319 matches found
CVE-2026-54060
A flaw was found in Pillow, a Python imaging library. When processing a specially crafted font file, the library's font compilation function does not adequately check for excessive memory allocation. This oversight allows a remote attacker to trigger an unreasonable consumption of system memory,...
CVE-2026-55380
A flaw was found in Pillow, a Python imaging library. A remote attacker could exploit this vulnerability by providing a specially crafted GD 2.x image file. The GdImageFile.open function reads image dimensions without proper validation, leading to excessive memory allocation. This can result in a...
CVE-2026-55379
A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to cause a Denial of Service DoS by providing a specially crafted BDF font file. The library's image processing function fails to properly validate dimensions from the font file, bypassing a critical...
Linux Distros Unpatched Vulnerability : CVE-2026-55380
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile.open read image dimensions from the GD 2.x header and stored them in self.si...
Linux Distros Unpatched Vulnerability : CVE-2026-54059
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py loadbitmaps read glyph dimensions from the PCF METRICS section and passed them directly ...
CVE-2026-55379 Pillow BdfFontFile`: `Image.new()` called without `_decompression_bomb_check()` — bomb protection bypass via font loading
Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdfchar read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new without calling Image.decompressionbombcheck, bypassing Pillow's documented decompression bomb protection...
CVE-2026-55380
Pillow (Python imaging library) vulnerability: Prior to 12.3.0, in GdImageFile._open(), image dimensions were read from the GD 2.x header and stored in self._size without invoking Image._decompression_bomb_check(), allowing a crafted .gd file to trigger excessive C-heap allocation. Impact: potent...
CVE-2026-54059
Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py loadbitmaps read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes without calling Image.decompressionbombcheck, allowing crafted PCF font data to cause excessive memory allocation. Thi...
PT-2026-55965
Name of the Vulnerable Software and Affected Versions Pillow versions prior to 12.3.0 Description In the Python imaging library, the GdImageFile. open function in PIL/GdImageFile.py reads image dimensions from the GD 2.x header and stores them in self. size without invoking Image. decompression...
Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service DoS by providing a specially crafted FITS image file. The library's failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory...
Important: Red Hat Security Advisory: Satellite 6.17.9 Async Update
A new release is now available for Red Hat Satellite 6.17 for RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...
EulerOS 2.0 SP15 : python-pillow (EulerOS-SA-2026-2502)
According to the versions of the python-pillow packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP- compressed data read when decoding a...
RHEL 9 : Satellite 6.18.6 Async Update (Important) (RHSA-2026:28385)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:28385 advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity t...
RHEL 8 / 9 : Satellite 6.16.9 Async Update (Important) (RHSA-2026:27076)
The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:27076 advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessi...
Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service DoS by providing a specially crafted FITS image file. The library's failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses pillow-11.3.0 which is vulnerable to CVE-2026-40192
Summary IBM Maximo Application Suite - Visual Inspection component uses pillow-11.3.0 which is vulnerable to CVE-2026-40192, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-40192 DESCRIPTION: Pillow is a Python imaging...
Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service DoS by providing a specially crafted FITS image file. The library's failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory...
Security Bulletin: IBM Edge Data Collector uses pillow-12.1.1-cp314-cp314-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl which is vulnerable to CVE-2026-40192
Summary IBM Edge Data Collector Component uses pillow-12.1.1-cp314-cp314-manylinux227x8664.manylinux228x8664.whl which is vulnerable to CVE-2026-40192. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-40192 DESCRIPTION: Pillow is a Python imagi...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-pillow (UTSA-2026-016601)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016601 advisory. pathgetbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. Tenable has extracted the preceding description block...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-pillow (UTSA-2026-016600)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016600 advisory. Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. Tenable has extracted the preceding description block directly from the Unity Linux security...