CVE-2022-22816
Description
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-22816 is a buffer over-read in Pillow's ImagePath.Path initialization affecting versions before 9.0.0, enabling information disclosure.
Vulnerability
In Pillow (Pillow) before 9.0.0, the function path_getbbox in src/path.c suffers from a buffer over-read (CWE-665) during initialization of ImagePath.Path. The issue is fixed in version 9.0.0 (released 2022-01-02) [1][4]. The vulnerable code path is triggered when creating an ImagePath.Path object with certain array inputs, leading to out-of-bounds memory access.
Exploitation
An attacker can trigger the vulnerability by crafting a malformed array and passing it to ImagePath.Path initializer. No authentication or special privileges are required; the attack vector is network-based with low attack complexity [2]. The attacker must only supply a specially crafted input that causes the internal path initialization logic to read beyond the allocated buffer.
Impact
Successful exploitation allows an attacker to read adjacent memory, potentially leaking sensitive information from the process's address space. This information disclosure could expose secrets such as cryptographic keys, credentials, or other confidential data handled by the same Python process [1][2][3].
Mitigation
Users should upgrade to Pillow 9.0.0 or later, which contains the fix [1][4]. The fix is included in the official release and backported to security-supported branches. No workaround is available for unpatched versions; upgrading immediately is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pillowPyPI | < 9.0.0 | 9.0.0 |
Affected products
54- Pillow/Pillowdescription
- osv-coords53 versionspkg:bitnami/pillowpkg:pypi/pillowpkg:rpm/almalinux/python3-pillowpkg:rpm/almalinux/python3-pillow-develpkg:rpm/almalinux/python3-pillow-docpkg:rpm/almalinux/python3-pillow-tkpkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/ardana-barbican&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-barbican&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-lxml&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-lxml&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-XStatic-jquery-ui&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-XStatic-jquery-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/rubygem-sinatra&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%209
< 9.0.0+ 52 more
- (no CPE)range: < 9.0.0
- (no CPE)range: < 9.0.0
- (no CPE)range: < 5.1.1-18.el8_5
- (no CPE)range: < 5.1.1-18.el8_5
- (no CPE)range: < 5.1.1-18.el8_5
- (no CPE)range: < 5.1.1-18.el8_5
- (no CPE)range: < 7.2.0-150300.3.15.1
- (no CPE)range: < 9.0+git.1644879908.8a641c1-3.13.1
- (no CPE)range: < 6.7.4-3.26.1
- (no CPE)range: < 6.7.4-3.26.1
- (no CPE)range: < 7.0.1~dev24-3.14.1
- (no CPE)range: < 7.0.1~dev24-3.14.1
- (no CPE)range: < 13.0.10~dev24-3.34.2
- (no CPE)range: < 13.0.10~dev24-3.34.2
- (no CPE)range: < 14.0.1~dev4-3.9.1
- (no CPE)range: < 14.0.1~dev4-3.9.1
- (no CPE)range: < 14.0.1~dev3-3.9.1
- (no CPE)range: < 14.0.1~dev3-3.9.1
- (no CPE)range: < 11.1.5~dev18-3.28.2
- (no CPE)range: < 11.1.5~dev18-3.28.2
- (no CPE)range: < 14.2.1~dev9-3.28.2
- (no CPE)range: < 14.2.1~dev9-3.28.2
- (no CPE)range: < 13.0.8~dev206-3.40.1
- (no CPE)range: < 13.0.8~dev206-3.40.1
- (no CPE)range: < 14.0.1~dev33-3.31.1
- (no CPE)range: < 14.0.1~dev33-3.31.1
- (no CPE)range: < 4.2.4-3.3.1
- (no CPE)range: < 4.2.4-3.3.1
- (no CPE)range: < 7.2.0-150300.3.15.1
- (no CPE)range: < 5.2.0-3.17.1
- (no CPE)range: < 5.2.0-3.17.1
- (no CPE)range: < 1.13.0.1-4.3.1
- (no CPE)range: < 1.13.0.1-4.3.1
- (no CPE)range: < 9.20220413-3.30.1
- (no CPE)range: < 9.20220413-3.30.1
- (no CPE)range: < 1.4.6-4.3.1
- (no CPE)range: < 7.0.1~dev24-3.35.2
- (no CPE)range: < 13.0.10~dev24-3.38.1
- (no CPE)range: < 7.0.2~dev2-3.35.1
- (no CPE)range: < 17.0.1~dev30-3.33.1
- (no CPE)range: < 11.0.4~dev4-3.35.1
- (no CPE)range: < 14.1.1~dev11-4.39.1
- (no CPE)range: < 11.1.5~dev18-4.33.1
- (no CPE)range: < 14.2.1~dev9-3.36.1
- (no CPE)range: < 7.2.1~dev1-4.35.1
- (no CPE)range: < 7.4.2~dev60-3.41.1
- (no CPE)range: < 1.8.2~dev3-3.35.1
- (no CPE)range: < 2.7.1~dev10-3.37.1
- (no CPE)range: < 13.0.8~dev206-6.39.1
- (no CPE)range: < 18.3.1~dev91-3.39.1
- (no CPE)range: < 3.2.3~dev7-4.35.1
- (no CPE)range: < 9.0.2~dev15-3.35.1
- (no CPE)range: < 2.19.2~dev48-2.30.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/advisories/GHSA-xrcv-f9gm-v42cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-22816ghsaADVISORY
- security.gentoo.org/glsa/202211-10ghsavendor-advisoryWEB
- www.debian.org/security/2022/dsa-5053ghsavendor-advisoryWEB
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-9.yamlghsaWEB
- github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.cghsaWEB
- github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31fghsaWEB
- github.com/python-pillow/Pillow/pull/5920ghsaWEB
- lists.debian.org/debian-lts-announce/2022/01/msg00018.htmlghsamailing-listWEB
- pillow.readthedocs.io/en/stable/releasenotes/9.0.0.htmlghsaWEB
News mentions
0No linked articles in our index yet.