1. Home
  2. CWE Database
  3. CWE-369
Base · Medium

CWE-369: Divide By Zero

The product divides a value by zero.

CWE-369 · Base Level ·3 CVEs

Description

The product divides a value by zero.

This weakness typically occurs when an unexpected value is provided to the product, or if an error occurs that is not properly detected. It frequently occurs in calculations involving physical dimensions such as size, length, width, and height.

Potential Impact

Availability

DoS: Crash, Exit, or Restart

Demonstrative Examples

The following Java example contains a function to compute an average but does not validate that the input value used as the denominator is not zero. This will create an exception for attempting to divide by zero. If this error is not handled by Java exception handling, unexpected results can occur.
Bad
public int computeAverageResponseTime (int totalTime, int numRequests) {return totalTime / numRequests;}
By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. The following Java code example will validate the input value, output an error message, and throw an exception.
Good
public int computeAverageResponseTime (int totalTime, int numRequests) throws ArithmeticException {if (numRequests == 0) {System.out.println("Division by zero attempted!");throw ArithmeticException;}return totalTime / numRequests;}
The following C/C++ example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur.
Bad
double divide(double x, double y){return x/y;}
By validating the input value used as the denominator the following code will ensure that a divide by zero error will not cause unexpected results. If the method is called and a zero is passed as the second argument a DivideByZero error will be thrown and should be caught by the calling block with an output message indicating the error.
Good
const int DivideByZero = 10;double divide(double x, double y){if ( 0 == y ){throw DivideByZero;}return x/y;}...try{divide(10, 0);}catch( int i ){if(i==DivideByZero) {cerr<<"Divide by zero error";}}
The following C# example contains a function that divides two numeric values without verifying that the input value used as the denominator is not zero. This will create an error for attempting to divide by zero, if this error is not caught by the error handling capabilities of the language, unexpected results can occur.
Bad
int Division(int x, int y){return (x / y);}
The method can be modified to raise, catch and handle the DivideByZeroException if the input value used as the denominator is zero.
Good
int SafeDivision(int x, int y){try{return (x / y);}catch (System.DivideByZeroException dbz){System.Console.WriteLine("Division by zero attempted!");return 0;}}

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
  • Fuzzing High — Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,

Real-World CVE Examples

CVE IDDescription
CVE-2007-3268Invalid size value leads to divide by zero.
CVE-2007-2723"Empty" content triggers divide by zero.
CVE-2007-2237Height value of 0 triggers divide by zero.

CWE-682: Incorrect Calculation

The product performs a calculation that generates incorrect or unintended results that are later used in security-critic...

Taxonomy Mappings

  • OWASP Top Ten 2004: A9 — Denial of Service
  • CERT C Secure Coding: FLP03-C — Detect and handle floating point errors
  • CERT C Secure Coding: INT33-C — Ensure that division and remainder operations do not result in divide-by-zero errors
  • The CERT Oracle Secure Coding Standard for Java (2011): NUM02-J — Ensure that division and modulo operations do not result in divide-by-zero errors
  • Software Fault Patterns: SFP1 — Glitch in computation

Frequently Asked Questions

What is CWE-369?

CWE-369 (Divide By Zero) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product divides a value by zero.

How can CWE-369 be exploited?

Attackers can exploit CWE-369 (Divide By Zero) to dos: crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-369?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-369?

CWE-369 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.