CVE-2026-40192 Pillow is vulnerable to a FITS GZIP decompression bomb

🗓️ 15 Apr 2026 22:53:56Reported by GitHub_MType

Pillow versions 10.3.0–12.1.1 are vulnerable to a gzipped data bomb in fits format causing memory exhaustion and denial of service.

Reporter	Title	Published	Views	Family All 79
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Pillow [CVE-2026-40192]	21 May 202615:21	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses pillow-11.3.0 which is vulnerable to CVE-2026-40192	15 Jun 202610:03	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses pillow-12.1.1-cp314-cp314-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl which is vulnerable to CVE-2026-40192	29 May 202610:34	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.	3 Jun 202607:18	–	ibm
ATTACKERKB	CVE-2026-40192	15 Apr 202622:53	–	attackerkb
Chainguard	CVE-2026-40192 vulnerabilities	17 Apr 202607:18	–	cgr
Circl	CVE-2026-40192	16 Apr 202600:48	–	circl
CNNVD	Pillow 安全漏洞	15 Apr 202600:00	–	cnnvd
CVE	CVE-2026-40192	15 Apr 202622:53	–	cve
Debian	[SECURITY] [DSA 6219-1] pillow security update	19 Apr 202618:22	–	debian

[
  {
    "vendor": "python-pillow",
    "product": "Pillow",
    "versions": [
      {
        "version": ">= 10.3.0, < 12.2.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
pillow	www.pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html
github	www.github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
github	www.github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
github	www.github.com/python-pillow/Pillow/pull/9521

15 Apr 2026 22:53Current

CVSS 48.7

EPSS0.00485