CVE-2021-28676 in Pillow
Summary
by MITRE • 06/02/2021
An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/31/2026
The vulnerability identified as CVE-2021-28676 resides within the Pillow library, a popular Python imaging library used for processing various image formats including FLI or Flic files. This issue represents a classic denial of service vulnerability that can be exploited through improper input validation during image parsing operations. The FLI format, originally developed by Autodesk for animated graphics, is a legacy format that requires specific decoding mechanisms within image processing libraries. When Pillow attempts to decode FLI data, it employs a FliDecode function that handles the parsing of the file structure. The flaw manifests when the block advance parameter, which determines how many bytes to advance through the file during decoding, is not properly validated to ensure it remains non-zero. This validation gap allows an attacker to craft malicious FLI files where the block advance value could be set to zero or cause unexpected behavior. The vulnerability directly maps to CWE-691, which addresses insufficient control flow management, specifically concerning infinite loops and uncontrolled resource consumption. The operational impact of this vulnerability extends beyond simple resource exhaustion as it can cause applications using Pillow to become unresponsive or crash entirely when attempting to load maliciously crafted FLI files. In practical scenarios, this vulnerability affects any application that processes user-uploaded images or loads external image data without proper input sanitization, potentially leading to service disruption for web applications, content management systems, or any software that relies on Pillow for image handling. The infinite loop condition created by the zero block advance value causes the decoding process to continuously iterate without making progress, consuming CPU resources and potentially leading to system instability. Attackers can exploit this by uploading or providing FLI files with malformed block advance values that trigger the loop, effectively creating a denial of service condition. The vulnerability demonstrates a fundamental flaw in input validation and control flow management within the image parsing pipeline, where the decoder fails to implement proper bounds checking and advance validation. From an attacker's perspective, this represents a low-effort, high-impact method of service disruption, as the malicious payload requires minimal complexity to construct and can be delivered through standard file upload mechanisms. The issue aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion, as the infinite loop effectively exhausts CPU resources. Organizations using Pillow versions prior to 8.2.0 should immediately implement mitigation strategies including input validation, file type checking, and updating to the patched version. The fix implemented in Pillow 8.2.0 addresses this by introducing proper validation of the block advance parameter, ensuring that it remains within expected bounds and preventing the infinite loop condition. This vulnerability serves as a reminder of the importance of robust input validation and proper control flow management in image processing libraries, particularly when handling legacy or less common file formats that may contain unexpected edge cases in their parsing logic. The security implications extend to any system where user-provided image data is processed without proper sanitization, emphasizing the critical need for comprehensive testing of image parsing functions against malformed inputs and the implementation of defensive programming practices to prevent resource exhaustion attacks.