PT-2026-32580 · Pypi · Pillow

Published 2024-03-25 · Updated 2026-05-22 · CVE-2026-40192

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Pillow versions 10.3.0 through 12.1.1

Description: Lack of limits on the amount of GZIP-compressed data read when decoding a FITS image allows for decompression bomb attacks. A specially crafted FITS file can cause unbounded memory consumption, resulting in a denial of service through an OOM (Out of Memory) crash or severe performance degradation.

Recommendations: Update to version 12.2.0. As a temporary workaround, only open specific image formats, excluding FITS.
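The workaround above, shown as an added example that is not part of this advisory or of Pillow itself: an image loader that passes an explicit allowlist to `Image.open` via its `formats` parameter (available since Pillow 7.1), so the FITS plugin, and with it the unbounded gzip read, is never tried. The allowlist, the sample PNG and the FITS-style header bytes are constructed for the demonstration.

```python
# Added example: open images with a format allowlist so FITS is never decoded.
# Assumes Pillow >= 7.1 (Image.open accepts a `formats=` list/tuple).
import io
from PIL import Image, UnidentifiedImageError

# Formats the application actually needs; FITS is deliberately not listed.
ALLOWED_FORMATS = ("JPEG", "PNG")


def open_allowed(data: bytes):
    """Return (format, size) for an image in an allowed format, else None.

    `formats=` restricts which plugins Pillow tries, so FITS input is refused
    by Image.open before FitsImagePlugin (and its gzip handling) ever runs.
    """
    try:
        with Image.open(io.BytesIO(data), formats=ALLOWED_FORMATS) as im:
            return im.format, im.size
    except UnidentifiedImageError:
        # No allowed plugin recognised the data: reject instead of guessing.
        return None


def make_png(width: int = 4, height: int = 3) -> bytes:
    """Constructed sample input: a tiny valid PNG built in memory."""
    buf = io.BytesIO()
    Image.new("RGB", (width, height), (255, 0, 0)).save(buf, format="PNG")
    return buf.getvalue()


# Constructed stand-in for a FITS file: just the first 80-byte header card
# ("SIMPLE = T") that Pillow's FITS plugin keys on. Because FITS is not in
# ALLOWED_FORMATS, the plugin is never consulted and the bytes are rejected.
FAKE_FITS = b"SIMPLE  =                    T".ljust(80, b" ")

if __name__ == "__main__":
    print(open_allowed(make_png()))  # ('PNG', (4, 3))
    print(open_allowed(FAKE_FITS))   # None
```

The same allowlist should be applied at every Pillow entry point that accepts untrusted bytes (for example an upload handler), not only at one call site.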

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2026-05627
BIT-PILLOW-2026-40192
CVE-2026-40192
ECHO-1C52-724C-58AD
GHSA-WHJ4-6X5X-4V2J
OESA-2026-2064
OESA-2026-2065
OESA-2026-2066
OPENSUSE-SU-2026:10575-1
OPENSUSE-SU-2026:20617-1
USN-8211-1

Affected Products

Pillow