CVE-2024-28219 — Integer Overflow to Buffer Overflow in Pillow

CWE-680 — Integer Overflow to Buffer Overflow CWE-120 — Classic Buffer Overflow CWE-676 — Use of Potentially Dangerous Function13 documents9 sources

Severity

5.9MEDIUMNVD

CNA6.7

EPSS

0.3%

top 50.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Debian Linux

Timeline

PublishedApr 3

Latest updateFeb 26

Description

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDpython/pillow< 10.3.0

▶PyPIpython/pillow< 10.3.0

▶Debianpython/pillow< 8.1.2+dfsg-0.3+deb11u2+3

Also affects: Debian Linux 10.0

🔴Vulnerability Details

CVEList

CVE-2024-28219: In _imagingcms↗2024-04-03

▶

OSV

Pillow buffer overflow vulnerability↗2024-04-03

▶

GHSA

Pillow buffer overflow vulnerability↗2024-04-03

▶

OSV

CVE-2024-28219: In _imagingcms↗2024-04-03

▶

📋Vendor Advisories

CISA ICS

Schneider Electric EcoStruxure Power Operation (Update A)↗2026-02-26

▶

Oracle

Oracle Oracle Communications Risk Matrix: Configuration Management Platform (Pillow) — CVE-2024-28219↗2025-04-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install (Pillow) — CVE-2024-28219↗2025-01-15

▶

Ubuntu

Pillow vulnerability↗2024-04-29

▶

Ubuntu

Pillow vulnerability↗2024-04-22

▶