GHSA-xg8h-j46f-w952

Source

https://github.com/advisories/GHSA-xg8h-j46f-w952

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xg8h-j46f-w952/GHSA-xg8h-j46f-w952.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-xg8h-j46f-w952

Aliases

Related

CGA-mcc5-m7hf-h365

Published

2025-07-01T17:29:37Z

Modified

2025-07-03T06:45:24.024944Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

Pillow vulnerability can cause write buffer overflow on BCn encoding

Details

There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space.

This only affects users who save untrusted data as a compressed DDS image.

Unclear how large the potential write could be. It is likely limited by process segfault, so it's not necessarily deterministic. It may be practically unbounded.
Unclear if there's a restriction on the bytes that could be emitted. It's likely that the only restriction is that the bytes would be emitted in chunks of 8 or 16.

This was introduced in Pillow 11.2.0 when the feature was added.

Database specific

{
    "github_reviewed_at": "2025-07-01T17:29:37Z",
    "severity": "HIGH",
    "nvd_published_at": "2025-07-01T19:15:27Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-122"
    ]
}

GHSA-xg8h-j46f-w952

Affected packages

PyPI / pillow

Package

Affected ranges

Affected versions

11.*