CVE-2023-44271: Allocation of Resources Without Limits or Throttling in Pillow

Severity
NVD: 7.5 HIGH
OSV: 9.1
EPSS
0.2% (top 55.56%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 3
Latest update: Mar 31

Description

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD: python/pillow < 10.0.0
PyPI: python/pillow < 10.0.0
Debian: python/pillow < 8.1.2+dfsg-0.3+deb11u2+3
Ubuntu: python/pillow < 7.0.0-4ubuntu0.8+4
Palo Alto: paloalto/pan-os

Also affects: Fedora 38

Patches

Vulnerability Details (6)

OSV: pillow vulnerabilities (2026-03-31)
OSV: pillow vulnerabilities (2024-01-30)
OSV: CVE-2023-44271: An issue was discovered in Pillow before 10 (2023-11-03)
CVEList: CVE-2023-44271: An issue was discovered in Pillow before 10 (2023-11-03)
OSV: Pillow Denial of Service vulnerability (2023-11-03)

Vendor Advisories (6)

Ubuntu: Pillow vulnerabilities (2026-03-31)
Oracle: Oracle Financial Services Applications Risk Matrix: Common (Pillow) — CVE-2023-44271 (2024-04-15)
Palo Alto: PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-02-14)
Ubuntu: Pillow vulnerabilities (2024-01-30)
Red Hat: python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument (2023-06-30)
CVE-2023-44271 — Python Pillow vulnerability | cvebase