PT-2026-37198 · Pypi · Pillow
Aclark4Life
·
Published
2026-05-04
·
Updated
2026-05-12
·
CVE-2026-42309
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Pillow versions 11.2.1 through 12.1.x
Description
Passing nested lists as coordinates to APIs that accept coordinates, such as 'ImagePath.Path', 'ImageDraw.ImageDraw.polygon', and 'ImageDraw.ImageDraw.line', can cause a heap buffer overflow. This occurs because nested lists are recursively unpacked beyond the allocated buffer. A heap buffer overflow is a memory corruption issue where data is written past the end of a buffer allocated on the heap, potentially leading to crashes or arbitrary code execution.
Recommendations
Update to version 12.2.0.
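Two defensive checks that follow from the description and recommendation above, added here as an example and not taken from the Pillow project: a version-range check against the affected range this advisory states (11.2.1 through 12.1.x, fixed in 12.2.0), and a coordinate validator that only lets the two shapes Pillow documents (flat numbers, or (x, y) pairs) through to the drawing APIs, refusing any deeper nesting as a defense-in-depth measure while the upgrade is rolled out. The function names and the version-parsing rules are assumptions for this example.

```python
from itertools import takewhile
from numbers import Real
from typing import Sequence

# Range taken from the advisory text: affected 11.2.1 .. 12.1.x, fixed in 12.2.0.
AFFECTED_MIN = (11, 2, 1)
FIXED = (12, 2, 0)


def parse_version(version: str) -> tuple:
    """'12.1.0' -> (12, 1, 0); a non-numeric tail such as '12.2.0rc1' is truncated."""
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True when the given Pillow version (e.g. PIL.__version__) is in the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def _is_pair(point) -> bool:
    """True for an (x, y) pair of plain numbers; False for anything deeper or longer."""
    return (isinstance(point, Sequence) and not isinstance(point, (str, bytes))
            and len(point) == 2 and all(isinstance(v, Real) for v in point))


def flatten_coordinates(xy) -> list:
    """Return [x0, y0, x1, y1, ...] as floats, or raise ValueError on nested input.

    Only a flat list of numbers or a list of (x, y) pairs is accepted, so an
    untrusted coordinate list is never handed to Pillow as a nested list.
    """
    if isinstance(xy, (str, bytes)) or not isinstance(xy, Sequence):
        raise ValueError("coordinates must be a list or tuple")
    if all(isinstance(v, Real) for v in xy):
        if len(xy) % 2:
            raise ValueError("flat coordinate list needs an even number of values")
        return [float(v) for v in xy]
    if all(_is_pair(p) for p in xy):
        return [float(v) for p in xy for v in p]
    raise ValueError("coordinates must be flat numbers or (x, y) pairs, not nested lists")
```

Call `flatten_coordinates()` on any externally supplied coordinate list before passing the result to `ImageDraw` methods such as `polygon` or `line`.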
Fix
Heap Based Buffer Overflow
Affected Products
Pillow