CVE-2021-25290
Description
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Pillow before 8.1.1, a negative-offset memcpy in TiffDecode.c can cause memory corruption or crash.
Vulnerability
Overview
CVE-2021-25290 is a memory corruption vulnerability in Pillow, the Python Imaging Library, before version 8.1.1. The issue resides in the file TiffDecode.c, where a negative-offset memcpy operation is performed with an invalid size, leading to out-of-bounds memory access [1][2].
Exploitation and Attack Surface
An attacker can exploit this vulnerability by crafting a malicious TIFF image file that triggers the flawed decoding logic. No authentication is required, and the attack vector is local: the victim simply needs to open the crafted file using Pillow's TIFF decoder [2]. This makes it easily exploitable in scenarios where users process untrusted image files, such as web applications or email attachments.
Impact
If successfully exploited, the vulnerability can cause a denial of service (DoS) due to application crash. More critically, the memory corruption could potentially be leveraged for arbitrary code execution, depending on the system's memory layout and the attacker's ability to control the corrupted data [2].
Mitigation
Pillow version 8.1.1 includes a fix for this issue. Users are strongly advised to update to this version or later. The fix addresses the negative-offset and size validation in the TIFF decoding routine [1][3]. The official Pillow repository contains the source code fix [4]. As this vulnerability was disclosed in 2021 and a patch is available, it is recommended to apply it promptly.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.1.1 | 8.1.1 |
Affected products
Pillow/Pillow (12 entries). No CPE identifiers are listed; the 11 OSV package coordinates and their affected ranges, in the order given on the page:
- pkg:bitnami/pillow: < 8.1.1
- pkg:pypi/pillow: < 8.1.1
- pkg:rpm/almalinux/python3-pillow: < 5.1.1-16.el8
- pkg:rpm/opensuse/python-Pillow (openSUSE Leap 15.5): < 7.2.0-150300.3.15.1
- pkg:rpm/suse/python-Pillow (HPE Helion OpenStack 8): < 4.2.1-3.14.1
- pkg:rpm/suse/python-Pillow (SUSE Linux Enterprise Module for Package Hub 15 SP6): < 7.2.0-150300.3.15.1
- pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 7): < 2.8.1-4.22.1
- pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 8): < 4.2.1-3.14.1
- pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 9): < 5.2.0-3.8.1
- pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud Crowbar 8): < 4.2.1-3.14.1
- pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud Crowbar 9): < 5.2.0-3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-8xjq-8fcg-g5hw (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-25290 (NVD advisory)
- https://security.gentoo.org/glsa/202107-33 (Gentoo vendor advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-36.yaml (PyPA advisory database)
- https://github.com/python-pillow/Pillow/commit/86f02f7c70862a0954bfe8133736d352db978eaa (Pillow commit)
- https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9 (Pillow commit)
- https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html (Debian LTS mailing list)
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html (Pillow 8.1.1 release notes)
News mentions
No linked articles in our index yet.