PT-2026-58072 · Pypi · Pillow
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-59204
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Pillow versions 8.2.0 through 12.2.0
Description
In the
src/libImaging/Jpeg2KDecode.c file, the library accumulates total component width across every tile in a JPEG2000 image instead of recomputing it per tile. This behavior allows a specially crafted tiled JPEG2000 file to cause significantly higher transient memory usage, which can lead to out-of-memory failures during the decoding process.Recommendations
Update to version 12.3.0.
Exploit
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Pillow