USN-8135-1: Pillow vulnerabilities

Publication date

31 March 2026

Overview

Several security issues were fixed in Pillow.


Packages

  • pillow - Python Imaging Library

Details

It was discovered that Pillow did not correctly handle reading J2K files,
which could lead to an out-of-bounds read vulnerability. If a user or
automated system were tricked into opening a specially crafted file, an
attacker could possibly use this issue to cause a denial of service. This
issue only affected Ubuntu 16.04 LTS. (CVE-2021-25287, CVE-2021-25288)

It was discovered that Pillow did not correctly handle certain integer
arithmetic, which could lead to a buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS. (CVE-2021-25290)

It was discovered that Pillow did not correctly perform bounds checking
for certain operations. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2021-28675, CVE-2021-28676, CVE-2021-28677)

It was discovered that Pillow did not correctly handle certain memory
operations. An attacker could possibly use this issue to cause a denial
of service. (CVE-2023-44271)

It was discovered that Pillow did not correctly sanitize certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2023-50447)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release     Package       Version
18.04 LTS bionic   python-pil    5.1.0-1ubuntu0.8+esm2
                   python3-pil   5.1.0-1ubuntu0.8+esm2
16.04 LTS xenial   python-pil    3.1.2-0ubuntu1.6+esm3
                   python3-pil   3.1.2-0ubuntu1.6+esm3
14.04 LTS trusty   python-pil    2.3.0-1ubuntu3.4+esm5
                   python3-pil   2.3.0-1ubuntu3.4+esm5
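The fixed versions above are only useful if an installed version can be compared to them correctly, and Debian versions do not sort lexicographically (0.8 is below 0.10, and a "+esm2" suffix is above the bare revision). The following added example, not part of the notice, reimplements dpkg's version-ordering rules in Python and checks the output of dpkg-query against this notice's table; the codenames and versions are taken from the table, and the dpkg-query output embedded in the test is constructed.

```python
# Fixed versions from the USN-8135-1 table; python-pil and python3-pil share them.
FIXED = {"bionic": "5.1.0-1ubuntu0.8+esm2",
         "xenial": "3.1.2-0ubuntu1.6+esm3",
         "trusty": "2.3.0-1ubuntu3.4+esm5"}

def _order(c):
    # dpkg order for non-digit chars: '~' < end of string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg algorithm: alternate a non-digit run (char order above) and a digit run (numeric)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i, j = i + bool(ca), j + bool(cb)
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(codename, installed):
    """True when the installed version is at or above the USN-8135-1 fixed version."""
    return compare_versions(installed, FIXED[codename]) >= 0

def report(codename, dpkg_output):
    # Classify each line of: dpkg-query -W -f='${Package} ${Version}\n' python-pil python3-pil
    return {pkg: ("fixed" if is_fixed(codename, ver) else "vulnerable " + ver)
            for pkg, ver in (line.split() for line in dpkg_output.splitlines() if line.strip())}
```

On a host, feed the real dpkg-query output (the command in the comment above) to report() together with the VERSION_CODENAME from /etc/os-release.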

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.
