Search for vulnerabilities
Vulnerability details: VCID-mchq-1526-aaad
Vulnerability ID VCID-mchq-1526-aaad
Aliases CVE-2016-4009
GHSA-hvr8-466p-75rh
PYSEC-2016-7
Summary Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-190 Integer Overflow or Wraparound
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4009.html
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01339 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.01483 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.05251 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1327134
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4009
cvssv2 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-hvr8-466p-75rh
cvssv3.1 9.8 https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
generic_textual CRITICAL https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
cvssv3.1 6.7 https://github.com/python-pillow/Pillow
generic_textual MODERATE https://github.com/python-pillow/Pillow
cvssv3.1 9.8 https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
generic_textual CRITICAL https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
cvssv3.1 9.8 https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
generic_textual CRITICAL https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
cvssv3.1 9.8 https://github.com/python-pillow/Pillow/pull/1714
generic_textual CRITICAL https://github.com/python-pillow/Pillow/pull/1714
cvssv2 10.0 https://nvd.nist.gov/vuln/detail/CVE-2016-4009
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2016-4009
cvssv3.1 7.8 https://security.gentoo.org/glsa/201612-52
generic_textual HIGH https://security.gentoo.org/glsa/201612-52
cvssv3.1 9.8 http://www.securityfocus.com/bid/86064
generic_textual CRITICAL http://www.securityfocus.com/bid/86064
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4009.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-4009.json
https://api.first.org/data/v1/epss?cve=CVE-2016-4009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4009
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
https://github.com/python-pillow/Pillow/pull/1714
https://security.gentoo.org/glsa/201612-52
http://www.securityfocus.com/bid/86064
1327134 https://bugzilla.redhat.com/show_bug.cgi?id=1327134
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
CVE-2016-4009 https://nvd.nist.gov/vuln/detail/CVE-2016-4009
GHSA-hvr8-466p-75rh https://github.com/advisories/GHSA-hvr8-466p-75rh
No exploits are available.
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow/pull/1714
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2016-4009
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-4009
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/201612-52
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/86064
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.78197
EPSS Score 0.01339
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.