Pillow HEIF Plugin Crashes or Discloses Data with Malformed Images
CVE-2026-28231
Summary
A security issue in the Pillow HEIF plugin allows attackers to make it crash or leak sensitive information by sending a specially crafted image. This can happen even with the plugin's default settings. Update to version 1.3.0 or later to fix the problem.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| bigcat88 | pillow-heif | <= 1.3.0 | – |
Original title
pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an at...
Original description
pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attacker to bypass bounds checks by providing large image dimensions, resulting in a heap out-of-bounds read. This can lead to information disclosure (server heap memory leaking into encoded images) or denial of service (process crash). No special configuration is required — this triggers under default settings. Version 1.3.0 fixes the issue.
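The bug class the description names, as an added illustration that is not pillow_heif's code (the real check in `_pillow_heif.c` and its fix are in the linked commit): a buffer-size computation that multiplies image dimensions in a fixed-width integer wraps for large inputs, so the bounds check accepts a buffer that is far too small and the encoder later reads past it on the heap. The function names `buffer_len_ok_unsafe` / `buffer_len_ok_checked` and the sample dimensions are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative (hypothetical, not pillow_heif's) validation of an input
 * pixel buffer before encoding: width * height * bytes_per_pixel must
 * fit inside the buffer the caller handed over. */

/* Vulnerable pattern: the product is computed in 32 bits, so large
 * dimensions wrap modulo 2^32 and the comparison passes. */
bool buffer_len_ok_unsafe(uint32_t width, uint32_t height, uint32_t bpp,
                          size_t buffer_len)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    uint32_t needed = width * height * bpp; /* wraps for large dimensions */
    return needed <= buffer_len;            /* wrapped value can be tiny */
}

/* Hardened pattern: widen to 64 bits and check the second multiplication
 * for overflow before comparing against the real buffer length. */
bool buffer_len_ok_checked(uint32_t width, uint32_t height, uint32_t bpp,
                           size_t buffer_len)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    uint64_t pixels = (uint64_t)width * height; /* both < 2^32: cannot overflow */
    if (pixels > UINT64_MAX / bpp)              /* pixels * bpp would overflow */
        return false;
    uint64_t needed = pixels * bpp;
    return needed <= buffer_len;
}

int main(void)
{
    /* Constructed inputs: a legitimate 64x64 RGB frame, then dimensions
     * chosen so that 32-bit arithmetic wraps to 0 and to 65536. */
    printf("64x64x3 in 12288 bytes: unsafe=%d checked=%d\n",
           buffer_len_ok_unsafe(64, 64, 3, 12288),
           buffer_len_ok_checked(64, 64, 3, 12288));
    printf("65536x65536x4 in 4096 bytes: unsafe=%d checked=%d\n",
           buffer_len_ok_unsafe(65536u, 65536u, 4u, 4096),
           buffer_len_ok_checked(65536u, 65536u, 4u, 4096));
    printf("65536x65537x1 in 65536 bytes: unsafe=%d checked=%d\n",
           buffer_len_ok_unsafe(65536u, 65537u, 1u, 65536),
           buffer_len_ok_checked(65536u, 65537u, 1u, 65536));
    return 0;
}
```

The second and third cases are the ones the unsafe check accepts: the encoder would then treat a 4 KiB or 64 KiB buffer as a multi-gigabyte image and read heap memory beyond it into the output.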
Severity scores

| Source | Metric | Score |
|---|---|---|
| NVD | CVSS 3.1 | 9.1 |
| NVD | CVSS 4.0 | 5.5 |
Vulnerability type
- CWE-125: Out-of-bounds Read
- CWE-190: Integer Overflow
References
- https://github.com/bigcat88/pillow_heif/commit/8305a15d3780c533b762578cbe987d27a... (Patch)
- https://github.com/bigcat88/pillow_heif/releases/tag/v1.3.0 (Product, Release Notes)
- https://github.com/bigcat88/pillow_heif/security/advisories/GHSA-5gjj-6r7v-ph3x (Exploit, Mitigation, Vendor Advisory)
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026