CVE-2021-25287
Description
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Pillow before 8.2.0, a crafted JPEG 2000 image with multiple bands having different widths triggers an out-of-bounds read in J2kDecode, potentially causing information disclosure or crash.
Vulnerability
An out-of-bounds read vulnerability exists in the J2kDecode function of Pillow (Python Imaging Library) prior to version 8.2.0. The flaw resides in the j2ku_graya_la unpacker and is reachable when processing JPEG 2000 images with multiple bands (e.g., L and A) where each band may have a different width. This behavior is legal per the JPEG 2000 specification and has been present since Pillow 2.4.0 [1]. The vulnerable code path does not properly validate the total buffer size against the sum of the component byte sizes, leading to an out-of-bounds read during the shuffle stage [4].
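The following is an added illustration, not Pillow's code and not taken from the advisory. It models the failure mode the paragraph above describes: two decoded JPEG 2000 bands (L and A) whose widths legitimately differ, an unpacker that indexes the alpha band using the luma band's geometry, and the check that rejects such input before any sample is read. Component layout, function names and the sample buffers are assumptions constructed for the demonstration; in C the same arithmetic is a silent heap over-read, whereas Python raises IndexError, which the model catches to make the outcome visible.

```python
# Conceptual model of the CVE-2021-25287 failure mode (added example; not
# Pillow's j2ku_graya_la or j2k_decode_entry code). Each decoded JPEG 2000
# component carries its own width and height, and an unpacker that interleaves
# bands while assuming every band is as wide as the image reads past the end
# of a narrower band.

from dataclasses import dataclass


@dataclass
class Component:
    """One decoded band: its own geometry and a raw 8-bit sample buffer."""
    width: int
    height: int
    data: bytes


def naive_unpack_la(luma: Component, alpha: Component) -> bytes:
    """Interleave L and A samples assuming both bands share luma's geometry.

    If alpha is narrower than luma (legal per the JPEG 2000 spec), the alpha
    index runs past len(alpha.data): an IndexError here, an out-of-bounds
    heap read in native code.
    """
    out = bytearray()
    for y in range(luma.height):
        for x in range(luma.width):
            idx = y * luma.width + x
            out.append(luma.data[idx])
            out.append(alpha.data[idx])  # alpha indexed with luma geometry: unsafe
    return bytes(out)


def checked_unpack_la(luma: Component, alpha: Component) -> bytes:
    """Validate every component's buffer size and geometry before unpacking."""
    for name, comp in (("L", luma), ("A", alpha)):
        expected = comp.width * comp.height  # one byte per sample in this model
        if len(comp.data) != expected:
            raise ValueError(
                f"{name}: buffer is {len(comp.data)} bytes, expected {expected}")
        if (comp.width, comp.height) != (luma.width, luma.height):
            raise ValueError(
                f"{name}: geometry {comp.width}x{comp.height} differs from "
                f"image {luma.width}x{luma.height}")
    # Geometries and sizes are now proven consistent, so the shared-index
    # interleave cannot run past either buffer.
    return naive_unpack_la(luma, alpha)


def unpack_outcome(unpacker, luma: Component, alpha: Component) -> str:
    """Run an unpacker on a band pair and classify what happened."""
    try:
        unpacker(luma, alpha)
        return "ok"
    except IndexError:
        return "out-of-bounds read"
    except ValueError:
        return "rejected"


# Constructed sample input: a 4x2 luma band, an alpha band only 2 wide, and a
# correctly sized 4x2 alpha band.
LUMA = Component(4, 2, bytes(range(8)))
NARROW_ALPHA = Component(2, 2, bytes([0xFF] * 4))
FULL_ALPHA = Component(4, 2, bytes([0xFF] * 8))

if __name__ == "__main__":
    print("naive,   narrow alpha:", unpack_outcome(naive_unpack_la, LUMA, NARROW_ALPHA))
    print("checked, narrow alpha:", unpack_outcome(checked_unpack_la, LUMA, NARROW_ALPHA))
    print("checked, full alpha  :", unpack_outcome(checked_unpack_la, LUMA, FULL_ALPHA))
```

The defensive point is the order of operations: the size and geometry of every component are compared against the image before the interleave loop touches any buffer, so a band that is narrower than the image is rejected rather than partially read.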
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted JPEG 2000 image to an application that uses Pillow to decode it. No authentication or special privileges are required; the attacker only needs the ability to supply the malicious image file (e.g., via upload, email, or web service). The issue was discovered via OSS-Fuzz; the attack vector is network-based with low attack complexity [1][2]. The exploit does not require user interaction beyond the application opening the file.
Impact
Successful exploitation results in an out-of-bounds read of heap memory, which could lead to information disclosure (exposure of sensitive data) or a denial-of-service (application crash). The out-of-bounds read occurs in the context of the Pillow process, and the impact is limited to the data accessible from that process's heap [1][2]. Confidentiality and availability are affected, while integrity is not compromised.
Mitigation
The vulnerability is fixed in Pillow version 8.2.0, released on 2021-04-01 [1]. Users should upgrade to Pillow 8.2.0 or later. The fix includes proper bounds checking in the j2k_decode_entry function to prevent the out-of-bounds read [4]. No workaround is available for affected versions. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of June 2021.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
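As an added example for the Mitigation section above (not part of the advisory or of Pillow), the following stdlib-only script checks whether an installed Pillow falls inside the affected range published on this page (>= 2.4.0, < 8.2.0; fixed in 8.2.0). The version-string handling is an assumption made here: pre-release markers (dev, rc, a, b) are treated as preceding their final release, and post-release or local labels as the release they follow.

```python
# Added example (not from the advisory or Pillow): audit the installed Pillow
# against the CVE-2021-25287 affected range. Only the standard library is used.

import importlib
import re
from typing import Optional, Tuple

AFFECTED_LOW = (2, 4, 0)  # first affected release (advisory: >= 2.4.0)
FIXED = (8, 2, 0)         # first fixed release (advisory: 8.2.0)

# A pre-release marker must directly follow the numeric release (after an
# optional separator); "+local" labels and ".post1" are not pre-releases.
_PRE_MARKER = re.compile(r"^[.\-_]?(?:a|b|c|rc|alpha|beta|pre|preview|dev)\d*")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return (release tuple padded to three parts, is_prerelease).

    "8.1.2" -> ((8, 1, 2), False); "8.2.0.dev0" -> ((8, 2, 0), True).
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))[:3]
    release = parts + (0,) * (3 - len(parts))
    is_pre = bool(_PRE_MARKER.match(m.group(2).lower()))
    return release, is_pre


def is_affected(version: str) -> bool:
    """True if this Pillow version lies within [2.4.0, 8.2.0)."""
    release, is_pre = parse_version(version)
    if is_pre:
        # A pre-release precedes its final release: 8.2.0rc1 is still before
        # the fix, while 2.4.0rc1 is before the first affected release.
        return AFFECTED_LOW < release <= FIXED
    return AFFECTED_LOW <= release < FIXED


def installed_pillow_version() -> Optional[str]:
    """Return PIL.__version__ if Pillow is importable, else None."""
    try:
        pil = importlib.import_module("PIL")
    except ImportError:
        return None
    return getattr(pil, "__version__", None)


def audit() -> str:
    """Human-readable verdict for the Pillow found in this interpreter."""
    ver = installed_pillow_version()
    if ver is None:
        return "Pillow not installed"
    if is_affected(ver):
        return f"Pillow {ver} is affected by CVE-2021-25287: upgrade to 8.2.0 or later"
    return f"Pillow {ver} is not in the affected range"


if __name__ == "__main__":
    print(audit())
```

Because the advisory lists no workaround for affected versions, the only action the script can recommend is the upgrade; the pre-release handling matters for environments that track Pillow from source, where an 8.2.0 development build predates the fix commit.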
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 2.4.0, < 8.2.0 | 8.2.0 |
Affected products
- Pillow/Pillow, package coordinates (10 packages):
  - pkg:bitnami/pillow
  - pkg:pypi/pillow
  - pkg:rpm/almalinux/python3-pillow
  - pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
- Affected version ranges (no CPE assigned):
  - < 8.2.0
  - >= 2.4.0, < 8.2.0
  - < 5.1.1-16.el8
  - < 7.2.0-150300.3.12.1
  - < 4.2.1-3.14.1
  - < 2.8.1-4.22.1
  - < 4.2.1-3.14.1
  - < 5.2.0-3.8.1
  - < 4.2.1-3.14.1
  - < 5.2.0-3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-77gc-v2xv-rvvh (GHSA; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ (MITRE; vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-25287 (GHSA; advisory)
- security.gentoo.org/glsa/202107-33 (GHSA; vendor advisory, x_refsource_GENTOO, web)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-137.yaml (GHSA; web)
- github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 (GHSA; web)
- github.com/python-pillow/Pillow/pull/5377 (GHSA; x_refsource_MISC, web)
- github.com/python-pillow/Pillow/pull/5377/commits/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 (GHSA; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL (GHSA; web)
- pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html (GHSA; x_refsource_MISC, web)
News mentions
No linked articles in our index yet.