PT-2026-37199 · Pypi · Pillow
Kexinoh
·
Published
2026-05-04
·
Updated
2026-05-12
·
CVE-2026-42310
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Pillow versions 4.2.0 through 12.1.x
Description
A flaw in the
PdfParser allows an attacker to supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This occurs because the parser follows Prev pointers in PDF trailers to read cross-reference sections; if a pointer references an offset already processed, either by pointing to itself or forming a cycle, the parser enters an infinite loop.Recommendations
Update to version 12.2.0.
Fix
Infinite Loop
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pillow