CVE-2021-27922
Description
Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 8.1.2 fails to validate the reported image size in ICNS containers, leading to excessive memory allocation and denial of service.
Root Cause
Pillow, the Python Imaging Library fork, contains a denial-of-service vulnerability in its handling of ICNS (Apple Icon Image) container files. The library does not properly check the reported size of a contained image within an ICNS container [1]. This allows an attacker to craft a malicious ICNS file that advertises an extremely large image dimension, causing Pillow to attempt an enormous memory allocation [1][2].
Attack Vector
An attacker can exploit this issue by providing a specially crafted ICNS image file to an application that uses Pillow to process it. No authentication is required; the attack is triggered simply by the application attempting to open or decode the malicious file [1]. The vulnerability is present in all versions of Pillow before 8.1.2 [1][2][3].
Impact
Successful exploitation leads to uncontrolled memory consumption, potentially exhausting system resources and resulting in a denial of service (DoS) condition for the affected application or the entire host [1][3]. This can cause the application to crash or become unresponsive, disrupting services that rely on Pillow's image processing capabilities.
Mitigation
The vulnerability was patched in Pillow version 8.1.2 [1][2]. Users should upgrade to Pillow 8.1.2 or later. For users unable to upgrade, there is no known workaround [3]. The Gentoo security advisory (GLSA 202107-33) also lists this CVE and recommends upgrading to >=8.2.0 [3]. Additionally, Fedora package announcements have informed users of the fix [4].
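To make the Root Cause concrete from the defender's side, the following added example (not Pillow's code, and not a substitute for upgrading) walks an ICNS container with the standard library only and rejects any entry whose declared block length overruns the container or whose embedded PNG advertises more pixels than a budget, before any decoder would allocate a pixel buffer. The pixel budget is an assumption chosen to equal Pillow's default `MAX_IMAGE_PIXELS`; the helper functions and the sample containers are constructed for the example.

```python
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed pixel budget: equal to Pillow's default MAX_IMAGE_PIXELS (1 GiB / 4 / 3).
MAX_PIXELS = 1024 * 1024 * 1024 // 4 // 3


def reported_png_size(payload):
    """Width/height an embedded PNG advertises in its IHDR chunk, or None."""
    if len(payload) < 24 or not payload.startswith(PNG_SIGNATURE) or payload[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", payload[16:24])


def check_icns(data, max_pixels=MAX_PIXELS):
    """Validate every ICNS entry's length and advertised PNG size before decoding."""
    if len(data) < 8 or data[:4] != b"icns":
        raise ValueError("not an ICNS container")
    (total_len,) = struct.unpack(">I", data[4:8])
    if total_len > len(data):
        raise ValueError(f"header claims {total_len} bytes, {len(data)} present")
    entries, offset = [], 8
    while offset < total_len:
        if offset + 8 > total_len:
            raise ValueError("truncated entry header")
        ostype = data[offset:offset + 4]
        (block_len,) = struct.unpack(">I", data[offset + 4:offset + 8])
        # Block length covers its own 8-byte header; it must fit in the container.
        if block_len < 8 or offset + block_len > total_len:
            raise ValueError(f"entry {ostype!r} declares {block_len} bytes, past end")
        size = reported_png_size(data[offset + 8:offset + block_len])
        if size is not None:
            width, height = size
            if width * height > max_pixels:
                raise ValueError(f"entry {ostype!r} reports {width}x{height} pixels")
            entries.append((ostype, width, height))
        offset += block_len
    return entries  # (ostype, width, height) for each PNG entry that passed


def fake_png_header(width, height):
    """Constructed PNG prefix: signature plus an IHDR chunk (placeholder CRC)."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"


def build_icns(entries):
    """Constructed ICNS container from (ostype, payload) pairs, for testing."""
    body = b"".join(t + struct.pack(">I", 8 + len(p)) + p for t, p in entries)
    return b"icns" + struct.pack(">I", 8 + len(body)) + body
```

Raw-pixel entry types (such as `is32`) carry no size field and are only length-checked here; a complete pre-filter would also bound them from the fixed per-type dimension table.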
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.1.2 | 8.1.2 |
Affected products
Pillow/Pillow, 11 version ranges from OSV coordinates (no CPE assigned):

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:bitnami/pillow | | < 8.1.1 |
| pkg:pypi/pillow | | < 8.1.2 |
| pkg:rpm/almalinux/python3-pillow | | < 5.1.1-16.el8 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Leap 15.5 | < 7.2.0-150300.3.15.1 |
| pkg:rpm/suse/python-Pillow | HPE Helion OpenStack 8 | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow | SUSE Linux Enterprise Module for Package Hub 15 SP6 | < 7.2.0-150300.3.15.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 7 | < 2.8.1-4.22.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 8 | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 9 | < 5.2.0-3.8.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud Crowbar 8 | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud Crowbar 9 | < 5.2.0-3.8.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3wvg-mj6g-m9cv (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/ (MITRE, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/ (MITRE, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-27922 (GHSA, advisory)
- security.gentoo.org/glsa/202107-33 (GHSA, vendor advisory, web)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-41.yaml (GHSA, web)
- github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973 (GHSA, web)
- pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html (GHSA, web)
- pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html (GHSA, web)
News mentions
No linked articles in our index yet.