From d07aa6fd17d356b8f09f89a5c485fc8b1532635f Mon Sep 17 00:00:00 2001 From: Andrew Murray <3112309+radarhere@users.noreply.github.com> Date: Sat, 28 Jun 2025 00:30:22 +1000 Subject: [PATCH] Added release notes for #9041 (#9042) Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- docs/releasenotes/11.3.0.rst | 38 +++++++++++------------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/docs/releasenotes/11.3.0.rst b/docs/releasenotes/11.3.0.rst index 654a7e6b6..2d35d8228 100644 --- a/docs/releasenotes/11.3.0.rst +++ b/docs/releasenotes/11.3.0.rst @@ -4,21 +4,21 @@ Security ======== -TODO -^^^^ +:cve:`2025-48379`: Write buffer overflow on BCn encoding +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO +There is a heap buffer overflow when writing a sufficiently large (>64k encoded with +default settings) image in the DDS format due to writing into a buffer without checking +for available space. -:cve:`YYYY-XXXXX`: TODO -^^^^^^^^^^^^^^^^^^^^^^^ +This only affects users who save untrusted data as a compressed DDS image. -TODO +* Unclear how large the potential write could be. It is likely limited by process + segfault, so it's not necessarily deterministic. It may be practically unbounded. +* Unclear if there's a restriction on the bytes that could be emitted. It's likely that + the only restriction is that the bytes would be emitted in chunks of 8 or 16. -Backwards incompatible changes -============================== - -TODO -^^^^ +This was introduced in Pillow 11.2.0 when the feature was added. Deprecations ============ @@ -41,22 +41,6 @@ another mode before saving:: im = Image.new("I", (1, 1)) im.convert("I;16").save("out.png") -API changes -=========== - -TODO -^^^^ - -TODO - -API additions -============= - -TODO -^^^^ - -TODO - Other changes =============
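Review bot: In the first hunk, the two bullets under the :cve:`2025-48379` entry ("Unclear how large the potential write could be..." and "Unclear if there's a restriction on the bytes...") read as triage notes rather than release-note text, and they leave a reader unable to judge severity. Suggest folding them into one plain impact statement: the size of the out-of-bounds write is not known to be bounded, and its content is constrained only in that it is emitted in chunks of 8 or 16 bytes. In the same entry, ">64k encoded with default settings" has no unit. If bytes of encoded output is meant, say so, since that threshold is what tells a user whether their images can reach the overflow. The entry states that the bug was introduced in Pillow 11.2.0 but never says explicitly that 11.3.0 contains the fix. A closing sentence naming the fixed version would let users who save untrusted data as compressed DDS act on the entry without inferring it from which release-notes file they are reading.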