{"id":"USN-8135-1","summary":"pillow vulnerabilities","details":"It was discovered that Pillow did not correctly handle reading J2K files,\nwhich could lead to an out-of-bounds read vulnerability. If a user or\nautomated system were tricked into opening a specially crafted file, an\nattacker could possibly use this issue to cause a denial of service. This\nissue only affected Ubuntu 16.04 LTS. (CVE-2021-25287, CVE-2021-25288)\n\nIt was discovered that Pillow did not correctly handle certain integer\narithmetic, which could lead to a buffer overflow. An attacker could\npossibly use this issue to cause a denial of service or execute arbitrary\ncode. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-25290)\n\nIt was discovered that Pillow did not correctly perform bounds checking\nfor certain operations. An attacker could possibly use this issue to\ncause a denial of service. This issue only affected Ubuntu 14.04 LTS\nand Ubuntu 16.04 LTS. (CVE-2021-28675, CVE-2021-28676, CVE-2021-28677)\n\nIt was discovered that Pillow did not correctly handle certain memory\noperations. An attacker could possibly use this issue to cause a denial\nof service. (CVE-2023-44271)\n\nIt was discovered that Pillow did not correctly sanitize certain inputs.\nAn attacker could possibly use this issue to execute arbitrary code.\n(CVE-2023-50447)","modified":"2026-04-02T19:29:21.486414786Z","published":"2026-03-31T00:19:20Z","related":["UBUNTU-CVE-2021-25287","UBUNTU-CVE-2021-25288","UBUNTU-CVE-2021-25290","UBUNTU-CVE-2021-28675","UBUNTU-CVE-2021-28676","UBUNTU-CVE-2021-28677","UBUNTU-CVE-2023-44271","UBUNTU-CVE-2023-50447"],"upstream":["CVE-2021-25287","CVE-2021-25288","CVE-2021-25290","CVE-2021-28675","CVE-2021-28676","CVE-2021-28677","CVE-2023-44271","CVE-2023-50447","UBUNTU-CVE-2021-25287","UBUNTU-CVE-2021-25288","UBUNTU-CVE-2021-25290","UBUNTU-CVE-2021-28675","UBUNTU-CVE-2021-28676","UBUNTU-CVE-2021-28677","UBUNTU-CVE-2023-44271","UBUNTU-CVE-2023-50447"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8135-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-25287"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-25288"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-25290"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-28675"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-28676"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-28677"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-44271"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-50447"}],"affected":[{"package":{"name":"pillow","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/pillow@2.3.0-1ubuntu3.4+esm5?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.3.0-1ubuntu3.4+esm5"}]}],"versions":["2.2.1-1ubuntu2","2.2.1-2ubuntu1","2.2.1-3ubuntu2","2.2.1-3ubuntu3","2.2.1-3ubuntu4","2.2.1-3ubuntu6","2.3.0-1ubuntu1","2.3.0-1ubuntu2","2.3.0-1ubuntu3","2.3.0-1ubuntu3.2","2.3.0-1ubuntu3.3","2.3.0-1ubuntu3.4","2.3.0-1ubuntu3.4+esm1","2.3.0-1ubuntu3.4+esm2","2.3.0-1ubuntu3.4+esm3","2.3.0-1ubuntu3.4+esm4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro","binaries":[{"binary_name":"python-imaging","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python-imaging-compat","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python-imaging-sane","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python-imaging-tk","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python-pil","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python-pil.imagetk","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python-sane","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python3-imaging","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python3-imaging-sane","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python3-imaging-tk","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python3-pil","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python3-pil.imagetk","binary_version":"2.3.0-1ubuntu3.4+esm5"},{"binary_name":"python3-sane","binary_version":"2.3.0-1ubuntu3.4+esm5"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-25290"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-28675"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-28676"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-28677"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2023-44271"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-50447"}],"ecosystem":"Ubuntu:Pro:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8135-1.json"}},{"package":{"name":"pillow","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/pillow@3.1.2-0ubuntu1.6+esm3?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.2-0ubuntu1.6+esm3"}]}],"versions":["2.9.0-1","3.0.0-1","3.0.0-1build1","3.1.0-1","3.1.1-1","3.1.2-0ubuntu1","3.1.2-0ubuntu1.1","3.1.2-0ubuntu1.3","3.1.2-0ubuntu1.4","3.1.2-0ubuntu1.5","3.1.2-0ubuntu1.6","3.1.2-0ubuntu1.6+esm1","3.1.2-0ubuntu1.6+esm2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"python-imaging","binary_version":"3.1.2-0ubuntu1.6+esm3"},{"binary_name":"python-pil","binary_version":"3.1.2-0ubuntu1.6+esm3"},{"binary_name":"python-pil.imagetk","binary_version":"3.1.2-0ubuntu1.6+esm3"},{"binary_name":"python3-pil","binary_version":"3.1.2-0ubuntu1.6+esm3"},{"binary_name":"python3-pil.imagetk","binary_version":"3.1.2-0ubuntu1.6+esm3"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-25287"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-25288"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-28675"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-28676"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2021-28677"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2023-44271"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-50447"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8135-1.json"}},{"package":{"name":"pillow","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/pillow@5.1.0-1ubuntu0.8+esm2?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.1.0-1ubuntu0.8+esm2"}]}],"versions":["4.1.1-3build2","4.3.0-2ubuntu1","5.0.0-1","5.1.0-1","5.1.0-1ubuntu0.2","5.1.0-1ubuntu0.3","5.1.0-1ubuntu0.4","5.1.0-1ubuntu0.5","5.1.0-1ubuntu0.6","5.1.0-1ubuntu0.7","5.1.0-1ubuntu0.8","5.1.0-1ubuntu0.8+esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"python-pil","binary_version":"5.1.0-1ubuntu0.8+esm2"},{"binary_name":"python-pil.imagetk","binary_version":"5.1.0-1ubuntu0.8+esm2"},{"binary_name":"python3-pil","binary_version":"5.1.0-1ubuntu0.8+esm2"},{"binary_name":"python3-pil.imagetk","binary_version":"5.1.0-1ubuntu0.8+esm2"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2023-44271"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2023-50447"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8135-1.json"}}],"schema_version":"1.7.5"}