PT-2026-55963 · Python Pillow · Pillow
Dino320
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-54060
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new("1", (xsize, ysize)) without calling Image. decompression bomb check(), allowing a font to trigger excessive allocation during conversion or saving. This issue is fixed in version 12.3.0.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pillow