PYSEC-2016-6 — Vulnetix

PYSEC-2016-6 PUBLISHED CVSS 9.300000190734863 CRITICAL

Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	pillow	0, 0, 1.0

Timeline

Apr 13, 2016 CVE Published
Nov 8, 2023 CVE Updated
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory
May 1, 2026 Security Advisory

References

https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst url
https://github.com/advisories/GHSA-8xjv-v9xq-m5h9 advisory
http://www.debian.org/security/2016/dsa-3499 advisory
https://github.com/python-pillow/Pillow/commit/893a40850c2d5da41537958e40569c029a6e127b fix
https://security.gentoo.org/glsa/201612-52 advisory

Open in Interactive Console →