Skip to main content

Python Pillow CVE-2026-59197

| EUVDEUVD-2026-43734 HIGH
Out-of-bounds Write (CWE-787)
2026-07-14 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable only where the app exposes filter size to untrusted input, so AC:H; no auth at Pillow level (PR:N); crash-dominant (A:H) with limited memory-write integrity impact (I:L) and no confidentiality loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Patch available
Jul 14, 2026 - 18:20 EUVD
Source Code Evidence Fetched
Jul 14, 2026 - 17:00 vuln.today
Analysis Generated
Jul 14, 2026 - 17:00 vuln.today
CVE Published
Jul 14, 2026 - 16:25 cve.org
HIGH 8.2

DescriptionCVE.org

Pillow is a Python imaging library. Prior to 12.3.0, Pillow's public rank-filter API can trigger a native heap out-of-bounds write when given a very large odd filter size because ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before rank-filter size validation and ImagingExpand() computes output dimensions with unchecked signed int arithmetic. This issue is fixed in version 12.3.0.

AnalysisAI

Heap out-of-bounds write in Python Pillow prior to 12.3.0 lets an attacker who controls the rank-filter size parameter corrupt native heap memory and crash or potentially manipulate the process. ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before validating the filter size, and the native ImagingExpand() routine computes output dimensions using unchecked signed-int arithmetic, so a very large odd size overflows and drives an out-of-bounds write (CWE-787). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach image endpoint exposing filter size
Delivery
Submit oversized odd rank-filter size
Exploit
image.expand computes overflowed margin
Execution
ImagingExpand under-allocates buffer
Persist
Native heap out-of-bounds write
Impact
Worker crash or memory corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires that the application pass an attacker-influenced filter size into ImageFilter.RankFilter (or its MedianFilter/MinFilter/MaxFilter subclasses), or otherwise reach im.expand() with an attacker-controlled margin, on Pillow before 12.3.0; the concrete trigger is a very large odd filter size (the regression test uses 23171) whose size//2 margin overflows signed-int arithmetic in native ImagingExpand(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H): network vector, no privileges, no user interaction, low integrity impact and high availability impact, with no confidentiality loss - consistent with a memory-corruption bug that most reliably yields a crash/DoS and only conditionally something more. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application exposes an image-processing endpoint that lets a user choose a rank/median filter radius, and passes that value into ImageFilter.RankFilter without an upper bound. An attacker submits a very large odd filter size, causing image.expand() to trigger the unchecked signed-int overflow in ImagingExpand() and a heap out-of-bounds write, crashing the worker process (denial of service) with the potential for further memory corruption. …
Remediation Vendor-released patch: upgrade Pillow to 12.3.0 or later (pip install --upgrade 'Pillow>=12.3.0'), which adds bounds validation in both ImageFilter.py and the native ImagingExpand() path; see the advisory at https://github.com/python-pillow/Pillow/security/advisories/GHSA-xj96-63gp-2gmr and the tagged release https://github.com/python-pillow/Pillow/releases/tag/12.3.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all applications and systems using Python Pillow and document their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-59197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy