CVE-2021-25291
Description
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 8.1.1 has an out-of-bounds read in TiffDecode.c via invalid tile boundaries during TIFF RGB(A) tile decoding.
Vulnerability
Description
The flaw resides in the TiffDecode.c file of Pillow, the Python Imaging Library fork. When decoding a TIFF image that uses tiles (as opposed to strips), the function TiffreadRGBATile does not properly validate tile boundary coordinates [1]. An attacker can craft a malicious TIFF file with invalid tile offsets or dimensions, leading to an out-of-bounds read (OOB read) [1][2].
Exploitation
Conditions
Exploitation requires the attacker to supply a specially crafted TIFF file to an application that uses Pillow to decode it. No special privileges or network position is necessary beyond the ability to deliver the file (e.g., via upload, email, or download). The vulnerability is triggered during the decoding process, meaning user interaction such as opening or processing the image is sufficient [2].
Impact
An out-of-bounds read can leak sensitive heap memory contents that may include data from other parts of the application, potentially aiding in further exploitation. In some cases, this memory access violation can lead to a denial of service (application crash) [1][2]. The severity is rated as high given the potential for information disclosure and system instability.
Mitigation
The vulnerability was patched in Pillow version 8.1.1 [1][3]. Users are strongly advised to upgrade to the latest release. No workaround is known, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
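As an added example (not part of this CVE record and not Pillow's own code), the check below is what a maintainer would run to find Pillow pins that sit below the fixed release named above: it compares version strings against 8.1.1, scans a requirements file for exact pins, and reports the interpreter's installed Pillow if one is present. The fixed version is taken from the advisory text; the requirements text is a constructed sample, and the `< 8.2.0` range from the affected-packages table can be passed as the `fixed` argument instead.

```python
"""Version gate for CVE-2021-25291: flag Pillow pins/installs older than the fix.
Added example, not part of the CVE record. FIXED_VERSION assumes the 8.1.1 release
quoted in the advisory text."""
import re
from importlib import metadata

FIXED_VERSION = "8.1.1"

# Matches the Pillow requirement name (with optional extras) but not pillow-heif etc.
NAME_RE = re.compile(r"^pillow(?![\w.-])", re.IGNORECASE)
# Matches an exact pin such as "Pillow==8.0.1" and captures the version.
PIN_RE = re.compile(r"^pillow(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#,]*)", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '8.1.1', 'v8.1', or '8.1.1rc1' into a comparable tuple.
    Only the numeric release segment is ordered; a pre-release tag (a, b, rc, dev)
    sorts just below the final release with the same numbers."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))  # (8, 1) == (8, 1, 0)
    suffix = m.group(2).strip().lower()
    is_final = 0 if re.match(r"^[.-]?(a|b|rc|dev|alpha|beta)", suffix) else 1
    return release + (is_final,)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def scan_requirements(text: str, fixed: str = FIXED_VERSION) -> list:
    """Return (line_no, version) for every exact Pillow pin below the fix.
    A Pillow line that is unpinned or uses a range is reported with version None
    so a reviewer resolves it by hand instead of it being silently skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not NAME_RE.match(stripped):
            continue
        m = PIN_RE.match(stripped)
        if m is None:
            findings.append((n, None))
        elif is_affected(m.group(1), fixed):
            findings.append((n, m.group(1)))
    return findings


def installed_pillow_affected(fixed: str = FIXED_VERSION):
    """Check the Pillow installed in this interpreter; None when it is absent."""
    try:
        installed = metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None
    return is_affected(installed, fixed)


# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
Pillow==8.0.1          # below the fix
pillow-heif==0.1.0     # a different package, ignored
numpy>=1.19
pillow>=8.0            # range pin: reported for manual review
"""

if __name__ == "__main__":
    for line_no, ver in scan_requirements(SAMPLE_REQUIREMENTS):
        print(line_no, ver or "unpinned or range pin: review manually")
    print("installed Pillow affected:", installed_pillow_affected())
```

Run it as a script to see the constructed sample flagged, or import `scan_requirements` into a CI step and fail the build when it returns anything.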
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.2.0 | 8.2.0 |
Affected products
- Pillow/Pillow: < 8.1.1
  - pkg:bitnami/pillow
  - pkg:pypi/pillow
  - pkg:rpm/opensuse/python-CairoSVG&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 8.1.1
- (no CPE) range: < 8.2.0
- (no CPE) range: < 2.5.1-lp152.2.3.1
- (no CPE) range: < 8.3.1-lp152.5.3.1
- (no CPE) range: < 8.3.2-1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mvg9-xffr-p774 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25291 (ghsa; ADVISORY)
- security.gentoo.org/glsa/202107-33 (ghsa; vendor-advisory, x_refsource_GENTOO; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-37.yaml (ghsa; WEB)
- github.com/python-pillow/Pillow/commit/8b8076bdcb3815be0ef0d279651d8d1342b8ea61 (ghsa; WEB)
- github.com/python-pillow/Pillow/commit/cbdce6c5d054fccaf4af34b47f212355c64ace7a (ghsa; WEB)
- pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html (ghsa; x_refsource_MISC; WEB)
News mentions
No linked articles in our index yet.