PT-2026-55964 · Python Pillow · Pillow
X-Forwarded-Sudo
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-55379
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image. decompression bomb check(), bypassing Pillow's documented decompression bomb protection and allowing excessive memory allocation. This issue is fixed in version 12.3.0.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pillow