pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attacker to bypass bounds checks by providing large image dimensions, resulting in a heap out-of-bounds read. This can lead to information disclosure (server heap memory leaking into encoded images) or denial of service (process crash). No special configuration is required — this triggers under default settings. Version 1.3.0 fixes the issue.
References
| Link | Resource |
|---|---|
| https://github.com/bigcat88/pillow_heif/commit/8305a15d3780c533b762578cbe987d27a2c59c7a | Patch |
| https://github.com/bigcat88/pillow_heif/releases/tag/v1.3.0 | Product Release Notes |
| https://github.com/bigcat88/pillow_heif/security/advisories/GHSA-5gjj-6r7v-ph3x | Exploit Mitigation Vendor Advisory |
Configurations
History
04 Mar 2026, 15:55
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Bigcat88
Bigcat88 pillow-heif |
|
| References | () https://github.com/bigcat88/pillow_heif/commit/8305a15d3780c533b762578cbe987d27a2c59c7a - Patch | |
| References | () https://github.com/bigcat88/pillow_heif/releases/tag/v1.3.0 - Product, Release Notes | |
| References | () https://github.com/bigcat88/pillow_heif/security/advisories/GHSA-5gjj-6r7v-ph3x - Exploit, Mitigation, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
| CPE | cpe:2.3:a:bigcat88:pillow-heif:*:*:*:*:*:python:*:* |
27 Feb 2026, 20:21
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-27 20:21
Updated : 2026-03-04 15:55
NVD link : CVE-2026-28231
Mitre link : CVE-2026-28231
CVE.ORG link : CVE-2026-28231
JSON object : View
Products Affected
bigcat88
- pillow-heif