CVE-2019-16865

HIGH

Pillow <6.2.0 - Memory Corruption

Title source: llm

Description

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Scores

CVSS v3 7.5
EPSS 0.0394
EPSS Percentile 88.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-770
Status published

Affected Products (4)

python/pillow < 6.2.0
fedoraproject/fedora
fedoraproject/fedora
pypi/pillow < 6.2.0 (PyPI)

Timeline

Published Oct 04, 2019
Tracked Since Feb 18, 2026