CVE-2026-25990

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Pillow versions 10.3.0 through 12.1.0

Description Pillow is a Python imaging library. An out-of-bounds write issue can occur when loading a specially crafted PSD image. This flaw exists within Pillow’s Photoshop Document (PSD) handler. The issue affects Pillow versions 10.3.0 and later.

Recommendations Update to Pillow version 12.1.1. As a workaround, use the formats parameter in Image.open() to prevent PSD images from being opened.

Exploit

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

BDU:2026-05702

BIT-PILLOW-2026-25990

CVE-2026-25990

GHSA-CFH3-3JMP-RVHC

OPENSUSE-SU-2026:10198-1

OPENSUSE-SU-2026:20458-1

RHSA-2026:14873

RHSA-2026:14874

RHSA-2026:6277

RHSA-2026:6278

SUSE-SU-2026:20992-1

USN-8047-1

Affected Products

Pillow

Red Os

CVE-2026-25990

Weakness Enumeration

Related Identifiers

Affected Products

References · 42