CVE-2024-28219
Description
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 10.3.0 has a buffer overflow in _imagingcms.c due to strcpy being used instead of strncpy.
Root Cause
In Pillow versions prior to 10.3.0, the _imagingcms.c file contained two instances where the strcpy function was used to copy input mode strings into fixed-length buffers. This could lead to a classic buffer overflow if the source string exceeded the destination buffer size, as strcpy performs no bounds checking [2][4].
Exploitation
The vulnerability is triggered when processing crafted ICC profile transform operations with overly long mode strings (e.g., "ABCDEFGHI") [4]. An attacker needs to supply a specially crafted image or ICC profile that, when processed by Pillow's color management functions, causes strcpy to write beyond the allocated buffer. No authentication is required, and the attack can be delivered via any vector that causes Pillow to open a malicious file (such as a user opening an email attachment or visiting a website) [1].
Impact
Successful exploitation results in a buffer overflow, which could corrupt adjacent memory and potentially allow an attacker to achieve arbitrary code execution or cause a denial of service. The overflow occurs within the core C extension module, increasing the severity of the issue [2].
Mitigation
The vulnerability was fixed in Pillow version 10.3.0 by replacing strcpy with strncpy, which limits the number of bytes copied and prevents buffer overruns [2][4]. Users are strongly advised to upgrade to Pillow 10.3.0 or later. Debian LTS users should apply the available security update [1].
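The root-cause and mitigation notes above describe the defect class (an unbounded strcpy into a fixed-length mode buffer) and the fix class (a length-bounded copy). The C program below is an added illustration written for this page; it is not code from Pillow, from the fixing commit, or from the advisory. It assumes a hypothetical 8-byte mode buffer (MODE_BUF_LEN) so that the nine-character mode "ABCDEFGHI" quoted in the description does not fit; Pillow's real buffer sizes are not given here, and the function names (copy_mode_strncpy, copy_mode_checked, raw_strncpy_terminated, mode_via_strncpy, mode_via_check) are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer that receives an image mode string such
   as "RGB" or "CMYK". Hypothetical value: the real sizes in _imagingcms.c
   are not stated on this page. */
#define MODE_BUF_LEN 8

/* Result of one copy attempt. buf is always NUL-terminated on return. */
struct mode_copy {
    int status;             /* 0 = complete copy, -1 = source did not fit */
    char buf[MODE_BUF_LEN];
};

/* The pre-10.3.0 pattern was strcpy(dst, src). strcpy copies until the
   source's NUL byte and never consults the destination size, so a source of
   MODE_BUF_LEN or more characters writes past the end of dst. That call is
   deliberately not present in this program. */

/* Bounded copy in the style of the 10.3.0 fix. strncpy(dst, src, n) writes
   at most n bytes, which prevents the overrun, but it adds no terminator
   when src is n bytes or longer, so the caller writes one explicitly.
   Returns 0 on a complete copy, -1 when the source had to be truncated. */
int copy_mode_strncpy(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return -1;
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';            /* strncpy does not guarantee this */
    return strlen(src) < dst_len ? 0 : -1;
}

/* Stricter variant: reject a mode that does not fit instead of truncating it.
   Silent truncation can turn one mode string into another, so refusing the
   input is usually the better choice when parsing untrusted data. */
int copy_mode_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {  /* no room for src plus its NUL */
        if (dst_len)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);             /* n + 1 includes the terminator */
    return 0;
}

/* Demonstrates the strncpy caveat directly: strncpy(dst, src, sizeof dst)
   never overruns dst, but leaves no NUL byte when src fills it completely.
   Returns 1 if dst is terminated afterwards, 0 if it is not. */
int raw_strncpy_terminated(const char *src)
{
    char dst[MODE_BUF_LEN];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Wrappers that return status and buffer together for inspection. */
struct mode_copy mode_via_strncpy(const char *src)
{
    struct mode_copy r;
    r.status = copy_mode_strncpy(r.buf, sizeof r.buf, src);
    return r;
}

struct mode_copy mode_via_check(const char *src)
{
    struct mode_copy r;
    r.status = copy_mode_checked(r.buf, sizeof r.buf, src);
    return r;
}

int main(void)
{
    /* Constructed inputs: two ordinary modes and the long one quoted above. */
    const char *inputs[] = { "RGB", "CMYK", "ABCDEFGHI" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct mode_copy a = mode_via_strncpy(inputs[i]);
        struct mode_copy b = mode_via_check(inputs[i]);
        printf("%-10s strncpy -> \"%s\" (status %d)  checked -> \"%s\" (status %d)"
               "  raw strncpy terminated: %d\n",
               inputs[i], a.buf, a.status, b.buf, b.status,
               raw_strncpy_terminated(inputs[i]));
    }
    return 0;
}
```

The point a reviewer would check in a fix of this shape is the terminator: a bounded copy stops the write past the end of the buffer, but strncpy by itself leaves the buffer unterminated when the source fills it, and a later strlen or printf on that buffer reads past its end. Writing the NUL explicitly, or validating the length first and rejecting oversized input, closes both halves of the problem.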
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 10.3.0 | 10.3.0 |
Affected products
- Pillow/Pillow (source: CVE description)
- OSV coordinates (52 versions; the affected ranges below are paired with the packages in the order both lists appear on the page):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | < 2.2.0-r0 |
| pkg:apk/chainguard/open-webui | < 0.6.36-r0 |
| pkg:apk/chainguard/open-webui-compat | < 0.6.36-r0 |
| pkg:apk/chainguard/py3.10-pillow | < 10.3.0-r0 |
| pkg:apk/chainguard/py3.10-seaborn | < 0.13.2-r3 |
| pkg:apk/chainguard/py3.11-pillow | < 10.3.0-r0 |
| pkg:apk/chainguard/py3.11-seaborn | < 0.13.2-r3 |
| pkg:apk/chainguard/py3.12-pillow | < 10.3.0-r0 |
| pkg:apk/chainguard/py3.12-seaborn | < 0.13.2-r3 |
| pkg:apk/chainguard/py3.13-pillow | < 10.3.0-r0 |
| pkg:apk/chainguard/py3.13-seaborn | < 0.13.2-r3 |
| pkg:apk/chainguard/py3-pillow | < 10.3.0-r0 |
| pkg:apk/chainguard/py3-seaborn | < 0.13.2-r3 |
| pkg:apk/chainguard/py3-supported-pillow | < 10.3.0-r0 |
| pkg:apk/chainguard/py3-supported-seaborn | < 0.13.2-r3 |
| pkg:apk/chainguard/pytorch | < 2.3.0-r0 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | < 2.2.0-r0 |
| pkg:apk/wolfi/open-webui | < 0.6.36-r0 |
| pkg:apk/wolfi/open-webui-compat | < 0.6.36-r0 |
| pkg:apk/wolfi/py3.10-pillow | < 10.3.0-r0 |
| pkg:apk/wolfi/py3.10-seaborn | < 0.13.2-r3 |
| pkg:apk/wolfi/py3.11-pillow | < 10.3.0-r0 |
| pkg:apk/wolfi/py3.11-seaborn | < 0.13.2-r3 |
| pkg:apk/wolfi/py3.12-pillow | < 10.3.0-r0 |
| pkg:apk/wolfi/py3.12-seaborn | < 0.13.2-r3 |
| pkg:apk/wolfi/py3.13-pillow | < 10.3.0-r0 |
| pkg:apk/wolfi/py3.13-seaborn | < 0.13.2-r3 |
| pkg:apk/wolfi/py3-pillow | < 10.3.0-r0 |
| pkg:apk/wolfi/py3-seaborn | < 0.13.2-r3 |
| pkg:apk/wolfi/py3-supported-pillow | < 10.3.0-r0 |
| pkg:apk/wolfi/py3-supported-seaborn | < 0.13.2-r3 |
| pkg:apk/wolfi/pytorch | < 2.3.0-r0 |
| pkg:bitnami/pillow | >= 0 |
| pkg:pypi/pillow | < 10.3.0 |
| pkg:rpm/almalinux/python3-pillow | < 5.1.1-21.el8_10 |
| pkg:rpm/almalinux/python3-pillow-devel | < 5.1.1-21.el8_10 |
| pkg:rpm/almalinux/python3-pillow-doc | < 5.1.1-21.el8_10 |
| pkg:rpm/almalinux/python3-pillow-tk | < 5.1.1-21.el8_10 |
| pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.5 | < 9.5.0-150400.5.15.1 |
| pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208 | < 4.2.1-3.29.2 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 9.5.0-150400.5.15.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 9.5.0-150400.5.15.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5 | < 9.5.0-150400.5.15.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 9.5.0-150400.5.15.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 | < 9.5.0-150400.5.15.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208 | < 4.2.1-3.29.2 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209 | < 5.2.0-3.26.2 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 | < 4.2.1-3.29.2 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 | < 5.2.0-3.26.2 |
| pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 | < 12.0.5~dev6-14.58.2 |
| pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209 | < 14.1.1~dev11-4.55.2 |
| pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 | < 12.0.5~dev6-14.58.2 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-44wm-f244-xhp3 (source: GHSA; type: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M/ (source: MITRE; type: vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28219 (source: GHSA; type: advisory)
- github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061 (source: GHSA; type: web)
- lists.debian.org/debian-lts-announce/2024/04/msg00008.html (source: GHSA; type: mailing list, web)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M (source: GHSA; type: web)
- pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html (source: GHSA; type: web)
News mentions
No linked articles in our index yet.