CVE-2021-28675 — Unchecked Return Value in Pillow

CWE-252 — Unchecked Return Value CWE-233 — Improper Handling of Parameters CWE-20 — Improper Input Validation10 documents7 sources

Severity

5.5MEDIUMNVD

OSV9.1

EPSS

0.1%

top 69.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Fedoraproject Fedora

Timeline

PublishedJun 2

Latest updateMar 31

Description

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDpython/pillow< 8.2.0

▶PyPIpython/pillow< 8.2.0

▶Debianpython/pillow< 8.1.2+dfsg-0.2+3

▶Ubuntupython/pillow< 2.3.0-1ubuntu3.4+esm5+2

Also affects: Fedora 33

🔴Vulnerability Details

OSV

pillow vulnerabilities↗2026-03-31

▶

GHSA

Pillow denial of service↗2021-06-08

▶

OSV

Pillow denial of service↗2021-06-08

▶

OSV

CVE-2021-28675: An issue was discovered in Pillow before 8↗2021-06-02

▶

CVEList

CVE-2021-28675: An issue was discovered in Pillow before 8↗2021-06-02

▶

📋Vendor Advisories

Ubuntu

Pillow vulnerabilities↗2026-03-31

▶

Ubuntu

Pillow vulnerabilities↗2021-05-19

▶

Red Hat

python-pillow: Excessive memory allocation in PSD image reader↗2021-04-01

▶

Debian

CVE-2021-28675: pillow - An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lack...↗2021

▶