Unrated severityNVD Advisory· Published May 11, 2021· Updated Aug 3, 2024

CVE-2021-20311

Description

A division by zero in ImageMagick's sRGBTransformImage() before 7.0.11 can cause undefined behavior via crafted image, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A division by zero in ImageMagick's sRGBTransformImage() before 7.0.11 can cause undefined behavior via crafted image, leading to denial of service.

Vulnerability

A division by zero flaw exists in the sRGBTransformImage() function in MagickCore/colorspace.c in ImageMagick versions before 7.0.11. When processing a specially crafted image file, the function performs a division operation with a zero denominator, triggering undefined behavior. The vulnerability is reachable when an application using ImageMagick processes a malicious image provided by an attacker [1].

Exploitation

An attacker can exploit this vulnerability by submitting a crafted image file to an application that uses ImageMagick to process images. No authentication or special privileges are required; the attacker only needs the ability to supply a malicious image. The undefined behavior occurs during the sRGB color space transformation when the division by zero is encountered [1].

Impact

Successful exploitation leads to undefined behavior, which in practice often results in a denial of service (system availability). The highest threat from this vulnerability is to system availability, as the application may crash or become unresponsive. There is no indication of information disclosure or remote code execution [1].

Mitigation

The vulnerability is fixed in ImageMagick version 7.0.11 and later. Users should upgrade to this version or newer. For Red Hat Enterprise Linux, versions 6 and 7 are out of support scope, and version 8 does not ship ImageMagick, so no fix is provided for those distributions. No workarounds are documented [1].

References

Division by zero in sRGBTransformImage() in MagickCore/colorspace.c

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

ImageMagick/ImageMagickdescription
ImageMagick/Imagemagickllm-fuzzy
Range: <7.0.11
osv-coords14 versions
pkg:apk/chainguard/imagemagick-6 pkg:apk/chainguard/imagemagick-6-dev pkg:apk/chainguard/imagemagick-6-doc pkg:apk/chainguard/imagemagick-6-static pkg:rpm/opensuse/ImageMagick&distro=openSUSE%20Leap%2015.2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5
< 0+ 13 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 7.0.7.34-lp152.12.15.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 7.0.7.34-10.15.1
- (no CPE)range: < 7.0.7.34-10.15.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 7.0.7.34-150000.3.123.1
- (no CPE)range: < 6.8.8.1-71.165.1
- (no CPE)range: < 6.8.8.1-71.165.1

Patches

dc69067b7cf8

pending release

https://github.com/imagemagick/imagemagickCristyFeb 13, 2021via osv

commit

2 files changed · +19 −19

ChangeLog+2 −2 modified

@@ -1,5 +1,5 @@
-2021-02-10  7.0.11-0  <quetzlzacatenango@image...>
-  * Release ImageMagick version 7.0.11-0 GIT revision 18
+2021-02-13  7.0.11-0  <quetzlzacatenango@image...>
+  * Release ImageMagick version 7.0.11-0 GIT revision 18438:ff3ef50ab:20210213
 
 2021-02-10  7.0.11-0  <quetzlzacatenango@image...>
   * bump minor version #

index.html+17 −17 modified

@@ -5,30 +5,30 @@
 <!doctype html>
 <html lang="en">
 <head>
-  <meta charset="utf-8" >
-  <meta name="viewport" content="width=device-width, initial-scale=1" >
+  <meta charset="utf-8"  />
+  <meta name="viewport" content="width=device-width, initial-scale=1"  />
   <title>ImageMagick - Convert, Edit, or Compose Digital Images</title>
-  <meta name="application-name" content="ImageMagick">
-  <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more.">
-  <meta name="application-url" content="https://imagemagick.org">
-  <meta name="generator" content="PHP">
-  <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software">
-  <meta name="rating" content="GENERAL">
-  <meta name="robots" content="INDEX, FOLLOW">
-  <meta name="generator" content="ImageMagick Studio LLC">
-  <meta name="author" content="ImageMagick Studio LLC">
-  <meta name="revisit-after" content="2 DAYS">
-  <meta name="resource-type" content="document">
-  <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC">
-  <meta name="distribution" content="Global">
-  <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1">
+  <meta name="application-name" content="ImageMagick" />
+  <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more." />
+  <meta name="application-url" content="https://imagemagick.org" />
+  <meta name="generator" content="PHP" />
+  <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software" />
+  <meta name="rating" content="GENERAL" />
+  <meta name="robots" content="INDEX, FOLLOW" />
+  <meta name="generator" content="ImageMagick Studio LLC" />
+  <meta name="author" content="ImageMagick Studio LLC" />
+  <meta name="revisit-after" content="2 DAYS" />
+  <meta name="resource-type" content="document" />
+  <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC" />
+  <meta name="distribution" content="Global" />
+  <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" />
   <meta property='og:url' content='./' />
   <meta property='og:title' content='ImageMagick' />
   <meta property='og:image' content='./images/logo.png' />
   <meta property='og:type' content='website' />
   <meta property='og:site_name' content='ImageMagick' />
   <meta property='og:description' content="Create, Edit, Compose, or Convert Digital Images" />
-  <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4">
+  <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
   <link href="./www/index.html" rel="canonical" />
   <link href="images/wand.png" rel="icon" />
   <link href="images/wand.ico" rel="shortcut icon" />

Vulnerability mechanics

Root cause

"Missing division-by-zero guard in sRGBTransformImage() in MagickCore/colorspace.c allows undefined behavior via a crafted image."

Attack vector

An attacker crafts a malicious image file that, when processed by an application using ImageMagick (versions before 7.0.11), triggers a division-by-zero error inside `sRGBTransformImage()` in `MagickCore/colorspace.c`. The crafted image causes the denominator in a division operation to become zero, leading to undefined behavior. The primary impact is denial of service, as the undefined behavior can crash the application, affecting system availability.

Affected code

The vulnerability resides in the `sRGBTransformImage()` function within `MagickCore/colorspace.c`. The patch provided does not modify any source code in that file; it only updates an HTML index file and the ChangeLog, so the actual fix for the division-by-zero defect is not visible in this patch bundle.

What the fix does

The patch shown (commit `dc69067b7cf84c0c8abddb07649abcc566323eda`) only updates an HTML index file and the ChangeLog entry; it does not contain any source-code changes to `MagickCore/colorspace.c` or any other functional code. Therefore, the actual remediation for the division-by-zero flaw is not present in this patch bundle. The advisory indicates the fix was included in ImageMagick version 7.0.11, but the specific defensive check (e.g., verifying the divisor is non-zero before performing the division) is not shown here.

Preconditions

configThe target application must use a vulnerable version of ImageMagick (before 7.0.11).
inputThe attacker must supply a crafted image file that triggers the division-by-zero in sRGBTransformImage().

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

bugzilla.redhat.com/show_bug.cgimitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000