VYPR
High severity · NVD Advisory · Published Mar 3, 2021 · Updated Aug 15, 2025

CVE-2021-27923

Description

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pillow before 8.1.2 has a flaw in ICO image processing that can cause excessive memory allocation leading to denial of service.

Vulnerability

Overview

CVE-2021-27923 is a denial of service vulnerability in the Pillow Python imaging library affecting versions prior to 8.1.2. The root cause lies in the ICO container image processing code, where the reported size of a contained image is not properly validated. When an attacker supplies a crafted ICO file with an artificially inflated size value, Pillow attempts to allocate memory proportional to that reported size, which can lead to an extremely large memory allocation [1][4].

Exploitation

An attacker can exploit this vulnerability by providing a malicious ICO file to an application that uses Pillow to process user-supplied images. No authentication or elevated privileges are required; the attack can be triggered remotely via a network or through any vector that delivers the crafted image to the vulnerable software. The flaw is classified with low attack complexity, meaning no special conditions or specific target configuration are needed to mount the attack [1].

Impact

Successful exploitation results in excessive memory consumption, causing the application or system to become unresponsive or crash. This is a standard denial of service scenario, and the vulnerability does not appear to allow code execution or data exfiltration [1][4].

Mitigation

The issue is fixed in Pillow version 8.1.2 and later. Users should upgrade their Pillow installations to version 8.1.2 or higher. As of the advisory publication date (2021-03-03), there are no known workarounds; upgrading is the recommended mitigation [1][4].
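As an added illustration of the kind of check the description calls out (this is not Pillow's code and not the 8.1.2 fix), the following Python gate parses an ICO file's directory and the header of each contained image, then refuses any file whose declared byte ranges overflow the file or whose contained image declares more pixels than a cap allows, before the bytes ever reach an image decoder. The ICONDIR, ICONDIRENTRY, BITMAPINFOHEADER and PNG IHDR layouts are the public formats; MAX_PIXELS, MAX_ENTRIES, the function names and the sample files are assumptions constructed for this example.

```python
import struct

# Hypothetical policy knobs for this example (not from Pillow or the advisory).
MAX_PIXELS = 4096 * 4096   # a legitimate icon never approaches this
MAX_ENTRIES = 64           # an ICO directory with more entries is suspicious

# On-disk layouts of the public ICO format (little-endian).
ICONDIR = struct.Struct("<HHH")            # reserved, type (1=icon, 2=cursor), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, bytes, offset
PNG_SIG = b"\x89PNG\r\n\x1a\n"


class UnsafeIco(ValueError):
    """Raised when the file claims something its bytes cannot back up."""


def contained_image_size(blob: bytes) -> tuple[int, int]:
    """Width/height that a contained image's own header declares.

    Each ICO entry is either a PNG or a headerless BMP (a bare BITMAPINFOHEADER).
    This declared size is what a decoder would size its buffers from, so it is
    read and bounded here before any decoder touches the data.
    """
    if blob.startswith(PNG_SIG):
        if len(blob) < 24:
            raise UnsafeIco("truncated PNG entry")
        w, h = struct.unpack(">II", blob[16:24])  # IHDR width, height (big-endian)
        return w, h
    if len(blob) < 12:
        raise UnsafeIco("truncated BMP entry")
    _hdr_size, w, h = struct.unpack("<Iii", blob[:12])  # biSize, biWidth, biHeight
    # biHeight covers the XOR image plus the AND mask, so the real height is half.
    return abs(w), abs(h) // 2


def check_ico(data: bytes, max_pixels: int = MAX_PIXELS) -> list[tuple[int, int]]:
    """Validate the directory and every contained image header; return declared sizes."""
    if len(data) < ICONDIR.size:
        raise UnsafeIco("shorter than an ICONDIR header")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind not in (1, 2):
        raise UnsafeIco("not an ICO/CUR header")
    if count == 0 or count > MAX_ENTRIES:
        raise UnsafeIco(f"implausible entry count {count}")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < dir_end:
        raise UnsafeIco("directory runs past end of file")
    sizes = []
    for i in range(count):
        entry = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        nbytes, offset = entry[6], entry[7]
        # The directory's byte count and offset must fit inside the bytes we hold.
        if offset < dir_end or offset + nbytes > len(data):
            raise UnsafeIco(f"entry {i}: {nbytes} bytes at offset {offset} "
                            f"exceed file length {len(data)}")
        w, h = contained_image_size(data[offset:offset + nbytes])
        # The check the advisory describes as missing: cap the declared pixel
        # count before any buffer proportional to it is allocated.
        if w * h > max_pixels:
            raise UnsafeIco(f"entry {i}: contained image declares {w}x{h} pixels")
        sizes.append((w, h))
    return sizes


def is_safe_ico(data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_ico(data)
        return True
    except UnsafeIco:
        return False


def bmp_header(width: int, height: int) -> bytes:
    """Bare 40-byte BITMAPINFOHEADER as found inside ICO entries (constructed, no pixels)."""
    return struct.pack("<IiiHHIIiiII", 40, width, height * 2, 1, 32, 0, 0, 0, 0, 0, 0)


def png_header(width: int, height: int) -> bytes:
    """PNG signature plus an IHDR chunk (constructed; CRC left zero, no image data)."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"


def build_ico(blobs: list[bytes]) -> bytes:
    """Wrap contained-image blobs in an ICO directory that describes each as 16x16."""
    offset = ICONDIR.size + len(blobs) * ICONDIRENTRY.size
    directory, body = b"", b""
    for blob in blobs:
        directory += ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(blob), offset)
        body += blob
        offset += len(blob)
    return ICONDIR.pack(0, 1, len(blobs)) + directory + body


# Constructed samples: a benign icon, and files whose contained header lies about size.
GOOD_ICO = build_ico([bmp_header(16, 16), png_header(32, 32)])
BIG_BMP_ICO = build_ico([bmp_header(100_000, 100_000)])   # directory says 16x16, BMP header disagrees
BIG_PNG_ICO = build_ico([png_header(60_000, 60_000)])
TRUNCATED_ICO = GOOD_ICO[:-10]  # directory promises bytes the file does not contain

if __name__ == "__main__":
    print("GOOD_ICO:", check_ico(GOOD_ICO))
    for name, sample in [("BIG_BMP_ICO", BIG_BMP_ICO), ("BIG_PNG_ICO", BIG_PNG_ICO),
                         ("TRUNCATED_ICO", TRUNCATED_ICO)]:
        try:
            check_ico(sample)
        except UnsafeIco as exc:
            print(f"{name}: rejected ({exc})")
```

A gate like this belongs in front of any upload path that hands user-supplied icons to an image library; it is defence in depth, not a replacement for running Pillow 8.1.2 or later, and it only reasons about headers, so a file that passes it can still fail to decode for ordinary reasons. Pillow also ships its own decompression-bomb guard, `Image.MAX_IMAGE_PIXELS`, which is a separate general limit and is not what this advisory credits as the fix.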

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pillow (PyPI)
Affected versions: < 8.1.2
Patched versions: 8.1.2

Affected products: 12

Patches: 0 (no patches discovered yet)


References: 16
