CVE-2016-3076

MEDIUM

Python Pillow < 3.1.2 - Memory Corruption

Title source: rule

Description

Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.

References (3)

[Release Notes, Vendor Advisory] http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html

[Issue Tracking, Third Party Advisory, VDB Entry] https://bugzilla.redhat.com/show_bug.cgi?id=1321929

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/98042

Scores

CVSS v3 5.5

EPSS 0.0046

EPSS Percentile 63.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Classification

CWE

CWE-119

Status published

Affected Products (21)

n/a/n/a

python/pillow

... and 6 more

Timeline

Published Apr 24, 2017

Tracked Since Feb 18, 2026