Skip to main content

Pillow EUVDEUVD-2026-28901

| CVE-2026-42309 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-04 https://github.com/python-pillow/Pillow GHSA-5xmw-vc9v-4wf2
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 21:02 vuln.today
Analysis Generated
May 04, 2026 - 21:02 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 185 pypi packages depend on pillow (153 direct, 32 indirect)

Ecosystem-wide dependent count for version 11.2.1.

DescriptionGitHub Advisory

Passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This was introduced in Pillow 11.2.1.

AnalysisAI

Heap buffer overflow in Pillow 11.2.1 through 12.1.x allows local attackers to cause denial of service or potentially execute arbitrary code by passing deeply nested list structures as coordinates to ImagePath.Path, ImageDraw.polygon, or ImageDraw.line APIs, which recursively unpack coordinates beyond allocated buffer boundaries.

Technical ContextAI

Pillow is a Python imaging library that provides APIs for drawing operations on images. The vulnerability exists in coordinate handling for drawing primitives (polygon, line) and path operations. When processing coordinate arguments, the code failed to validate that coordinate pairs were properly formed two-element numeric tuples; instead, it recursively unpacked nested list structures without bounds checking. This classic heap buffer overflow (CWE-122: Stack-based Buffer Overflow / Heap-based) occurs because the unpacking logic did not account for the depth of nesting and continued writing beyond the pre-allocated buffer. The affected CPE is pip/pillow, a Python package distributed via PyPI.

RemediationAI

Upgrade Pillow to version 12.2.0 or later immediately via 'pip install --upgrade pillow>=12.2.0'. If immediate upgrade is not feasible, apply input validation at the application layer by sanitizing coordinate data before passing to ImagePath.Path, ImageDraw.polygon, or ImageDraw.line: validate that each coordinate is a two-element tuple or list containing only numeric values, and reject any nested list structures. This workaround has minimal performance impact but requires code changes in all calling code paths. Refer to the official advisory at https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2 for additional technical details and verification steps.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-28901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy