CVE-2026-28231 MEDIUM

CVE-2026-28231: pillow_heif Has Integer Overflow in Encode Path Buffer Validation that Leads to Heap Out-of-Bounds Read

Vendor Bigcat88
Product pillow_heif
Weakness CWE-125
Published February 27, 2026
Last update March 3, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

pillow_heif is a Python library for working with HEIF images and plugin for Pillow. Prior to version 1.3.0, an integer overflow in the encode path buffer validation of `_pillow_heif.c` allows an attacker to bypass bounds checks by providing large image dimensions, resulting in a heap out-of-bounds read. This can lead to information disclosure (server heap memory leaking into encoded images) or denial of service (process crash). No special configuration is required — this triggers under default settings. Version 1.3.0 fixes the issue.

Key dates

02Disclosure timeline

February 27, 2026 CVE published
March 3, 2026 Record updated