PT-2026-58072 · Pypi · Pillow

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-59204

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Pillow versions 8.2.0 through 12.2.0
Description In the src/libImaging/Jpeg2KDecode.c file, the library accumulates total component width across every tile in a JPEG2000 image instead of recomputing it per tile. This behavior allows a specially crafted tiled JPEG2000 file to cause significantly higher transient memory usage, which can lead to out-of-memory failures during the decoding process.
Recommendations Update to version 12.3.0.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59204
GHSA-VJC4-5QP5-M44J

Affected Products

Pillow