{"id":"CVE-2016-3076","details":"Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.","aliases":["GHSA-v9pc-9mvp-x87g","PYSEC-2017-92"],"modified":"2026-05-28T04:03:15.501307457Z","published":"2017-04-24T18:59:00.430Z","related":["SUSE-SU-2018:1174-1","SUSE-SU-2018:1191-1","SUSE-SU-2019:1321-1","openSUSE-SU-2024:10511-1","openSUSE-SU-2024:11209-1","openSUSE-SU-2024:13827-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","vendor_product":"python:pillow","cpes":["cpe:2.3:a:python:pillow:3.0.0:rc1:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"3.0.0-rc1"}]}]},"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/98042"},{"type":"ADVISORY","url":"http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1321929"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python-pillow/pillow","events":[{"introduced":"0"},{"last_affected":"80d6137c860b9322572ee1390514df1975acb2e7"},{"last_affected":"1ab78b8fb7e1f7078dd110bc8d9fba3cc0006e51"},{"last_affected":"4081f9f6a504c9d3b83237fafdecf2be042976a8"},{"last_affected":"68c6904c280ad872620cc8d904e6d4e6ecc5b6f9"},{"last_affected":"9634e437efeeda906ad6bfcc275b17732d64f32a"},{"last_affected":"81ebc21abfdd9d152f05d8516b17efba26e4d5b7"},{"last_affected":"4a8471dea18f6196161e4444ce5625f46cecd1e1"},{"last_affected":"9f0ec3b0d7637e04fa735d7dfb94464301b02c1e"},{"last_affected":"0f05eb287a223ce106848cd048cfcb45e9faa565"},{"last_affected":"d754598f146f868e8cd7d247b3af6cf3f3c8d510"},{"last_affected":"3f09b8f1715b018e8249337f1432070301c61e18"},{"last_affected":"0222a059d62723fe056daa17f007f87dc46595b4"},{"last_affected":"80672b61e8596c7d6dab7b4ef3ef1e4783902f51"},{"last_affected":"efe925c26f4fb78613b5ed98d488f71a723d03e8"},{"last_affected":"96944e2dd664efb98e25d0e86671420af26fda40"},{"last_affected":"445a8c06fce647249e6a832f595fcdfff1743ad0"},{"last_affected":"0177cceac4adfd0020ecbf49fb44ad275dcc1f51"},{"last_affected":"fff5536b37c2d619c66c1189b6925fa0a8df3822"}],"database_specific":{"cpe":["cpe:2.3:a:python:pillow:2.5.0:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.5.1:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.5.2:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.5.3:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.6.0:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.6.0:rc1:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.6.1:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.6.2:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.7.0:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.8.0:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.8.1:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.8.2:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.9.0:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.9.0:dev0:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.9.0:dev1:*:*:*:*:*:*","cpe:2.3:a:python:pillow:2.9.0:dev2:*:*:*:*:*:*","cpe:2.3:a:python:pillow:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:python:pillow:3.1.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"0"},{"last_affected":"2.5.0"},{"last_affected":"2.5.1"},{"last_affected":"2.5.2"},{"last_affected":"2.5.3"},{"last_affected":"2.6.0"},{"last_affected":"2.6.0-rc1"},{"last_affected":"2.6.1"},{"last_affected":"2.6.2"},{"last_affected":"2.7.0"},{"last_affected":"2.8.0"},{"last_affected":"2.8.1"},{"last_affected":"2.8.2"},{"last_affected":"2.9.0"},{"last_affected":"2.9.0-dev0"},{"last_affected":"2.9.0-dev1"},{"last_affected":"2.9.0-dev2"},{"last_affected":"3.0.0"},{"last_affected":"3.1.0"}]}}],"versions":["3.1.0","3.1.0-rc1","3.0.0","2.9.0","2.9.0.dev2","2.9.0.dev1","2.9.0.dev0","2.8.2","2.8.1","2.8.0","2.7.0","2.6.2","2.6.1","2.6.0","2.6.0-rc1","2.5.3","2.5.2","2.5.1","2.5.0","2.3.0","2.2.1","2.2.0","2.1.0","2.0.0","1.7.8","1.7.7","1.2","1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3076.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}