Description
pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attacker to bypass bounds checks by providing large image dimensions, resulting in a heap out-of-bounds read. This can lead to information disclosure (server heap memory leaking into encoded images) or denial of service (process crash). No special configuration is required — this triggers under default settings. Version 1.3.0 fixes the issue.
Published: 2026-02-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure or denial of service via heap out-of-bounds read
Action: Patch now
AI Analysis

Impact

The flaw is an integer overflow during buffer validation in the encode path of pillow_heif. An attacker can supply large image dimensions, causing bounds checks to be bypassed, which results in a heap out-of-bounds read. This can leak private information from process memory into encoded images or cause the process to crash, leading to information disclosure or denial of service.
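The bug class described above, as an added illustration that is not pillow_heif's own code (the real check in `_pillow_heif.c` is not reproduced here): a hypothetical encode-path buffer validation that computes the required byte count in 32-bit arithmetic, so large dimensions wrap the product and an undersized buffer passes the check, placed beside a hardened version that rejects any dimension product that would overflow before comparing it with the buffer length. The function names (`validate_weak`, `validate_checked`, `encode_rows`) and the sample dimensions are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encode-path buffer validation (illustration only, not
 * pillow_heif's own code). The caller hands over a pixel buffer of
 * buf_len bytes claimed to hold a width x height image with `channels`
 * bytes per pixel; the encoder must never read past buf_len. */

/* Weak check: the required size is computed in 32-bit unsigned
 * arithmetic, so width * height * channels wraps modulo 2^32 for large
 * dimensions. The wrapped (small) value compares as "fits", and a later
 * row loop that trusts width/height reads past the heap buffer. */
bool validate_weak(uint32_t width, uint32_t height, uint32_t channels,
                   size_t buf_len)
{
    uint32_t required = width * height * channels; /* may wrap */
    return required <= buf_len;
}

/* Hardened check: reject zero dimensions, then test each multiplication
 * against SIZE_MAX before performing it, so the product can never wrap
 * regardless of how wide size_t is on the platform. */
bool validate_checked(uint32_t width, uint32_t height, uint32_t channels,
                      size_t buf_len)
{
    if (width == 0 || height == 0 || channels == 0)
        return false;
    if ((size_t)width > SIZE_MAX / height)
        return false;                     /* width * height would overflow */
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / channels)
        return false;                     /* pixels * channels would overflow */
    size_t required = pixels * channels;
    return required <= buf_len;
}

/* Encode-path entry point built on the hardened check: copies the pixel
 * data into dst only after the dimensions have been proven to fit both
 * buffers. Returns the number of bytes consumed, or 0 if rejected. */
size_t encode_rows(const uint8_t *src, size_t src_len,
                   uint32_t width, uint32_t height, uint32_t channels,
                   uint8_t *dst, size_t dst_len)
{
    if (!validate_checked(width, height, channels, src_len))
        return 0;
    size_t required = (size_t)width * height * channels; /* cannot wrap: checked above */
    if (required > dst_len)
        return 0;
    memcpy(dst, src, required);
    return required;
}

int main(void)
{
    /* Constructed input: a 16-byte buffer claimed to hold a 65536 x 65536
     * RGBA image. 65536 * 65536 * 4 == 2^34, which wraps to 0 in uint32_t. */
    uint8_t small[16] = {0};
    printf("weak check accepts oversized claim: %s\n",
           validate_weak(65536u, 65536u, 4u, sizeof small) ? "yes" : "no");
    printf("checked validation accepts it:      %s\n",
           validate_checked(65536u, 65536u, 4u, sizeof small) ? "yes" : "no");

    /* A legitimate 4 x 4 RGB image in a 48-byte buffer encodes normally. */
    uint8_t pixels[48], out[48];
    memset(pixels, 0xAB, sizeof pixels);
    size_t n = encode_rows(pixels, sizeof pixels, 4u, 4u, 3u, out, sizeof out);
    printf("encoded %zu bytes\n", n);
    return 0;
}
```

The division-based bound (`width > SIZE_MAX / height`) is the portable way to detect the overflow; on GCC and Clang `__builtin_mul_overflow` does the same job in one call. The point to audit for in any encoder or image library is the same: every size that feeds a bounds check must itself be computed in overflow-safe arithmetic, or the check guards nothing.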

Affected Systems

Any deployment of the pillow_heif Python package before version 1.3.0 is affected. The package functions as a plugin for the Pillow image library and is commonly used in projects that process HEIF images. Versions earlier than 1.3.0 need to be patched. The pillow_heif Python package from bigcat88 is the affected component.

Risk and Exploitability

The CVSS base score of 5.5 yields a medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not present in CISA’s KEV catalog. Exploitation requires an attacker to supply a crafted HEIF image with oversized dimensions to an application that imports pillow_heif under default settings. In web services or image processing pipelines that accept external files, the attack vector is remote; local users could also trigger the flaw by processing a malicious image.

Generated by OpenCVE AI on April 17, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pillow_heif to version 1.3.0 or later.
  • Ensure all users and environments install the patched version of pillow_heif.
  • If upgrade is not immediately possible, block or rigorously validate external HEIF images before processing.

Generated by OpenCVE AI on April 17, 2026 at 13:55 UTC.


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Bigcat88 pillow-heif
CPEs                |                | cpe:2.3:a:bigcat88:pillow-heif:*:*:*:*:*:python:*:*
Vendors & Products  |                | Bigcat88 pillow-heif
Metrics             |                | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Tue, 03 Mar 2026 21:15:00 +0000

Type                | Values Removed | Values Added
Metrics             |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Bigcat88; Bigcat88 pillow Heif
Vendors & Products  |                | Bigcat88; Bigcat88 pillow Heif

Fri, 27 Feb 2026 20:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attacker to bypass bounds checks by providing large image dimensions, resulting in a heap out-of-bounds read. This can lead to information disclosure (server heap memory leaking into encoded images) or denial of service (process crash). No special configuration is required — this triggers under default settings. Version 1.3.0 fixes the issue.
Title               |                | pillow_heif Has Integer Overflow in Encode Path Buffer Validation that Leads to Heap Out-of-Bounds Read
Weaknesses          |                | CWE-125; CWE-190
References          |                |
Metrics             |                | cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:25:30.145Z

Reserved: 2026-02-25T15:28:40.651Z

Link: CVE-2026-28231

Vulnrichment

Updated: 2026-03-03T20:25:27.680Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:40.697

Modified: 2026-03-04T15:55:20.027

Link: CVE-2026-28231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses