processing a crafted image file."
Attack vector
An attacker crafts a malicious image file that, when processed by an application using ImageMagick (versions before 7.0.11), triggers a division by zero in the `ConvertXYZToJzazbz()` function of `MagickCore/colorspace.c`. This causes undefined behavior, which can lead to a crash and denial of service. The attack requires no special privileges—only the ability to submit a crafted image to a vulnerable ImageMagick instance.
Affected code
The vulnerability resides in the `ConvertXYZToJzazbz()` function within `MagickCore/colorspace.c`. The patch provided (commit dc69067b7cf84c0c8abddb07649abcc566323eda) does not contain any changes to source code files—it only updates HTML meta tags and a changelog entry. Therefore, the actual fix for the division-by-zero defect is not visible in this patch bundle.
What the fix does
The supplied patch (commit dc69067b7cf84c0c8abddb07649abcc566323eda) only updates HTML meta tag formatting and a changelog date; it does not include any code changes to `MagickCore/colorspace.c`. The advisory states that the fix was released in ImageMagick version 7.0.11, but the actual division-by-zero correction is not present in this diff. Without seeing the real fix, the remediation guidance is to upgrade to ImageMagick 7.0.11 or later.
Preconditions
- config: The target application must use a vulnerable version of ImageMagick (before 7.0.11) to process image files.
- input: The attacker must be able to supply a crafted image file to the vulnerable application.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_MISC)