Is there a patch available for CVE-2026-42308?

Yes, a patch is available for CVE-2026-42308. Update the affected software to the latest version immediately.

Pillow CVE-2026-42308

Q: What is the CVSS score of CVE-2026-42308?

CVE-2026-42308 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28900 MEDIUM

Integer Overflow or Wraparound (CWE-190)

2026-05-04 https://github.com/python-pillow/Pillow

GHSA-wjx4-4jcj-g98j

Buffer Overflow Integer Overflow Red Hat Suse

5.1

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 04, 2026 - 21:02 vuln.today

Analysis Generated

May 04, 2026 - 21:02 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

81,791 pypi packages depend on pillow (17,314 direct, 65,731 indirect)

Ecosystem-wide dependent count for version 12.2.0.

DescriptionNVD

If a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This has been fixed.

AnalysisAI

Integer overflow in Pillow's font glyph processing allows remote code execution or denial of service when handling maliciously crafted fonts with extremely large glyph advance values. Pillow versions before 12.2.0 are affected. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-42308 vulnerability details – vuln.today

Back

Pillow CVE-2026-42308

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

Pillow CVE-2026-42308

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code