Add CVSS 3.1 score for GHSA-cfh3-3jmp-rvhc (Pillow OOB Write via PSD) #6851

Open
sunnypatell wants to merge 1 commit into github:sunnypatell/advisory-improvement-6851 from sunnypatell:add-cvss31-GHSA-cfh3-3jmp-rvhc

Conversation


Changes

Added missing CVSS 3.1 scoring to GHSA-cfh3-3jmp-rvhc (Pillow Out-of-Bounds Write via PSD Images).

Added:

  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 High)

Reason for change

This advisory had no CVSS 3.1 score. NVD only provides CVSS 4.0 scoring (8.9) for CVE-2026-25990. Adding a CVSS 3.1 vector ensures broader compatibility with vulnerability management tools that rely on CVSS 3.1 for severity assessment.

CVSS justification

  • AV:N because crafted PSD files can be delivered over the network (web uploads, image processing APIs, email attachments)
  • AC:L because the OOB write triggers reliably when Pillow processes any crafted PSD file, with no special conditions needed
  • PR:N because no authentication is required to submit a crafted image to a processing service
  • UI:R because a user or application must actively open/process the crafted PSD file (this differs from the CVSS 4.0 vector, which uses UI:N, but file parsing vulnerabilities in CVSS 3.1 conventionally require user interaction since the victim must choose to process the file)
  • C:H/I:H/A:H because an out-of-bounds write in Pillow's native C image decoder gives full memory corruption potential: arbitrary code execution, data exfiltration, and process crash

The CVSS 4.0 vector uses UI:N and E:P (PoC exists), resulting in 8.9. The CVSS 3.1 translation uses UI:R per standard practice for file-parsing vulnerabilities, resulting in 8.8.

Supporting links

Copilot AI review requested due to automatic review settings, February 12, 2026 03:38
github-actions bot changed the base branch from main to sunnypatell/advisory-improvement-6851, February 12, 2026 03:39

Copilot AI left a comment


Pull request overview

Adds a missing CVSS 3.1 vector to the GHSA advisory so consumers that rely on CVSS v3 can compute severity consistently alongside existing CVSS v4 data.

Changes:

  • Add a CVSS_V3 entry with a CVSS:3.1 vector to the advisory’s severity list
  • Normalize/fix the JSON file ending/formatting

Comment on lines +12 to 18
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
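Review bot: The CVSS_V3 `score` value on the third line of this region checks out against the 8.8 stated in the description: under the CVSS 3.1 base formula, Impact = 6.42 × (1 - 0.44 × 0.44 × 0.44) ≈ 5.87 and Exploitability = 8.22 × 0.85 × 0.77 × 0.85 × 0.62 ≈ 2.84, and their sum 8.71 rounds up to 8.8; the same vector with UI:N would give 9.8, so UI:R is what brings the 3.1 score to within 0.1 of the 8.9 CVSS 4.0 score. The `},` closing that object is present in the lines shown, so the separator between the CVSS_V3 and CVSS_V4 objects is in place.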
Copilot AI Feb 12, 2026


The JSON will be invalid if there isn’t a comma separating the CVSS_V3 object from the following CVSS_V4 object. Ensure line 15 ends with a comma (i.e., },) before the next object begins.
