VYPR · NVD Advisory · High severity · Published Mar 3, 2021 · Updated Aug 15, 2025

CVE-2021-27921

Description

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pillow before 8.1.2 fails to validate the reported image size in BLP containers, allowing an attacker to cause excessive memory consumption and denial of service.

Description

The vulnerability in Pillow (the maintained fork of the Python Imaging Library) before version 8.1.2 arises from insufficient validation of the reported size of a contained image within a BLP (Blizzard texture) container. When decoding a specially crafted BLP file, the library trusts the dimensions declared in the container header without checking them against the data actually present, and attempts to allocate a buffer sized from those attacker-controlled values. The flaw is reached as soon as an application decodes the file, which in Pillow happens when the opened image's pixel data is first accessed, so the attack is low-complexity and needs nothing beyond getting the file in front of the decoder [1][3].

Exploitation

An attacker exploits this by crafting a BLP file whose header advertises an unrealistically large contained image. When Pillow's BLP decoder processes the file, it derives the required allocation from the attacker-supplied dimensions without comparing them against the amount of data in the file or any sane upper bound. No privileges are required beyond the ability to deliver the file (an upload endpoint, an e-mail attachment, a thumbnailing or conversion service), and no user interaction is needed beyond the application decoding it [1][2]. Because the file can be tiny while the declared size is enormous, the ratio of attacker effort to victim cost is extreme, which is what makes this class of "trust the container header" bugs attractive for denial of service.
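The pattern behind this CVE, and the check that removes it, in a minimal standalone parser. This is an added example, not Pillow's BlpImagePlugin or its actual fix: it reads only the public BLP2 header layout (magic, type, four encoding bytes, width, height, 16 mipmap offsets, 16 mipmap lengths), and the size limits, the byte-per-pixel assumption and the constructed sample files are this example's own choices. `naive_allocation` sizes buffers from the header alone, as the vulnerable code did; `checked_allocation` refuses a header whose claims are not backed by the file. It also illustrates the mitigation section's point that the only safe default is to distrust the declared size entirely.

```python
import struct

# BLP2 header layout (public format description; assumed here, not taken from Pillow):
#   magic "BLP2" (4s), type (I), encoding/alpha_depth/alpha_encoding/has_mips (4B),
#   width (I), height (I), 16 mipmap offsets (16I), 16 mipmap lengths (16I)
BLP2_HEADER = struct.Struct("<4sI4BII16I16I")
HEADER_SIZE = BLP2_HEADER.size  # 148 bytes

# Policy limits chosen for this example (assumptions, not Pillow's own values).
MAX_DIMENSION = 8192
MAX_PIXELS = 64 * 1024 * 1024
BYTES_PER_PIXEL = 4  # size of the decoded RGBA output buffer per pixel


class UntrustedHeader(ValueError):
    """Raised when header claims are not backed by the file or exceed policy."""


def build_blp2(width, height, mip_lengths, payload=b""):
    """Construct a BLP2 blob with the given header fields (test fixture, not a real texture)."""
    offsets, lengths, pos = [0] * 16, [0] * 16, HEADER_SIZE
    for i, n in enumerate(mip_lengths):
        offsets[i], lengths[i] = pos, n
        pos += n
    header = BLP2_HEADER.pack(b"BLP2", 1, 1, 8, 0, 1, width, height, *offsets, *lengths)
    return header + payload


def parse_header(blob):
    """Unpack the fixed header; validates nothing except that a header exists."""
    if len(blob) < HEADER_SIZE:
        raise UntrustedHeader("truncated header")
    f = BLP2_HEADER.unpack_from(blob, 0)
    if f[0] != b"BLP2":
        raise UntrustedHeader("bad magic")
    width, height, offsets, lengths = f[6], f[7], f[8:24], f[24:40]
    return width, height, offsets, lengths


def naive_allocation(blob):
    """Vulnerable pattern: buffer sizes come straight from attacker-controlled fields.

    Returns (output_buffer_bytes, mipmap0_read_bytes) the decoder would try to allocate.
    """
    width, height, _, lengths = parse_header(blob)
    return width * height * BYTES_PER_PIXEL, lengths[0]


def checked_allocation(blob):
    """Hardened pattern: bound every header claim by policy and by the real file size."""
    width, height, offsets, lengths = parse_header(blob)
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise UntrustedHeader(f"dimension out of range: {width}x{height}")
    if width * height > MAX_PIXELS:
        raise UntrustedHeader("pixel count exceeds policy limit")
    off, length = offsets[0], lengths[0]
    # The mipmap data must lie entirely inside the bytes we actually have.
    if length == 0 or off < HEADER_SIZE or off + length > len(blob):
        raise UntrustedHeader("mipmap 0 lies outside the file")
    # Assumption: the densest BLP2 encoding (DXT1) stores 0.5 byte per pixel,
    # so a declared image must be backed by at least that much data.
    if length * 2 < width * height:
        raise UntrustedHeader("mipmap 0 too short for the declared image")
    return width * height * BYTES_PER_PIXEL, length


def is_accepted(blob):
    """True if the hardened parser would proceed to decode this blob."""
    try:
        checked_allocation(blob)
        return True
    except UntrustedHeader:
        return False


if __name__ == "__main__":
    # Constructed samples: a 64x64 DXT1 texture (2048 bytes) and two hostile headers.
    benign = build_blp2(64, 64, [2048], payload=b"\0" * 2048)
    huge_dims = build_blp2(0x7FFFFFFF, 0x7FFFFFFF, [0xFFFFFFF0])
    huge_mip = build_blp2(4096, 4096, [0xFFFFFFF0])
    for name, blob in [("benign", benign), ("huge_dims", huge_dims), ("huge_mip", huge_mip)]:
        print(name, "naive:", naive_allocation(blob), "accepted:", is_accepted(blob))
```

The two hostile samples fail for different reasons: the first declares dimensions no policy should accept, the second declares plausible dimensions but a mipmap length far beyond the 148 bytes actually present, which is the "reported size not checked against the data" condition the advisory describes.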

Impact

Successful exploitation results in denial of service through memory exhaustion. Depending on how the allocation fails, the decoding process may die with a MemoryError, be terminated by the operating system's out-of-memory handling, or drive the host into swap and make the whole system unresponsive. The impact is greatest where Pillow decodes user-supplied images in a long-running service, such as web applications, content management systems, thumbnailing workers, or image processing pipelines: a single small upload can take down the worker handling it, and repeated uploads can keep it down [1][3].

Mitigation

The issue is fixed in Pillow version 8.1.2, and users are strongly advised to upgrade to at least that release. Gentoo's GLSA 202107-33 recommends upgrading to Pillow 8.2.0 or later, which also addresses several other vulnerabilities fixed after 8.1.2. No workaround is known other than not decoding untrusted BLP files [3][4]. In practice, applications that never expect BLP input can reduce exposure by restricting the decoders Pillow tries: since Pillow 7.1.0, Image.open() accepts a formats argument listing the plugins to attempt, so an application can limit itself to the formats it actually serves. This narrows the attack surface to the listed decoders but is not a substitute for upgrading.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
Pillow    PyPI        < 8.1.2             8.1.2
