
Pillow CVE-2026-42311

Severity: HIGH
Weakness: Integer Overflow or Wraparound (CWE-190)
Date: 2026-05-04
Project: https://github.com/python-pillow/Pillow
Advisory: GHSA-pwv6-vv43-88gr
Score: 8.6 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector (AV): Local
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Vulnerable System Confidentiality / Integrity / Availability (VC/VI/VA): High / High / High
Subsequent System Confidentiality / Integrity / Availability (SC/SI/SA): None / None / None
Safety (S, supplemental metric): Not Defined (X). CVSS 4.0 has no Scope metric; the S component of the vector is Safety.

Lifecycle Timeline (5 events)

  • May 09, 2026 06:28 (vuln.today): Analysis updated, v2 (cvss_changed)
  • May 09, 2026 06:22 (vuln.today): Re-analysis queued (cvss_changed)
  • May 09, 2026 06:22 (NVD): CVSS changed, now 8.6 (HIGH)
  • May 04, 2026 21:02 (vuln.today): Source code evidence fetched
  • May 04, 2026 21:02 (vuln.today): Analysis generated

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a path depth of 4):
  • 355 PyPI packages depend on pillow (296 direct, 65 indirect)

Ecosystem-wide dependent count for version 10.3.0.

Description (NVD)

Impact

Processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution.

Patches

Patched version: 12.2.0

Pillow 12.1.1 addressed CVE-2026-25990 by adding checks on tile extents in PSD image decoding and encoding to prevent an out-of-bounds write. However, those bounds checks computed the tile extent sums in integer types that can overflow, so a PSD image with carefully chosen tile dimensions can produce sums that wrap around, pass the checks, and still trigger an out-of-bounds write in src/decode.c and src/encode.c. The fix compares the extents without first adding them together, so there is no intermediate sum that can wrap.
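The following is an added illustration of the pattern the advisory describes; it is not Pillow's code and does not reproduce its PSD decoder. The tile_t layout, the image size, the honest and crafted tiles, and the three functions are all constructed for the example. The first check forms the tile's right and bottom edges by adding two attacker-controlled 32-bit values and then compares the (possibly wrapped) sums; the second check is the hardened form that compares a size against the remaining room instead of adding. A 64-bit helper shows how far past the buffer a decoder that trusted the wrapped check would write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Pillow's code. A tile is described by its origin
 * (x0, y0) and size (w, h). All fields are 32-bit unsigned so that
 * wraparound is well defined; signed overflow would be undefined behaviour
 * in C and the compiler could legitimately delete the check entirely. */
typedef struct {
    uint32_t x0, y0;   /* tile origin inside the image */
    uint32_t w, h;     /* tile width and height, attacker-controlled */
} tile_t;

/* Overflow-prone check of the kind the advisory describes: it forms the
 * right and bottom edges by adding two attacker-controlled values in the
 * same 32-bit type, then compares the possibly wrapped sums. */
bool tile_in_bounds_wrapping(tile_t t, uint32_t img_w, uint32_t img_h) {
    uint32_t x1 = t.x0 + t.w;   /* wraps modulo 2^32 for large w */
    uint32_t y1 = t.y0 + t.h;
    return t.x0 <= img_w && t.y0 <= img_h && x1 <= img_w && y1 <= img_h;
}

/* Hardened check: never adds two extents. Once x0 <= img_w is known,
 * img_w - x0 cannot underflow, and "w <= img_w - x0" is exactly
 * "x0 + w <= img_w" evaluated without any intermediate that can wrap. */
bool tile_in_bounds_safe(tile_t t, uint32_t img_w, uint32_t img_h) {
    if (t.x0 > img_w || t.y0 > img_h) {
        return false;
    }
    return t.w <= img_w - t.x0 && t.h <= img_h - t.y0;
}

/* How many bytes past the end of an img_w*img_h single-byte pixel buffer a
 * decoder that trusted the tile would write its last pixel, computed in
 * 64 bits so the true extent is visible. Returns 0 when the tile fits. */
uint64_t bytes_past_end(tile_t t, uint32_t img_w, uint32_t img_h) {
    if (t.w == 0 || t.h == 0) {
        return 0;
    }
    uint64_t last_row  = (uint64_t)t.y0 + t.h - 1;
    uint64_t last_col  = (uint64_t)t.x0 + t.w - 1;
    uint64_t last_byte = last_row * img_w + last_col + 1;   /* exclusive end */
    uint64_t buf_size  = (uint64_t)img_w * img_h;
    return last_byte > buf_size ? last_byte - buf_size : 0;
}

/* Constructed inputs: a 64x64 image, an honest 32x32 tile at (16,16), and a
 * crafted tile at x0 = 32 whose width 0xFFFFFFF0 makes x0 + w wrap to 16. */
#define IMG_W 64u
#define IMG_H 64u
static const tile_t HONEST_TILE  = { 16, 16, 32, 32 };
static const tile_t CRAFTED_TILE = { 32, 16, 0xFFFFFFF0u, 32 };

int main(void) {
    const tile_t *tiles[2] = { &HONEST_TILE, &CRAFTED_TILE };
    const char *names[2]   = { "honest", "crafted" };
    for (int i = 0; i < 2; i++) {
        printf("%s tile: wrapping check %s, safe check %s, bytes past end %llu\n",
               names[i],
               tile_in_bounds_wrapping(*tiles[i], IMG_W, IMG_H) ? "accepts" : "rejects",
               tile_in_bounds_safe(*tiles[i], IMG_W, IMG_H) ? "accepts" : "rejects",
               (unsigned long long)bytes_past_end(*tiles[i], IMG_W, IMG_H));
    }
    return 0;
}
```

The crafted tile passes the wrapping check because 32 + 0xFFFFFFF0 is 16 modulo 2^32, yet its real right edge lies about 4 GiB past the image. The subtraction form is the idiom the advisory describes; where a sum genuinely has to be computed, the other standard option is a checked add such as GCC/Clang's __builtin_add_overflow, rejecting the tile when it reports overflow.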

Workarounds

No workaround other than running an unaffected version is listed. Affected versions: >= 10.3.0, < 12.2.0. Because the trigger is a malicious PSD file, not accepting PSD input from untrusted sources limits exposure until the upgrade to 12.2.0 or later is done.

Resources

  • Fix: https://github.com/python-pillow/Pillow/pull/9520
  • Original issue: CVE-2026-25990 (incomplete fix shipped in Pillow 12.1.1)

Analysis (AI-generated)

An integer overflow in Pillow 10.3.0 through 12.1.1 bypasses the bounds checks on PSD tile extents, allowing memory corruption and potentially arbitrary code execution when a malicious PSD file is processed. CVE-2026-42311 stems from an incomplete fix for CVE-2026-25990: the original patch added tile extent validation but computed the extent sums in overflow-prone integer types. …


Remediation (AI-generated)

Within 24 hours: identify every system and application running Pillow 10.3.0 through 12.1.1 (check pip freeze output, requirements.txt, Docker manifests and dependency trees). Within 7 days: deploy Pillow 12.2.0 or later across development, staging and production, and verify with pip show pillow. …

