PT-2026-55964 · Python Pillow · Pillow

X-Forwarded-Sudo

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-55379

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image. decompression bomb check(), bypassing Pillow's documented decompression bomb protection and allowing excessive memory allocation. This issue is fixed in version 12.3.0.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55379

Affected Products

Pillow