{"id":"CVE-2016-3076","details":"Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.","aliases":["GHSA-v9pc-9mvp-x87g","PYSEC-2017-92"],"modified":"2026-03-12T22:18:02.166630Z","published":"2017-04-24T18:59:00.430Z","related":["MGASA-2016-0141","SUSE-SU-2018:1174-1","SUSE-SU-2018:1191-1","SUSE-SU-2019:1321-1","openSUSE-SU-2024:10511-1","openSUSE-SU-2024:11209-1","openSUSE-SU-2024:13827-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/98042"},{"type":"ADVISORY","url":"http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1321929"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python-pillow/pillow","events":[{"introduced":"0"},{"last_affected":"80d6137c860b9322572ee1390514df1975acb2e7"},{"introduced":"0"},{"last_affected":"1ab78b8fb7e1f7078dd110bc8d9fba3cc0006e51"},{"introduced":"0"},{"last_affected":"4081f9f6a504c9d3b83237fafdecf2be042976a8"},{"introduced":"0"},{"last_affected":"68c6904c280ad872620cc8d904e6d4e6ecc5b6f9"},{"introduced":"0"},{"last_affected":"9634e437efeeda906ad6bfcc275b17732d64f32a"},{"introduced":"0"},{"last_affected":"81ebc21abfdd9d152f05d8516b17efba26e4d5b7"},{"introduced":"0"},{"last_affected":"4a8471dea18f6196161e4444ce5625f46cecd1e1"},{"introduced":"0"},{"last_affected":"9f0ec3b0d7637e04fa735d7dfb94464301b02c1e"},{"introduced":"0"},{"last_affected":"0f05eb287a223ce106848cd048cfcb45e9faa565"},{"introduced":"0"},{"last_affected":"d754598f146f868e8cd7d247b3af6cf3f3c8d510"},{"introduced":"0"},{"last_affected":"3f09b8f1715b018e8249337f1432070301c61e18"},{"introduced":"0"},{"last_affected":"0222a059d62723fe056daa17f007f87dc46595b4"},{"introduced":"0"},{"last_affected":"80672b61e8596c7d6dab7b4ef3ef1e4783902f51"},{"introduced":"0"},{"last_affected":"efe925c26f4fb78613b5ed98d488f71a723d03e8"},{"introduced":"0"},{"last_affected":"96944e2dd664efb98e25d0e86671420af26fda40"},{"introduced":"0"},{"last_affected":"445a8c06fce647249e6a832f595fcdfff1743ad0"},{"introduced":"0"},{"last_affected":"0177cceac4adfd0020ecbf49fb44ad275dcc1f51"},{"introduced":"0"},{"last_affected":"fff5536b37c2d619c66c1189b6925fa0a8df3822"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"2.5.1"},{"introduced":"0"},{"last_affected":"2.5.2"},{"introduced":"0"},{"last_affected":"2.5.3"},{"introduced":"0"},{"last_affected":"2.6.0"},{"introduced":"0"},{"last_affected":"2.6.0-rc1"},{"introduced":"0"},{"last_affected":"2.6.1"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected":"2.7.0"},{"introduced":"0"},{"last_affected":"2.8.0"},{"introduced":"0"},{"last_affected":"2.8.1"},{"introduced":"0"},{"last_affected":"2.8.2"},{"introduced":"0"},{"last_affected":"2.9.0"},{"introduced":"0"},{"last_affected":"2.9.0-dev0"},{"introduced":"0"},{"last_affected":"2.9.0-dev1"},{"introduced":"0"},{"last_affected":"2.9.0-dev2"},{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.1.0"}]}}],"versions":["1.0","1.2","1.7.6","1.7.7","1.7.8","2.0.0","2.1.0","2.2.0","2.2.1","2.2.2","2.3.0","2.5.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.0.0-rc1"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-3076.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}