CVE-2023-44271
Description
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 10.0.0 has a denial-of-service vulnerability: measuring or rendering an attacker-controlled, very long string with a FreeType (truetype) font through ImageFont allocates memory without bound and can crash the process.
Vulnerability
Description
CVE-2023-44271 is a denial-of-service (DoS) vulnerability in the Pillow Python imaging library, affecting versions before 10.0.0. It sits in the FreeType (truetype) font handling of ImageFont: the FreeTypeFont methods getlength, getbbox and getmask2, which ImageDraw reaches through textlength, textbbox and text, accept a text argument of any length and hand it to the native layout and rendering code. Nothing in the library bounds that input, so a sufficiently long string drives memory allocation that grows with the length of the string until the process exhausts available memory and crashes [1][2][4].
Exploitation and Attack Vector
An attacker exploits this by supplying a very long text string to any application that passes user-controlled text to Pillow's font metrics or rendering calls (ImageDraw.textlength, textbbox or text, or FreeTypeFont.getlength, getbbox or getmask2) with a truetype font. No privileges or authentication are required; the vector is the network whenever the application accepts user-supplied text, for example a web service that renders captchas, badges or labels, and a single request is enough [2]. Pillow 10.0.0 addressed the issue (PR #7244, commit 1fe1bb4) by adding a module-level ImageFont.MAX_STRING_LENGTH constant, shipped as 1,000,000 characters, and a _string_length_check helper that raises ValueError("too many characters in string") when the input exceeds it before any allocation happens. The limit can be raised, lowered, or disabled entirely by setting ImageFont.MAX_STRING_LENGTH to None, so setting it to None reintroduces the original behaviour [1][3].
Impact
Successful exploitation results in a denial-of-service condition: the process that calls into Pillow (typically a web or worker process) grows until the operating system kills it or the host runs out of memory, disrupting availability for other users. Because a single long string triggers it with no special setup, the risk is significant for any application that processes untrusted text with Pillow's font metrics or text rendering. There is no confidentiality or integrity impact; the availability impact is high [2].
Mitigation
The vulnerability is fixed in Pillow 10.0.0 and later, and upgrading is the primary remediation [1][2][3][4]. The advisories list no other workaround, but the fix is only an input length check, so an application that cannot upgrade immediately gets equivalent protection by rejecting text above a chosen bound before it reaches ImageFont; that bound can also be far tighter than the library default of 1,000,000 characters, since few real uses need labels anywhere near that long, and on Pillow 10.0.0+ it can be enforced library-wide by lowering ImageFont.MAX_STRING_LENGTH. Distribution packages (AlmaLinux, openSUSE, SUSE) backport the fix under their own package versions, so on those systems compare against the distro advisory's fixed version rather than the upstream 10.0.0 number.
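The following is an added example, not code from Pillow or from the advisories above. It implements the application-side guard described in the Mitigation section and a version check for the installed library, so a practitioner can see where the bound has to sit relative to the vulnerable call. The names MAX_TEXT_CHARS, TextTooLong, is_pillow_vulnerable, pillow_has_string_length_guard and measure_text are this example's own, and the 10,000-character bound is an assumed value sized for labels rather than Pillow's default; ImageDraw.textlength, ImageFont.load_default and ImageFont.MAX_STRING_LENGTH are the only real Pillow APIs it touches. The live demo at the bottom runs only if Pillow is installed; the guard and version logic work without it.

```python
"""
Added example (not Pillow's code): an application-side guard for the
CVE-2023-44271 input pattern plus a version fingerprint for the installed
Pillow. MAX_TEXT_CHARS, TextTooLong and measure_text are this example's own
names; ImageDraw.textlength, ImageFont.load_default and
ImageFont.MAX_STRING_LENGTH are real Pillow APIs.
"""
from __future__ import annotations

import re
from typing import Any

# Application-chosen bound on untrusted text reaching Pillow's font metrics
# (assumed value for this example). Pillow 10.0.0 ships a library-side limit
# (ImageFont.MAX_STRING_LENGTH, 1,000,000); this one is deliberately tighter.
MAX_TEXT_CHARS = 10_000

# Upstream release that introduced the library-side length check.
FIXED_UPSTREAM = (10, 0, 0)


class TextTooLong(ValueError):
    """Raised when untrusted text exceeds the application bound."""


def check_text_length(text: str, limit: int = MAX_TEXT_CHARS) -> str:
    """Reject (do not silently truncate) text longer than `limit` characters.

    Same idea as Pillow's _string_length_check in 10.0.0, but it runs before
    the call crosses into the native FreeType code, so it also protects
    deployments still on a vulnerable Pillow.
    """
    if len(text) > limit:
        raise TextTooLong(f"text is {len(text)} characters; limit is {limit}")
    return text


def _parse_version(version: str) -> tuple[int, int, int]:
    """Turn '9.5.0' or '10.0.0.post1' into a comparable 3-tuple of ints."""
    parts: list[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break  # stop at non-numeric suffixes such as 'post1'
        parts.append(int(match.group()))
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_pillow_vulnerable(version: str) -> bool:
    """True for any upstream Pillow release before 10.0.0.

    Distribution packages backport the fix under their own version strings
    (e.g. 5.1.1-20.el8), so for RPM/deb builds check the package version
    against the distro advisory instead of this upstream comparison.
    """
    return _parse_version(version) < FIXED_UPSTREAM


def pillow_has_string_length_guard() -> bool:
    """Fingerprint the installed Pillow for the 10.0.0 limit (False if absent)."""
    try:
        from PIL import ImageFont
    except ImportError:
        return False
    return hasattr(ImageFont, "MAX_STRING_LENGTH")


def measure_text(draw: Any, font: Any, text: str) -> float:
    """Safe wrapper around ImageDraw.textlength: bound the input first."""
    return draw.textlength(check_text_length(text), font=font)


def main() -> None:
    """Live demo; skipped when Pillow is not installed."""
    try:
        from PIL import Image, ImageDraw, ImageFont
    except ImportError:
        print("Pillow not installed; the guard still works without it")
        return
    print("installed Pillow has MAX_STRING_LENGTH:", pillow_has_string_length_guard())
    draw = ImageDraw.Draw(Image.new("RGB", (200, 40)))
    font = ImageFont.load_default()
    print("width of 'hello':", measure_text(draw, font, "hello"))
    try:
        # Constructed attacker-sized input: one character over the bound.
        measure_text(draw, font, "A" * (MAX_TEXT_CHARS + 1))
    except TextTooLong as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    main()
```

The guard raises rather than truncating because a silently shortened label is a correctness bug of its own, and because the rejection is the event worth logging: a request that hits this bound is either a broken client or the probe described above.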
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| pillow | PyPI | < 10.0.0 | 10.0.0 |
Affected products
Pillow, via OSV package coordinates (no CPE assigned). One affected range per coordinate, in the order the source lists them. Distribution ranges are distro package versions carrying a backported fix, not upstream Pillow versions.
| Package (PURL) | Distribution | Affected range |
|---|---|---|
| pkg:bitnami/pillow | Bitnami | < 10.0.0 |
| pkg:pypi/pillow | PyPI | < 10.0.0 |
| pkg:rpm/almalinux/python3-pillow | AlmaLinux 8 | < 5.1.1-20.el8 |
| pkg:rpm/almalinux/python3-pillow-devel | AlmaLinux 8 | < 5.1.1-20.el8 |
| pkg:rpm/almalinux/python3-pillow-doc | AlmaLinux 8 | < 5.1.1-20.el8 |
| pkg:rpm/almalinux/python3-pillow-tk | AlmaLinux 8 | < 5.1.1-20.el8 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Leap 15.4 | < 9.5.0-150400.5.6.1 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Leap 15.5 | < 9.5.0-150400.5.6.1 |
| pkg:rpm/suse/python-Pillow | HPE Helion OpenStack 8 | < 4.2.1-3.23.2 |
| pkg:rpm/suse/python-Pillow | SUSE Linux Enterprise Module for Python 3 15 SP4 | < 9.5.0-150400.5.6.1 |
| pkg:rpm/suse/python-Pillow | SUSE Linux Enterprise Module for Python 3 15 SP5 | < 9.5.0-150400.5.6.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 8 | < 4.2.1-3.23.2 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud 9 | < 5.2.0-3.20.1 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud Crowbar 8 | < 4.2.1-3.23.2 |
| pkg:rpm/suse/python-Pillow | SUSE OpenStack Cloud Crowbar 9 | < 5.2.0-3.20.1 |
Patches
No patches discovered yet (the upstream fix commit and pull request are listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8ghj-p4vj-mr35 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-44271 (GHSA: advisory)
- github.com/python-pillow/Pillow/pull/7244 (GHSA: fix pull request)
- github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 (GHSA: fix commit)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml (GHSA: PyPA advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/ (MITRE and GHSA: Fedora vendor advisory, mailing list)
- lists.debian.org/debian-lts-announce/2024/03/msg00021.html (GHSA: Debian LTS announcement, mailing list)
- devhub.checkmarx.com/cve-details/CVE-2023-44271 (MITRE and GHSA: web)
News mentions
No linked articles in our index yet.