Home / mailingsPDF  

[USN-8135-1] Pillow vulnerabilities

Posted on 31 March 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8135-1
March 31, 2026

pillow vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Pillow.

Software Description:
- pillow: Python Imaging Library

Details:

It was discovered that Pillow did not correctly handle reading J2K files,
which could lead to an out-of-bounds read vulnerability. If a user or
automated system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 16.04 LTS. (CVE-2021-25287, CVE-2021-25288)

It was discovered that Pillow did not correctly handle certain integer
arithmetic, which could lead to a buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-25290)

It was discovered that Pillow did not correctly perform bounds checking
for certain operations. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2021-28675, CVE-2021-28676, CVE-2021-28677)

It was discovered that Pillow did not correctly handle certain memory
operations. An attacker could possibly use this issue to cause a denial
of service. (CVE-2023-44271)

It was discovered that Pillow did not correctly sanitize certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2023-50447)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
python-pil 5.1.0-1ubuntu0.8+esm2
Available with Ubuntu Pro
python3-pil 5.1.0-1ubuntu0.8+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
python-pil 3.1.2-0ubuntu1.6+esm3
Available with Ubuntu Pro
python3-pil 3.1.2-0ubuntu1.6+esm3
Available with Ubuntu Pro

Ubuntu 14.04 LTS
python-pil 2.3.0-1ubuntu3.4+esm5
Available with Ubuntu Pro
python3-pil 2.3.0-1ubuntu3.4+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8135-1
CVE-2021-25287, CVE-2021-25288, CVE-2021-25290, CVE-2021-28675,
CVE-2021-28676, CVE-2021-28677, CVE-2023-44271, CVE-2023-50447

--===============5320038305218175372==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :