Medium severity5.5NVD Advisory· Published Nov 4, 2016· Updated May 6, 2026

CVE-2016-9189

Description

Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pillowPyPI	< 3.3.2	3.3.2

Affected products

Python (programming language)/Pillow
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Range: <=3.3.1
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/python-pillow/Pillow/issues/2105nvdIssue TrackingPatchThird Party AdvisoryWEB
github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0fnvdIssue TrackingPatchThird Party AdvisoryWEB
pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.htmlnvdVendor AdvisoryWEB
www.debian.org/security/2016/dsa-3710nvdThird Party AdvisoryWEB
www.securityfocus.com/bid/94234nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-rwr3-c2q8-gm56ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-9189ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-8.yamlghsaWEB
security.gentoo.org/glsa/201612-52nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000