VYPR
High severity · NVD Advisory · Published Mar 19, 2021 · Updated Aug 3, 2024

CVE-2021-25293

Description

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pillow before 8.1.1 has an out-of-bounds read in SGIRleDecode.c, enabling denial of service or memory disclosure via crafted SGI images.

Vulnerability

Overview

CVE-2021-25293 is an out-of-bounds read vulnerability in the SGI RLE decoder of the Pillow image processing library (versions prior to 8.1.1). The root cause is the absence of bounds checking in the expandrow function within SGIRleDecode.c. When decoding RLE-compressed scanlines, the code reads bytes from the source buffer without verifying that the pointer remains within the allocated memory region, leading to out-of-bounds access [1][2].
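To make the missing check in the Overview concrete, here is an added C example of a bounds-checked RLE scanline expander; it is not Pillow's expandrow and does not reproduce that function. It assumes the usual SGI RLE layout (7-bit run count, high bit marks a literal run, zero count ends the row) and uses constructed sample scanlines; the function name is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked expander for one SGI RLE scanline (not Pillow's
 * expandrow). Assumed layout: low 7 bits of a count byte = run length; high bit
 * set = copy that many literal bytes, clear = repeat the next byte; zero ends the
 * row. Returns output length, or -1 if decoding would read past src_len or
 * write past dst_len (the checks the Overview says were absent). */
int sgi_rle_expand_checked(const uint8_t *src, size_t src_len,
                           uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0;
    for (;;) {
        if (in >= src_len)              /* count byte is outside the buffer */
            return -1;
        uint8_t pixel = src[in++];
        size_t count = pixel & 0x7f;
        if (count == 0)
            return (int)out;            /* normal end of scanline */
        if (count > dst_len - out)      /* run would overflow the row buffer */
            return -1;
        if (pixel & 0x80) {
            if (count > src_len - in)   /* literal payload is truncated */
                return -1;
            memcpy(dst + out, src + in, count);
            in += count;
        } else {
            if (in >= src_len)          /* repeat value byte is missing */
                return -1;
            memset(dst + out, src[in++], count);
        }
        out += count;
    }
}

/* Constructed sample scanlines, not taken from any real SGI file. */
static const uint8_t sample_ok[]     = {0x83, 'a', 'b', 'c', 0x02, 'z', 0x00}; /* "abczz" */
static const uint8_t sample_trunc[]  = {0x83, 'a'};   /* literal run of 3, one byte present */
static const uint8_t sample_noterm[] = {0x02, 'z'};   /* repeat run, then input ends */

int main(void)
{
    uint8_t row[16];
    printf("ok:     %d\n", sgi_rle_expand_checked(sample_ok, sizeof sample_ok, row, sizeof row));
    printf("trunc:  %d\n", sgi_rle_expand_checked(sample_trunc, sizeof sample_trunc, row, sizeof row));
    printf("noterm: %d\n", sgi_rle_expand_checked(sample_noterm, sizeof sample_noterm, row, sizeof row));
    return 0;
}
```

An unchecked decoder would keep reading past the end of sample_trunc and sample_noterm; here both cases fail cleanly with -1 instead.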

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted SGI image file. The attack vector is network-based with low complexity, requires no privileges, and needs only user interaction (e.g., opening the image) [3]. By manipulating the RLE offset and length tables in the SGI header, the attacker can cause the decoder to read beyond the intended buffer boundaries during RLE chunk processing [1][2].

Impact

Successful exploitation can result in a denial of service (application crash) or, in some cases, the disclosure of sensitive memory contents (information leakage) [3][4]. The CVSS score reflects a medium severity, with potential for partial confidentiality and availability impacts.

Mitigation

The issue was addressed in Pillow version 8.1.1, released in March 2021. Users are strongly advised to upgrade to this version or later. No workarounds are available; updating the library is the only reliable fix [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions    Patched versions
Pillow (PyPI)   >= 4.3.0, < 8.1.1    8.1.1
