PT-2026-55962 · Python Pillow · Pillow

X-Forwarded-Sudo

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-54059

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py load bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image. decompression bomb check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54059

Affected Products

Pillow