Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Network-reachable only where the app exposes filter size to untrusted input, so AC:H; no auth at Pillow level (PR:N); crash-dominant (A:H) with limited memory-write integrity impact (I:L) and no confidentiality loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Pillow is a Python imaging library. Prior to 12.3.0, Pillow's public rank-filter API can trigger a native heap out-of-bounds write when given a very large odd filter size because ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before rank-filter size validation and ImagingExpand() computes output dimensions with unchecked signed int arithmetic. This issue is fixed in version 12.3.0.
Articles & Coverage 1
AnalysisAI
Heap out-of-bounds write in Python Pillow prior to 12.3.0 lets an attacker who controls the rank-filter size parameter corrupt native heap memory and crash or potentially manipulate the process. ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before validating the filter size, and the native ImagingExpand() routine computes output dimensions using unchecked signed-int arithmetic, so a very large odd size overflows and drives an out-of-bounds write (CWE-787). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the application pass an attacker-influenced filter size into ImageFilter.RankFilter (or its MedianFilter/MinFilter/MaxFilter subclasses), or otherwise reach im.expand() with an attacker-controlled margin, on Pillow before 12.3.0; the concrete trigger is a very large odd filter size (the regression test uses 23171) whose size//2 margin overflows signed-int arithmetic in native ImagingExpand(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 base is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H): network vector, no privileges, no user interaction, low integrity impact and high availability impact, with no confidentiality loss - consistent with a memory-corruption bug that most reliably yields a crash/DoS and only conditionally something more. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application exposes an image-processing endpoint that lets a user choose a rank/median filter radius, and passes that value into ImageFilter.RankFilter without an upper bound. An attacker submits a very large odd filter size, causing image.expand() to trigger the unchecked signed-int overflow in ImagingExpand() and a heap out-of-bounds write, crashing the worker process (denial of service) with the potential for further memory corruption. … |
| Remediation | Vendor-released patch: upgrade Pillow to 12.3.0 or later (pip install --upgrade 'Pillow>=12.3.0'), which adds bounds validation in both ImageFilter.py and the native ImagingExpand() path; see the advisory at https://github.com/python-pillow/Pillow/security/advisories/GHSA-xj96-63gp-2gmr and the tagged release https://github.com/python-pillow/Pillow/releases/tag/12.3.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all applications and systems using Python Pillow and document their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43734