CVE-2016-3076

MEDIUM

Pillow 2.5.0-3.1.1 - Heap-Based Buffer Overflow in j2k_encode_entry

Title source: llm
STIX 2.1

Description

Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.

References (3)

Core 3
Core References
Release Notes, Vendor Advisory x_refsource_confirm
http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html
Issue Tracking, Third Party Advisory, VDB Entry x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1321929
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98042

Scores

CVSS v3 5.5
EPSS 0.0046
EPSS Percentile 64.1%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-119
Status published
Products (15)
pypi/pillow 2.5.0 - 3.1.2PyPI
python/pillow 2.5.0
python/pillow 2.5.1
python/pillow 2.5.2
python/pillow 2.5.3
python/pillow 2.6.0 (2 CPE variants)
python/pillow 2.6.1
python/pillow 2.6.2
python/pillow 2.7.0
python/pillow 2.8.0
... and 5 more
Published Apr 24, 2017
Tracked Since Feb 18, 2026