Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.
CVE-2016-0775
This medium-severity CVE scores 6.5 under NVD CVSS v3. EPSS exploit probability: 1.1%, top 22% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
A fix is available — apply it.
- CVSS v3
- 6.5
- EG Score
- 6.5(medium)
- EPSS
- 84.1%
- KEV
- Not listed
Published
April 13, 2016
Last Modified
May 6, 2026
References (8)
- secalert@redhathttp://www.debian.org/security/2016/dsa-3499
- secalert@redhathttps://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
- secalert@redhathttps://github.com/python-pillow/Pillow/commit/893a40850c2d5da41537958e40569c029a6e127b
- secalert@redhathttps://security.gentoo.org/glsa/201612-52
- af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2016/dsa-3499
- af854a3a-2127-422b-91ae-364da2661108https://github.com/python-pillow/Pillow/blob/c3cb690fed5d4bf0c45576759de55d054916c165/CHANGES.rst
- af854a3a-2127-422b-91ae-364da2661108https://github.com/python-pillow/Pillow/commit/893a40850c2d5da41537958e40569c029a6e127b
- af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201612-52
Patch Availability(2)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | python3-sane (2.3.0-1ubuntu3.2) @ trusty | 2026-05-22 | ubuntu |
| ubuntu | python-imaging (1.1.7-4ubuntu0.12.04.2) @ precise | 2026-05-22 | ubuntu |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| pillow | 1.0 ... 3.1.0rc1 (41 versions) | 3.1.1 | — |
All Vendor Advisories
(2)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
Frequently asked(5)
What is CVE-2016-0775?
When was CVE-2016-0775 disclosed?
Is CVE-2016-0775 actively exploited?
What is the CVSS score of CVE-2016-0775?
How do I remediate CVE-2016-0775?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2016-0775
Is Your Infrastructure Affected by CVE-2016-0775?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.