CVE-2020-35655
Description
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 8.1.0 has a 4-byte buffer over-read in SGIRleDecode when decoding crafted SGI RLE images due to unsanitized offsets and length tables.
Vulnerability
Overview
In Pillow before version 8.1.0, the SgiRleDecode C decoder mishandles the offset and length tables of an SGI RLE image file, leading to a 4-byte buffer over-read [1][2]. In the SGI format a 512-byte header is followed by two tables of big-endian 32-bit entries, one start offset and one length per row per channel (ysize * zsize entries each), and only then by the RLE-compressed row data. The decoder reads those entries without first validating that the tables implied by the header's dimensions actually fit inside the data it was handed, so a crafted file whose header promises more rows or channels than the file contains makes it read one 4-byte entry past the end of the buffer [4].
Exploitation
Conditions
An attacker needs only to get a crafted SGI RLE file (the .sgi/.rgb/.bw family, recognised by the big-endian magic 474, 0x01DA) into a Pillow-based application that decodes untrusted images. No authentication or special privileges are required: Image.open() identifies the format from the header, and the vulnerable decoder runs as soon as the pixel data is loaded, which happens on load() or on any operation that reads pixels such as convert(), resize() or save() [1]. Attack complexity is low; the crafted file is the only requirement.
Impact
Successful exploitation reads up to 4 bytes beyond the end of the input buffer [1][2]. The practical outcomes are a crash (a segmentation fault if the read crosses into an unmapped page, which takes down the whole worker process rather than raising a Python exception) and, in principle, disclosure of the adjacent heap bytes to the extent the read value influences the decoder's output. Because the over-read is so small, on its own it is a denial-of-service and weak information-leak primitive; it matters most as one component of a broader attack chain, depending on the application context.
Mitigation
Pillow fixed the issue in version 8.1.0 by adding size checks for the starttab and lengthtab tables before they are allocated and read [4]. Upgrade to Pillow 8.1.0 or later, and confirm the version actually installed (PIL.__version__) rather than the one pinned in a requirements file. Distribution packages may ship the fix as a backport under an older upstream version number, as the AlmaLinux range < 5.1.1-16.el8 listed under Affected products indicates, so on RPM-based systems compare the distro package release, not the upstream version. As of early 2021 the vulnerability was patched and listed in the PyPA advisory database, with no evidence of active exploitation in the wild [3].
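As an added example, not Pillow's own code (the real decoder is C in SgiRleDecode.c), the pure-Python reader below walks the SGI RLE layout described in the Overview and applies the checks the Mitigation paragraph refers to: the header's row and channel counts must leave room for both 32-bit tables before any entry is read, each row's offset/length pair must lie inside the file, and every byte the RLE expander consumes is bounds-checked. The header field layout follows the SGI image spec; the function names, the minimal encoder, and the three sample files (one valid, one cut off mid-table, one whose first row offset points past end of file) are constructed here for illustration.

```python
# Added example, not Pillow's code: a pure-Python reader for single-channel 8-bit SGI RLE
# images carrying the bounds checks the vulnerable decoder lacked. Header layout follows
# the SGI image spec; the encoder and sample files are constructed here.
import struct

SGI_MAGIC = 474          # 0x01DA, big-endian
SGI_HEADER_SIZE = 512
RLE_COPY_FLAG = 0x80     # high bit of a control byte: literal run, copy `count` bytes
RLE_MAX_RUN = 0x7F

def parse_header(data):
    """magic(2) storage(1) bpc(1) dimension(2) xsize(2) ysize(2) zsize(2), big-endian."""
    if len(data) < SGI_HEADER_SIZE:
        raise ValueError("truncated header")
    magic, storage, bpc, _dim, xsize, ysize, zsize = struct.unpack(">HBBHHHH", data[:12])
    if magic != SGI_MAGIC:
        raise ValueError("bad magic")
    return {"storage": storage, "bpc": bpc, "xsize": xsize, "ysize": ysize, "zsize": max(zsize, 1)}

def read_tables(data, hdr):
    """Start-offset and length tables: ysize*zsize UINT32 entries each, right after the header.
    The size check is the one the advisory describes as missing before 8.1.0."""
    tablen = hdr["ysize"] * hdr["zsize"]
    need = SGI_HEADER_SIZE + 2 * 4 * tablen
    if len(data) < need:
        raise ValueError(f"tables need {need} bytes, file has {len(data)}")
    fmt = f">{tablen}I"
    return (struct.unpack_from(fmt, data, SGI_HEADER_SIZE),
            struct.unpack_from(fmt, data, SGI_HEADER_SIZE + 4 * tablen))

def expand_row(src, xsize):
    """Decode one 8-bit RLE row: control byte = count (low 7 bits) plus copy flag;
    a zero count terminates. Every read from src is bounds-checked."""
    out, i = bytearray(), 0
    while True:
        if i >= len(src):
            raise ValueError("row data ends before terminator")
        pixel, i = src[i], i + 1
        count = pixel & RLE_MAX_RUN
        if count == 0:
            break
        if len(out) + count > xsize:
            raise ValueError("run overflows row width")
        if pixel & RLE_COPY_FLAG:        # literal: the next `count` bytes are pixels
            if i + count > len(src):
                raise ValueError("literal run reads past row data")
            out += src[i:i + count]
            i += count
        else:                            # repeat: one value byte, written `count` times
            if i >= len(src):
                raise ValueError("repeat run missing its value byte")
            out += bytes([src[i]]) * count
            i += 1
    if len(out) != xsize:
        raise ValueError("row shorter than xsize")
    return bytes(out)

def decode_rle(data):
    """Decoded rows of a single-channel 8-bit RLE SGI image; ValueError if malformed."""
    hdr = parse_header(data)
    if hdr["storage"] != 1 or hdr["bpc"] != 1 or hdr["zsize"] != 1:
        raise ValueError("only single-channel 8-bit RLE is handled here")
    starts, lengths = read_tables(data, hdr)
    rows = []
    for n, (off, ln) in enumerate(zip(starts, lengths)):
        if off < SGI_HEADER_SIZE or off + ln > len(data):   # row data must lie inside the file
            raise ValueError(f"row {n}: data [{off}, {off + ln}) outside file")
        rows.append(expand_row(data[off:off + ln], hdr["xsize"]))
    return rows

def check_sgi(data):
    try:
        decode_rle(data)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)

def encode_row(row):
    """Constructed encoder: literal runs of up to 127 bytes, then the terminator."""
    chunks = [row[i:i + RLE_MAX_RUN] for i in range(0, len(row), RLE_MAX_RUN)]
    return b"".join(bytes([RLE_COPY_FLAG | len(c)]) + c for c in chunks) + b"\0"

def build_sgi_rle(rows, xsize):
    """Constructed writer: 512-byte header, both tables, then the RLE rows."""
    hdr = struct.pack(">HBBHHHH", SGI_MAGIC, 1, 1, 2, xsize, len(rows), 1).ljust(SGI_HEADER_SIZE, b"\0")
    base = SGI_HEADER_SIZE + 2 * 4 * len(rows)
    payload, starts, lengths = b"", [], []
    for enc in map(encode_row, rows):
        starts.append(base + len(payload))
        lengths.append(len(enc))
        payload += enc
    fmt = f">{len(rows)}I"
    return hdr + struct.pack(fmt, *starts) + struct.pack(fmt, *lengths) + payload

ROWS = [bytes([0, 0, 0, 255]), bytes([1, 2, 3, 4])]
GOOD = build_sgi_rle(ROWS, 4)                 # constructed: 540 bytes, decodes back to ROWS
SHORT_TABLES = GOOD[:SGI_HEADER_SIZE + 12]    # crafted: header promises 16 table bytes, file holds 12
BAD_OFFSET = bytearray(GOOD)                  # crafted: tables fit, but row 0 starts 100 bytes past EOF
struct.pack_into(">I", BAD_OFFSET, SGI_HEADER_SIZE, len(GOOD) + 100)
BAD_OFFSET = bytes(BAD_OFFSET)

if __name__ == "__main__":
    for name, blob in ("good", GOOD), ("short_tables", SHORT_TABLES), ("bad_offset", BAD_OFFSET):
        print(name, check_sgi(blob))
```

The SHORT_TABLES case is the shape of input the advisory describes: the header's ysize makes the reader expect 16 table bytes after the header while only 12 are present, so an unchecked loop would read its last 4-byte entry past the end of the buffer. The same reader doubles as a cheap pre-filter or fuzz oracle for SGI files before they are handed to an image library.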
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 4.3.0, < 8.1.0 | 8.1.0 |
Affected products
- Pillow/Pillow (no CPE), 8 OSV package coordinates with their affected ranges:
  - pkg:bitnami/pillow: >= 4.3.0, < 8.1.0
  - pkg:pypi/pillow: >= 4.3.0, < 8.1.0
  - pkg:rpm/almalinux/python3-pillow: < 5.1.1-16.el8
  - pkg:rpm/opensuse/python-CairoSVG (openSUSE Leap 15.2): < 2.5.1-lp152.2.3.1
  - pkg:rpm/opensuse/python-Pillow (openSUSE Leap 15.2): < 8.3.1-lp152.5.3.1
  - pkg:rpm/opensuse/python-Pillow (openSUSE Tumbleweed): < 8.3.2-1.2
  - pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 9): < 5.2.0-3.8.1
  - pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud Crowbar 9): < 5.2.0-3.8.1
Patches
No patches discovered yet (the two python-pillow/Pillow commits linked under References are the GHSA's fix references).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hf64-x4gq-p99h (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-35655 (GHSA, advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-71.yaml (GHSA, web)
- github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf (GHSA, web)
- github.com/python-pillow/Pillow/commit/7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46 (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD (GHSA, web)
- pillow.readthedocs.io/en/stable/releasenotes/index.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.