CVE-2024-28219

Aliases:GHSA-44wm-f244-xhp3BIT-pillow-2024-28219

Advisory lineage Upstream: 0 Downstream: 16

Downstream

DEBIAN-CVE-2024-28219 DLA-3786-1 DSA-5704-1 MGASA-2024-0133 OPENSUSE-SU-2024:13827-1 RHSA-2024:3781

Modified

Published: 03 Apr 2024, 00:00

Last modified:04 Nov 2025, 18:30

Vulnerability Summary

Overall Risk (default)

medium

27/100

CVSS Score

6.7 MEDIUM

v3.1 (cve.org)

EPSS Score

0.35% LOW

0% probability +0.07%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

03 Apr 2024, 00:00

Published

Vulnerability first disclosed

04 Nov 2025, 18:30

Last Modified

Vulnerability information updated

Description

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

CVSS Metrics

v4.0•HIGH•Score: 7.3CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
v3.1•MEDIUM•Score: 6.7CVSS:3.1/AC:H/AV:L/A:H/C:H/I:H/PR:L/S:U/UI:R
v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
v3.1•MEDIUM•Score: 6.7CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.35%• Percentile: 58%

Techniques & Countermeasures

CWE-680•Integer Overflow to Buffer Overflow
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

Affected Systems

debian•debian_linux
10.0
PyPI•pillow
< 10.3.0
python•pillow
< 10.3.0