CVE-2021-25288
Description
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow versions before 8.2.0 have an out-of-bounds read in the J2kDecode decoder when processing JPEG 2000 images whose bands use different sample widths.
Vulnerability
An out-of-bounds (OOB) read exists in the J2kDecode decoder of Pillow (the Python Imaging Library fork) before 8.2.0, specifically in its j2ku_gray_i unpacking routine. It is triggered by JPEG 2000 (J2K) images that carry several bands whose samples have different widths, which the format permits: for example 1 byte per sample for luminance (L) alongside 4 bytes per sample for alpha (A). The bug dates to Pillow 2.4.0 [1][4].
Exploitation
An attacker crafts a J2K file whose bands have differing sample widths and gets the target to decode it. No network position or authentication is needed; this is a classic file-based bug, triggered as soon as an application decodes the untrusted image with Pillow. Note that Image.open only parses the header: the J2kDecode path runs when pixel data is loaded, for example by load(), convert(), resize() or save(). The bug was found by OSS-Fuzz, so a single crafted file reliably reproduces the read past the buffer [1][2].
Impact
Successful exploitation results in an out-of-bounds read. That can mean information disclosure when the decoded pixels, now carrying adjacent heap bytes, are handed back to the attacker (a thumbnailing or image-conversion service, for instance), or a denial of service (segmentation fault) when the read crosses into unmapped memory. The read by itself does not give the attacker code execution or elevated privileges [1][2].
Mitigation
Pillow 8.2.0, released on 2021-04-01, contains the fix [1]; upgrade to Pillow >= 8.2.0. Distribution packages ship the fix as backports under their own version numbers, so on RHEL/AlmaLinux or SUSE systems compare the installed python3-pillow or python-Pillow build against the fixed builds listed under Affected products below rather than against 8.2.0. There is no code-level workaround for older versions; if you cannot upgrade, do not decode untrusted JPEG 2000 input, or run a Pillow build without OpenJPEG, which leaves the JPEG 2000 plugin (and with it J2kDecode) unavailable. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [3].
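The Exploitation and Mitigation sections above describe a file-based bug that is only reachable through JPEG 2000 input on an affected Pillow. The following is an added example, not code from Pillow or from this advisory, of the gate a practitioner would put in front of Pillow while waiting for the upgrade: it sniffs the two prefixes Pillow's Jpeg2KImagePlugin accepts (a JP2 signature box, or a raw J2K codestream starting with the SOC and SIZ markers) and refuses such input when the installed Pillow falls in the advisory's affected range. The function names, the sample byte strings and the version-to-tuple scheme are this example's own; the version range comes from the Affected packages table.

```python
"""Pre-decode gate for untrusted JPEG 2000 input on Pillow builds affected by
CVE-2021-25288 (>= 2.4.0, < 8.2.0). Added example; not Pillow's own code."""
from __future__ import annotations

import re
from typing import Optional

# Affected range from the advisory: present since 2.4.0, fixed in 8.2.0.
# The trailing 0 is a release marker; see parse_version().
FIRST_AFFECTED = (2, 4, 0, 0)
FIXED = (8, 2, 0, 0)

# The two prefixes Pillow's JPEG 2000 plugin accepts: a JP2 signature box,
# or a bare J2K codestream opening with the SOC (FF4F) and SIZ (FF51) markers.
JP2_SIGNATURE_BOX = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
J2K_CODESTREAM = b"\xff\x4f\xff\x51"


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Reduce a Pillow version string to a comparable tuple.

    '8.1.2' -> (8, 1, 2, 0); '8.2.0.dev0' -> (8, 2, 0, -1), so a development
    snapshot sorts below the release that carries the fix.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups(default="0"))
    dev = -1 if ".dev" in version else 0
    return (major, minor, patch, dev)


def is_vulnerable(version: str) -> bool:
    """True if this Pillow version lies in the advisory's affected range.

    Versions below 2.4.0 predate Pillow's JPEG 2000 support entirely and are
    therefore outside the range, exactly as the advisory states.
    """
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def is_jpeg2000(data: bytes) -> bool:
    """Sniff a JPEG 2000 container or raw codestream from the file's first bytes."""
    return data[:12] == JP2_SIGNATURE_BOX or data[:4] == J2K_CODESTREAM


def installed_pillow_version() -> Optional[str]:
    """Version string of the Pillow importable here, or None if it is absent."""
    try:
        import PIL  # type: ignore
    except ImportError:
        return None
    # PIL.__version__ exists from 5.2.0; older builds only expose PILLOW_VERSION.
    return getattr(PIL, "__version__", None) or getattr(PIL, "PILLOW_VERSION", None)


def gate_untrusted_image(data: bytes, pillow_version: Optional[str] = None) -> tuple[bool, str]:
    """Decide whether `data` may be handed to Pillow for decoding.

    JPEG 2000 input is refused on an affected Pillow, and also when the Pillow
    version cannot be determined (fail closed). Other formats pass through to
    the caller's normal decode path. Returns (allowed, reason).
    """
    if not is_jpeg2000(data):
        return True, "not JPEG 2000; CVE-2021-25288 does not apply"
    version = pillow_version if pillow_version is not None else installed_pillow_version()
    if version is None:
        return False, "JPEG 2000 input and Pillow version unknown; refusing"
    if is_vulnerable(version):
        return False, f"JPEG 2000 input on Pillow {version} (affected, < 8.2.0); refusing"
    return True, f"JPEG 2000 input on Pillow {version} (>= 8.2.0)"


# Constructed sample prefixes (not real images): just enough bytes to exercise the sniffing.
SAMPLE_JP2 = JP2_SIGNATURE_BOX + b"\x00\x00\x00\x14ftypjp2 " + b"\x00" * 8
SAMPLE_J2K = J2K_CODESTREAM + b"\x00\x29" + b"\x00" * 39
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("jp2", SAMPLE_JP2), ("j2k", SAMPLE_J2K), ("png", SAMPLE_PNG)):
        for ver in ("2.3.0", "2.4.0", "8.1.2", "8.2.0.dev0", "8.2.0"):
            allowed, why = gate_untrusted_image(blob, ver)
            print(f"{name} / Pillow {ver:10s} -> {'allow ' if allowed else 'REJECT'} ({why})")
```

Call gate_untrusted_image(first_bytes) with no version argument to consult the Pillow actually installed in the process; the sniffing is deliberately independent of Pillow so the check still runs, and still fails closed, in an environment where Pillow cannot be imported. Files that are not JPEG 2000 are not made safe by this gate, it only removes the one decoder this CVE concerns from the attack surface.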
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 2.4.0, < 8.2.0 | 8.2.0 |
Affected products
- Pillow/Pillow

OSV package coordinates and the affected version ranges recorded for each (none of these ranges has a CPE assigned):

| Package coordinate | Distribution | Affected range |
|---|---|---|
| pkg:bitnami/pillow | | < 8.2.0 |
| pkg:pypi/pillow | | >= 2.4.0, < 8.2.0 |
| pkg:rpm/almalinux/python3-pillow | | < 5.1.1-16.el8 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Leap 15.5 | < 7.2.0-150300.3.12.1 |
| pkg:rpm/suse/python-Pillow | HPE Helion OpenStack 8 | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 7 | < 2.8.1-4.22.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 8 | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 9 | < 5.2.0-3.8.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud Crowbar 8 | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud Crowbar 9 | < 5.2.0-3.8.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rwv7-3v45-hg29 (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25288 (NVD entry)
- security.gentoo.org/glsa/202107-33 (Gentoo GLSA 202107-33)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-138.yaml (PYSEC-2021-138)
- github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 (fix commit)
- github.com/python-pillow/Pillow/pull/5377 (fix pull request)
- pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html (Pillow 8.2.0 release notes)
News mentions
No linked articles in our index yet.