CVE-2021-28676
Description
An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 8.2.0 has an infinite loop in FliDecode when loading a crafted FLI image, causing denial of service.
Vulnerability
In Pillow versions prior to 8.2.0, the FliDecode function in FliDecode.c did not properly verify that the block advance was non-zero. This flaw allows a specially crafted FLI image file to trigger an infinite loop during image loading. The issue dates back to the PIL fork and was discovered via OSS-Fuzz [1][4].
Exploitation
An attacker can exploit this vulnerability by providing a malicious FLI image file to a user or application that loads it using Pillow. No authentication or special privileges are required; the victim only needs to open the crafted image using Pillow's open() or load() functions. The infinite loop occurs immediately upon processing the image data, consuming CPU resources indefinitely [2][3].
Impact
Successful exploitation results in a denial of service (DoS) condition, as the application becomes unresponsive due to the infinite loop. The attack consumes CPU resources, potentially impacting the availability of the system or service running Pillow. No data integrity or confidentiality is affected [1][3].
Mitigation
This vulnerability is fixed in Pillow version 8.2.0, released on April 1, 2021 [1]. Users should upgrade to Pillow 8.2.0 or later to mitigate the issue. No workaround is documented for older versions [3][4].
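The check the advisory describes, shown as an added example written for this page rather than Pillow's own FliDecode.c: a chunk walker in the shape of a frame decoder loop, run once without the non-zero advance check (an iteration budget stands in for the hang so the demonstration terminates) and once with it. The chunk layout, the function name walk_fli_chunks and the sample byte streams are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed chunk layout (FLI-style): 4-byte little-endian size that
 * counts the header itself, then a 2-byte chunk type, then data. */
#define CHUNK_HEADER_LEN 6

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk `len` bytes of chunk data the way a frame decoder loop does:
 * read the chunk size ("advance"), then move the cursor by it.
 *
 * check_advance == 0 reproduces the pre-8.2.0 shape: a zero size leaves
 * the cursor where it is and the loop never ends.  max_iters is a demo
 * guard so the caller sees -2 instead of a hang.
 * check_advance != 0 adds the missing validation.
 *
 * Returns the number of chunks consumed, -1 for a malformed header,
 * -2 when the iteration budget ran out (i.e. the loop would spin). */
int walk_fli_chunks(const uint8_t *data, size_t len,
                    int check_advance, unsigned max_iters) {
    size_t offset = 0;
    unsigned iters = 0;
    int count = 0;

    while (offset < len) {
        if (++iters > max_iters) {
            return -2;                        /* would loop forever */
        }
        if (len - offset < CHUNK_HEADER_LEN) {
            return -1;                        /* truncated header */
        }
        uint32_t advance = rd32le(data + offset);

        if (check_advance && advance < CHUNK_HEADER_LEN) {
            return -1;  /* zero advance (the CVE) or a size smaller than its own header */
        }
        if (advance > len - offset) {
            return -1;                        /* chunk claims to run past the buffer */
        }
        offset += advance;                    /* with advance == 0 this is a no-op */
        count++;
    }
    return count;
}

/* Constructed sample streams, not taken from any real FLI file. */
const uint8_t good_stream[] = {
    8, 0, 0, 0,  0x0f, 0x00,  0xaa, 0xbb,  /* size 8, type 0x0f, 2 data bytes */
    6, 0, 0, 0,  0x0b, 0x00,               /* size 6, type 0x0b, no data */
};
const uint8_t zero_advance_stream[] = {
    8, 0, 0, 0,  0x0f, 0x00,  0xaa, 0xbb,
    0, 0, 0, 0,  0x0b, 0x00,               /* size 0: cursor never moves */
};

int main(void) {
    printf("good, unchecked:          %d\n",
           walk_fli_chunks(good_stream, sizeof good_stream, 0, 1000));
    printf("zero advance, unchecked:  %d\n",
           walk_fli_chunks(zero_advance_stream, sizeof zero_advance_stream, 0, 1000));
    printf("zero advance, checked:    %d\n",
           walk_fli_chunks(zero_advance_stream, sizeof zero_advance_stream, 1, 1000));
    return 0;
}
```

The unchecked run returns -2 only because of the demo budget; a real decoder has no such budget, which is why the page's description calls this an infinite loop rather than a crash. The hardened branch rejects the stream at the zero-size header before any cursor movement is attempted, and also catches sizes smaller than the header, which would otherwise re-read the same bytes.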
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.2.0 | 8.2.0 |
Affected products
Pillow/Pillow, package coordinates from OSV (no CPE is recorded for these entries):

| Package coordinate | Affected range |
|---|---|
| pkg:bitnami/pillow | < 8.2.0 |
| pkg:pypi/pillow | < 8.2.0 |
| pkg:rpm/almalinux/python3-pillow | < 5.1.1-16.el8 |
| pkg:rpm/opensuse/python-Pillow (openSUSE Leap 15.5) | < 7.2.0-150300.3.12.1 |
| pkg:rpm/suse/python-Pillow (HPE Helion OpenStack 8) | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 7) | < 2.8.1-4.22.1 |
| pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 8) | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud 9) | < 5.2.0-3.8.1 |
| pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud Crowbar 8) | < 4.2.1-3.14.1 |
| pkg:rpm/suse/python-Pillow (SUSE OpenStack Cloud Crowbar 9) | < 5.2.0-3.8.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7r7m-5h27-29hp (ghsa, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ (mitre, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-28676 (ghsa, advisory)
- security.gentoo.org/glsa/202107-33 (ghsa, vendor advisory, web)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-92.yaml (ghsa, web)
- github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856 (ghsa, web)
- github.com/python-pillow/Pillow/pull/5377 (ghsa, web)
- lists.debian.org/debian-lts-announce/2021/07/msg00018.html (ghsa, mailing list, web)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL (ghsa, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL (ghsa, web)
- pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html (ghsa, web)
News mentions
No linked articles in our index yet.