VYPR
Moderate severity · NVD Advisory · Published Jan 7, 2022 · Updated Aug 3, 2024

CVE-2022-22815

Description

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pillow before 9.0.0 improperly initializes ImagePath.Path, leading to an out-of-bounds read and buffer overflow.

Vulnerability

CVE-2022-22815 is an out-of-bounds read vulnerability in Pillow, a Python imaging library. The bug exists in the path_getbbox function in path.c (line 331) and is triggered during initialization of ImagePath.Path objects. The improper initialization leads to reading memory beyond allocated buffers. Affected versions are Pillow before 9.0.0, with the fix introduced in version 9.0.0 released on 2022-01-02 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted image file that is processed by ImagePath.Path. The attack requires no authentication or special privileges; the attacker only needs to convince a user or an automated system to open the malicious file with Pillow. The out-of-bounds read occurs when the getbbox method is called on the crafted path, reading from uninitialized memory [2].

Impact

Successful exploitation allows an attacker to read sensitive memory contents (information disclosure) as the out-of-bounds read may leak data from adjacent heap memory. While the primary impact is information disclosure, improper initialization (CWE-665) may also lead to application crashes or unexpected behavior under certain conditions [2][4].

Mitigation

The vulnerability is fixed in Pillow version 9.0.0 released on 2022-01-02 [2][4]. Users should upgrade to Pillow >= 9.0.0. No workaround is available for earlier versions as the fix addresses the root cause in path initialization. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of January 2022 [1][3].
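As an added defender-side check, not code from the advisory or from the Pillow project: a standard-library-only Python audit that compares a Pillow version string, whether pinned in a requirements file or read from the installed PIL module, against the 9.0.0 fix boundary named above. The sample requirements lines are constructed for illustration, and the version parser is a deliberately simplified one that compares only the numeric prefix (so a hypothetical "9.0.0.dev0" pre-release would be treated as patched).

```python
"""Audit Pillow versions against the CVE-2022-22815 fix boundary (9.0.0).

Added example; not code from the advisory or from the Pillow project.
Standard library only, so it runs offline.
"""
import re

PATCHED = (9, 0, 0)  # first fixed release named by the advisory


def parse_version(text):
    """Return the leading numeric components of a version string as a tuple.

    Only the numeric prefix is compared; pre-release/dev suffixes such as
    '8.4.0rc1' or '9.0.0.dev0' are dropped (simplification, see lead-in).
    Fewer than three components are right-padded with zeros so that
    '8.4' compares like (8, 4, 0). Non-numeric input raises ValueError.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        parts += (0,) * (3 - len(parts))
    return parts


def is_vulnerable(version):
    """True when the given Pillow version is below the 9.0.0 fix."""
    return parse_version(version) < PATCHED


def audit_requirements(lines):
    """Scan requirements-style lines and classify every Pillow entry.

    Returns a list of (spec, status) tuples. Only exact pins (==) can be
    judged as 'vulnerable' or 'patched'; range or bare specs come back as
    'unpinned' so a human can check the version that actually resolves.
    Other packages are ignored.
    """
    findings = []
    # Match 'pillow' (any case) as a whole name, then an optional operator
    # and version. The negative lookahead keeps 'pillow-simd' from matching.
    spec_re = re.compile(r"(?i)^(pillow)(?![\w-])\s*(==|>=|~=|<=|<|>)?\s*([\w.\-]+)?")
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = spec_re.match(line)
        if not m:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and ver:
            status = "vulnerable" if is_vulnerable(ver) else "patched"
        else:
            status = "unpinned"
        findings.append((line, status))
    return findings


def installed_pillow_status():
    """Report (version, is_vulnerable) for the local Pillow, or None if absent."""
    try:
        import PIL
    except ImportError:
        return None
    return (PIL.__version__, is_vulnerable(PIL.__version__))


# Constructed sample requirements file (not taken from the advisory).
SAMPLE_REQUIREMENTS = [
    "pillow==8.4.0   # last release line before the fix",
    "Pillow==9.0.0",
    "pillow>=8.0",
    "requests==2.27.1",
]

if __name__ == "__main__":
    for spec, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:10s} {spec}")
    print("installed:", installed_pillow_status())
```

Run it in the environment under review; any line reported as "vulnerable" should be bumped to 9.0.0 or later, and "unpinned" lines should be resolved (for example with `pip freeze`) and re-checked with `is_vulnerable`.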

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pillow (PyPI)
Affected versions: < 9.0.0
Patched versions: 9.0.0

Affected products: 50

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 12

News mentions: 0

No linked articles in our index yet.