PT-2026-58090 · Pypi · Pillow
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-59199
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Pillow versions prior to 12.3.0
Description
Public image coordinate APIs in the Pillow Python imaging library can trigger a native heap out-of-bounds write. This occurs when coordinates near the signed 32-bit integer limits are provided to the
Image.paste(), Image.crop(), or Image.alpha composite() functions.Recommendations
Update to version 12.3.0.
As a temporary mitigation, avoid providing coordinates near the signed 32-bit integer limits to the
Image.paste(), Image.crop(), and Image.alpha composite() functions.Exploit
Fix
Integer Overflow
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Pillow