PT-2026-7584 · Pillow+1
Yardenporat353 · Published 2026-02-11 · Updated 2026-03-27 · CVE-2026-25990
CVSS v4.0: 9.3 Critical | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Pillow versions 10.3.0 through 12.1.0
Description
Pillow is a Python imaging library. An out-of-bounds write issue can occur when loading a specially crafted PSD image. This flaw exists within Pillow’s Photoshop Document (PSD) handler. The issue affects Pillow versions 10.3.0 and later.
Recommendations
Update to Pillow version 12.1.1.
As a workaround, use the formats parameter in Image.open() to prevent PSD images from being opened.
Exploit
Fix
Memory Corruption
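The workaround from the Recommendations, shown as an added example (not code from this advisory or from the Pillow project): untrusted bytes are opened with an explicit format allowlist so the PSD handler is never tried, and the installed version is checked against the affected range. The `ALLOWED_FORMATS` list, the helper names and the sample bytes are assumptions constructed for illustration.

```python
import io
from PIL import Image, UnidentifiedImageError, __version__ as PILLOW_VERSION

# Assumption: the application only needs these formats. PSD is deliberately
# absent, so Image.open() never hands the input to the PSD handler.
ALLOWED_FORMATS = ("PNG", "JPEG", "GIF")


def is_affected(version: str = PILLOW_VERSION) -> bool:
    """True if `version` is in the advisory's range, 10.3.0 through 12.1.0."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (10, 3, 0) <= parts <= (12, 1, 0)


def open_untrusted(data: bytes):
    """Decode untrusted bytes with allowlisted plugins only; None if rejected."""
    try:
        img = Image.open(io.BytesIO(data), formats=ALLOWED_FORMATS)
    except UnidentifiedImageError:
        return None
    img.load()  # decode now so any decoder error surfaces at this call site
    return img


def demo() -> dict:
    # Constructed inputs: a 2x2 PNG, and a buffer that carries only the PSD
    # signature ("8BPS", version 1) followed by zero padding.
    buf = io.BytesIO()
    Image.new("RGB", (2, 2)).save(buf, format="PNG")
    psd_like = b"8BPS\x00\x01" + b"\x00" * 26
    png = open_untrusted(buf.getvalue())
    return {
        "installed_affected": is_affected(),
        "png": png.format if png else None,
        "psd": open_untrusted(psd_like),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist has to be passed at every call site that handles untrusted input; a plain `Image.open(fp)` elsewhere in the code base still tries all registered formats, PSD included.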
Weakness Enumeration
Related Identifiers
Affected Products
Pillow
Red Os