CVE-2021-34552
Description
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow/PIL convert function buffer overflow via controlled parameters allows potential memory corruption; fixed in Pillow 8.3.0.
Vulnerability
A buffer overflow vulnerability exists in the Convert.c file of Pillow (through 8.2.0) and PIL (through 1.1.7). The convert function uses sprintf without bounds checking, allowing an attacker to pass controlled parameters directly into the function and trigger a buffer overflow [1][4]. This affects all versions of Pillow up to and including 8.2.0 and PIL up to 1.1.7.
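The description above attributes the overflow to unbounded sprintf into a fixed-size buffer with a caller-controlled mode string. As an added illustration that is not Pillow's Convert.c and not code from this advisory, the function below shows the bounds-checked form of that pattern: the message is written with snprintf limited to the buffer size, and the return value is checked so that an over-long mode string is reported as truncated instead of overrunning the buffer. The buffer size, message text, mode strings and function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size message buffer; the size is a constructed example value. */
#define MSG_BUF 100

/*
 * Unsafe pattern the advisory describes (shown as a comment only):
 *
 *     char buf[MSG_BUF];
 *     sprintf(buf, "conversion from %s to %s not supported", from, to);
 *
 * sprintf has no idea how large buf is, so a long `to` string writes
 * past the end of the buffer.
 */

/*
 * Bounds-checked form. Returns the message length on success, or -1 if
 * the message would not fit in buflen bytes (snprintf then stops at
 * buflen - 1 characters and NUL-terminates, never writing past buf).
 */
int format_conversion_error(char *buf, size_t buflen,
                            const char *from_mode, const char *to_mode)
{
    int n = snprintf(buf, buflen, "conversion from %s to %s not supported",
                     from_mode, to_mode);
    if (n < 0 || (size_t)n >= buflen) {
        /* n >= buflen means the full message was truncated: reject it. */
        return -1;
    }
    return n;
}

/* Ordinary mode names fit comfortably. Expected result: 38. */
int demo_short(void)
{
    char buf[MSG_BUF];
    return format_conversion_error(buf, sizeof buf, "RGB", "L");
}

/* A constructed 299-byte mode string does not fit; the call reports
 * truncation (-1) and buf is still a valid NUL-terminated string. */
int demo_long(void)
{
    char buf[MSG_BUF];
    char long_mode[300];
    memset(long_mode, 'A', sizeof long_mode - 1);
    long_mode[sizeof long_mode - 1] = '\0';
    int rc = format_conversion_error(buf, sizeof buf, "RGB", long_mode);
    /* Sanity check: the buffer was terminated within its bounds. */
    if (strlen(buf) >= sizeof buf) {
        return -2;
    }
    return rc;
}

int main(void)
{
    printf("short mode: %d\n", demo_short());
    printf("long mode:  %d\n", demo_long());
    return 0;
}
```

The two demo functions are the whole check: a short mode name yields the message length, and an over-long one yields -1 while leaving the buffer intact. In a real caller the -1 path should surface a generic error rather than echoing the untrusted string back.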
Exploitation
An attacker can exploit this vulnerability by providing crafted parameters to the convert function, typically through image processing operations that accept user-supplied arguments. No authentication is required if the application processes untrusted images. The attacker must be able to influence the parameters passed to the conversion routine, which is often possible when an application allows user-controlled image transformations [3].
Impact
Successful exploitation results in a buffer overflow, which can lead to memory corruption. This may allow an attacker to achieve arbitrary code execution or cause a denial of service, depending on the context of the application using the vulnerable library. The privilege level attained is that of the process running Pillow or PIL [2][3].
Mitigation
The vulnerability is fixed in Pillow version 8.3.0, released on 2021-07-01 [4]. Users should upgrade to Pillow 8.3.0 or later. For PIL (Python Imaging Library), no official fix exists; users are advised to migrate to Pillow. Debian LTS users can apply the patch referenced in the advisory [2]. No workaround is available for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.3.0 | 8.3.0 |
Affected products
12 products listed.
- Pillow/Pillow (from description)
- OSV coordinates (11 versions):
  - pkg:bitnami/pillow
  - pkg:pypi/pillow
  - pkg:rpm/almalinux/python3-pillow
  - pkg:rpm/opensuse/python-Pillow (distro: openSUSE Leap 15.5)
  - pkg:rpm/suse/python-Pillow (distro: HPE Helion OpenStack 8)
  - pkg:rpm/suse/python-Pillow (distro: SUSE Linux Enterprise Module for Package Hub 15 SP6)
  - pkg:rpm/suse/python-Pillow (distro: SUSE OpenStack Cloud 7)
  - pkg:rpm/suse/python-Pillow (distro: SUSE OpenStack Cloud 8)
  - pkg:rpm/suse/python-Pillow (distro: SUSE OpenStack Cloud 9)
  - pkg:rpm/suse/python-Pillow (distro: SUSE OpenStack Cloud Crowbar 8)
  - pkg:rpm/suse/python-Pillow (distro: SUSE OpenStack Cloud Crowbar 9)
- Affected version ranges (no CPE assigned):
  - >= 1.0.0, < 1.1.8
  - < 8.3.0
  - < 5.1.1-16.el8
  - < 7.2.0-150300.3.15.1
  - < 4.2.1-3.17.1
  - < 7.2.0-150300.3.15.1
  - < 2.8.1-4.25.1
  - < 4.2.1-3.17.1
  - < 5.2.0-3.11.1
  - < 4.2.1-3.17.1
  - < 5.2.0-3.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
13 references.
- github.com/advisories/GHSA-7534-mm45-c74v (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/ (mitre; vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-34552 (ghsa; ADVISORY)
- security.gentoo.org/glsa/202211-10 (ghsa; vendor-advisory, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-331.yaml (ghsa; WEB)
- github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f (ghsa; WEB)
- github.com/python-pillow/Pillow/pull/5567 (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2021/07/msg00018.html (ghsa; mailing-list, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ (ghsa; WEB)
- pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html (ghsa; WEB)
- pillow.readthedocs.io/en/stable/releasenotes/index.html (ghsa; WEB)
News mentions
No linked articles in our index yet.