VYPR
High severity · NVD Advisory · Published May 25, 2022 · Updated Aug 3, 2024

CVE-2022-30595

Description

libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in Pillow 9.1.0's TGA RLE decoder allows denial of service or potential code execution via crafted TGA file.

Vulnerability

A heap buffer overflow vulnerability exists in libImaging/TgaRleDecode.c in Pillow 9.1.0. The flaw occurs when processing invalid TGA image files that use run-length encoding (RLE). The decoder does not properly validate the size of the decoded data against the allocated buffer, leading to a write past the end of the heap buffer. This affects Pillow versions 9.1.0 and earlier [1][2].
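As an added illustration of the bug class (this is not Pillow's code and does not reproduce the flaw in TgaRleDecode.c), the C program below decodes TGA-style RLE packets while checking every write against the remaining capacity of the output buffer, which is the validation the narrative says was missing. The packet layout it assumes is the standard TGA one: a header byte whose high bit selects a run-length packet and whose low seven bits give the pixel count minus one. The function names and the sample packets are constructed for this example.

```c
/* Added illustration, not Pillow's decoder: a TGA-style RLE packet decoder
 * that refuses any packet that would write past the end of the output buffer.
 *
 * TGA RLE packets (standard layout, assumed here):
 *   header byte h; count = (h & 0x7f) + 1
 *   h & 0x80 set   -> run packet: one pixel follows, repeated `count` times
 *   h & 0x80 clear -> raw packet: `count` literal pixels follow
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decodes until `out` is full. Returns the number of bytes written, or -1 if
 * the input is truncated, bpp is unsupported, or a packet would overflow
 * `out` (the condition that, unchecked, becomes a heap overflow). */
long tga_rle_decode(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_len, size_t bpp)
{
    size_t ip = 0, op = 0;
    if (bpp == 0 || bpp > 4) return -1;
    while (op < out_len) {
        if (ip >= in_len) return -1;                 /* truncated input */
        uint8_t h = in[ip++];
        size_t count = (size_t)(h & 0x7f) + 1;
        size_t need = count * bpp;
        /* Bounds check: the packet must fit in what remains of `out`.
         * Computed as a subtraction so it cannot itself overflow. */
        if (need > out_len - op) return -1;
        if (h & 0x80) {                              /* run-length packet */
            if (in_len - ip < bpp) return -1;        /* pixel missing */
            for (size_t i = 0; i < count; i++) {
                memcpy(out + op, in + ip, bpp);
                op += bpp;
            }
            ip += bpp;
        } else {                                     /* raw packet */
            if (in_len - ip < need) return -1;       /* literals missing */
            memcpy(out + op, in + ip, need);
            ip += need;
            op += need;
        }
    }
    return (long)op;
}

/* Constructed sample inputs for a 4-pixel, 1-byte-per-pixel image
 * (not taken from any real file). */
long demo_well_formed(void)
{
    const uint8_t pkt[] = { 0x83, 0xAA };  /* run of 4 x 0xAA: exactly fills out */
    uint8_t out[4] = {0};
    return tga_rle_decode(pkt, sizeof pkt, out, sizeof out, 1);  /* 4 */
}

long demo_overlong_run(void)
{
    const uint8_t pkt[] = { 0x8F, 0xAA };  /* claims a run of 16 pixels for a 4-byte buffer */
    uint8_t out[4] = {0};
    return tga_rle_decode(pkt, sizeof pkt, out, sizeof out, 1);  /* -1: rejected, not written */
}

long demo_raw_then_run(void)
{
    const uint8_t pkt[] = { 0x01, 0x11, 0x22, 0x81, 0x33 }; /* raw 2 px, then run of 2 x 0x33 */
    uint8_t out[4] = {0};
    return tga_rle_decode(pkt, sizeof pkt, out, sizeof out, 1);  /* 4 */
}

long demo_truncated(void)
{
    const uint8_t pkt[] = { 0x03, 0x11 };  /* raw packet promises 4 px, supplies 1 */
    uint8_t out[4] = {0};
    return tga_rle_decode(pkt, sizeof pkt, out, sizeof out, 1);  /* -1 */
}

int main(void)
{
    printf("well-formed: %ld\n", demo_well_formed());
    printf("overlong run: %ld\n", demo_overlong_run());
    printf("raw then run: %ld\n", demo_raw_then_run());
    printf("truncated: %ld\n", demo_truncated());
    return 0;
}
```

The decoder rejects an oversized packet outright rather than clamping it; either policy is safe as long as the check happens before the copy, and rejecting makes malformed input visible to the caller so it can be logged. The check `need > out_len - op` is written as a subtraction on purpose: `op + need > out_len` can wrap on a hostile count and pass.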

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted TGA image file to an application that uses Pillow to decode it. No authentication or special privileges are required if the application processes user-uploaded images. The attacker crafts a TGA file with malformed RLE data that causes the decoder to write beyond the allocated buffer during decompression [1][2].

Impact

Successful exploitation can lead to heap corruption, potentially resulting in a denial of service (application crash) or arbitrary code execution in the context of the Python process. The exact impact depends on how the application uses Pillow and the memory layout at the time of the overflow [1][3].

Mitigation

The vulnerability is fixed in Pillow 9.1.1, released on 2022-05-25. Users should upgrade to Pillow 9.1.1 or later. No workaround is available for affected versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions    Patched versions
Pillow    PyPI        >= 9.1.0, < 9.1.1    9.1.1

Affected products (3)

  • Pillow/Pillow
  • osv-coords (2 versions): >= 9.1.0, < 9.1.1, + 1 more
    • (no CPE) range: >= 9.1.0, < 9.1.1
    • (no CPE) range: >= 9.1.0, < 9.1.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.