Search for vulnerabilities
Vulnerability details: VCID-ztzc-n13b-5fcw
Vulnerability ID VCID-ztzc-n13b-5fcw
Aliases CVE-2016-4009
GHSA-hvr8-466p-75rh
PYSEC-2016-7
Summary Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-190 Integer Overflow or Wraparound
System Score Found at
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
epss 0.03498 https://api.first.org/data/v1/epss?cve=CVE-2016-4009
cvssv2 6.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 9.8 https://github.com/advisories/GHSA-hvr8-466p-75rh
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-hvr8-466p-75rh
generic_textual CRITICAL https://github.com/advisories/GHSA-hvr8-466p-75rh
cvssv3.1 9.8 https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
generic_textual CRITICAL https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
cvssv3.1 9.8 https://github.com/python-pillow/Pillow
generic_textual CRITICAL https://github.com/python-pillow/Pillow
cvssv3.1 9.8 https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
generic_textual CRITICAL https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
cvssv3.1 9.8 https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
generic_textual CRITICAL https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
cvssv3.1 9.8 https://github.com/python-pillow/Pillow/pull/1714
generic_textual CRITICAL https://github.com/python-pillow/Pillow/pull/1714
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2016-4009
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2016-4009
cvssv3.1 9.8 https://security.gentoo.org/glsa/201612-52
generic_textual CRITICAL https://security.gentoo.org/glsa/201612-52
cvssv3.1 9.8 http://www.securityfocus.com/bid/86064
generic_textual CRITICAL http://www.securityfocus.com/bid/86064
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-4009.json
https://api.first.org/data/v1/epss?cve=CVE-2016-4009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4009
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/advisories/GHSA-hvr8-466p-75rh
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
https://github.com/python-pillow/Pillow/pull/1714
https://nvd.nist.gov/vuln/detail/CVE-2016-4009
https://security.gentoo.org/glsa/201612-52
http://www.securityfocus.com/bid/86064
1327134 https://bugzilla.redhat.com/show_bug.cgi?id=1327134
No exploits are available.
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-hvr8-466p-75rh
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-7.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow/commit/4e0d9b0b9740d258ade40cce248c93777362ac1e
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow/pull/1714
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-4009
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/201612-52
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/86064
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.87151
EPSS Score 0.03498
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:05:47.799080+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2016-7.yaml 37.0.0