CVE-2021-28676

Name: CVE-2021-28676
Creator: NVD / NIST
Published: 2021-06-02T16:15:08.797+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 2.45%

Last modified Jun 17, 2026

CVE-2021-28676 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.. EPSS estimates a 2.45% chance of exploitation in the next 30 days.

Description

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

2.45%

82.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-835

Affected Software

Vendor	Product	Versions
Python	Pillow	< 8.2.0
Fedoraproject	Fedora	33

References

https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856Patch
https://github.com/python-pillow/Pillow/pull/5377Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00018.htmlThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/Mailing List
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dosRelease Notes, Third Party Advisory
https://security.gentoo.org/glsa/202107-33Third Party Advisory
https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856Patch
https://github.com/python-pillow/Pillow/pull/5377Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00018.htmlThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/Mailing List
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dosRelease Notes, Third Party Advisory
https://security.gentoo.org/glsa/202107-33Third Party Advisory

Timeline

Published: Jun 2, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-28676?

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

How severe is CVE-2021-28676?

CVE-2021-28676 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 2.45% probability of exploitation in the next 30 days.

How do I fix CVE-2021-28676?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-28676?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST