High severity7.8NVD Advisory· Published Nov 4, 2016· Updated May 6, 2026

CVE-2016-9190

Description

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
PillowPyPI	< 3.3.2	3.3.2

Affected products

Python (programming language)/Pillow
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Range: <=3.3.1
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/python-pillow/Pillow/issues/2105nvdIssue TrackingPatchThird Party AdvisoryWEB
github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144afnvdIssue TrackingPatchThird Party AdvisoryWEB
pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.htmlnvdVendor AdvisoryWEB
www.debian.org/security/2016/dsa-3710nvdThird Party AdvisoryWEB
www.securityfocus.com/bid/94234nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-w4vg-rf63-f3j3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-9190ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-9.yamlghsaWEB
security.gentoo.org/glsa/201612-52nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000