PT-2026-22391 · Unknown · Pillow Heif

Kaizawa97 · Published 2026-02-27 · Updated 2026-03-04 · CVE-2026-28231

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: pillow-heif versions prior to 1.3.0
Description: An integer overflow in the encode-path buffer validation within pillow heif.c allows an attacker to bypass bounds checks by providing large image dimensions. This can lead to a heap out-of-bounds read, potentially resulting in information disclosure or denial of service. The issue triggers under default settings and does not require any special configuration.
Recommendations: Update to pillow-heif version 1.3.0 or later.
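As an added illustration of the weakness class the description names (this is not pillow-heif's code; the function names, parameters and the 65536 x 65537 dimensions are constructed for the example), the C below places a size check whose 32-bit product wraps beside an overflow-checked replacement, so a defender can see why large dimensions slip past the first and not the second:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction of the bug class: before the encoder reads
 * the caller's pixel buffer it must hold width * height * channels bytes. */

/* Weak check: the product is computed in 32 bits, so large dimensions wrap
 * modulo 2^32 and a buffer that is far too small still "fits". Unsigned
 * types are used so the wrap is well defined and reproducible. */
bool buffer_fits_wrapping(uint32_t width, uint32_t height,
                          uint32_t channels, size_t buf_len)
{
    uint32_t needed = width * height * channels;   /* can wrap */
    return needed <= buf_len;                       /* passes after a wrap */
}

/* Hardened check: each multiplication is tested for overflow before it is
 * performed, in size_t, and the exact requirement is reported back. */
bool buffer_fits_checked(uint32_t width, uint32_t height, uint32_t channels,
                         size_t buf_len, size_t *needed_out)
{
    size_t w = width, h = height, c = channels;
    if (w == 0 || h == 0 || c == 0)
        return false;                  /* degenerate image: reject outright */
    if (w > SIZE_MAX / h)
        return false;                  /* w * h would overflow size_t */
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / c)
        return false;                  /* pixels * c would overflow size_t */
    size_t needed = pixels * c;
    if (needed_out)
        *needed_out = needed;
    return needed <= buf_len;
}

int main(void)
{
    /* Constructed input: 65536 x 65537 x 1 really needs 4,295,032,832 bytes,
     * but the 32-bit product wraps to exactly 65536. */
    size_t buf_len = 65536, needed = 0;
    printf("wrapping check accepts 65536-byte buffer: %d\n",
           buffer_fits_wrapping(65536, 65537, 1, buf_len));
    printf("checked version accepts it: %d (needs %zu bytes)\n",
           buffer_fits_checked(65536, 65537, 1, buf_len, &needed), needed);
    return 0;
}
```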

Exploit

Fix

DoS

Out of bounds Read

Integer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-28231
GHSA-5GJJ-6R7V-PH3X
OPENSUSE-SU-2026:10285-1

Affected Products

Pillow Heif