CWE-789
AllowedMemory Allocation with Excessive Size Value
Abstraction: Variant · Status: Draft
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
319 vulnerabilities reference this CWE, most recent first.
CVE-2026-59938 (GCVE-0-2026-59938)
Vulnerability from cvelistv5 – Published: 2026-07-08 17:24 – Updated: 2026-07-09 13:58- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/py-pdf/pypdf/security/advisori… | x_refsource_CONFIRM |
| https://github.com/py-pdf/pypdf/pull/3888 | x_refsource_MISC |
| https://github.com/py-pdf/pypdf/commit/c64583be16… | x_refsource_MISC |
| https://github.com/py-pdf/pypdf/releases/tag/6.14.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59938",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:58:08.413307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:58:17.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pypdf",
"vendor": "py-pdf",
"versions": [
{
"status": "affected",
"version": "\u003c 6.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.14.0, an attacker can craft a PDF with declared image size values that are much too large compared to the actual data, causing large memory usage in pypdf image parsing. This issue is fixed in version 6.14.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T17:24:29.959Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-5qjq-93h5-hrgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-5qjq-93h5-hrgp"
},
{
"name": "https://github.com/py-pdf/pypdf/pull/3888",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/pull/3888"
},
{
"name": "https://github.com/py-pdf/pypdf/commit/c64583be16b8e8763d8777075f8ecbf382014b7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/commit/c64583be16b8e8763d8777075f8ecbf382014b7a"
},
{
"name": "https://github.com/py-pdf/pypdf/releases/tag/6.14.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.14.0"
}
],
"source": {
"advisory": "GHSA-5qjq-93h5-hrgp",
"discovery": "UNKNOWN"
},
"title": "pypdf: Possible large memory usage for wrong image dimensions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59938",
"datePublished": "2026-07-08T17:24:29.959Z",
"dateReserved": "2026-07-07T18:20:06.127Z",
"dateUpdated": "2026-07-09T13:58:17.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59204 (GCVE-0-2026-59204)
Vulnerability from cvelistv5 – Published: 2026-07-14 15:38 – Updated: 2026-07-14 15:38- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/python-pillow/Pillow/security/… | x_refsource_CONFIRM |
| https://github.com/python-pillow/Pillow/pull/9704 | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/commit/13… | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| python-pillow | Pillow |
Affected:
>= 8.2.0, < 12.3.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Pillow",
"vendor": "python-pillow",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.2.0, \u003c 12.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pillow is a Python imaging library. From 8.2.0 through 12.2.0, src/libImaging/Jpeg2KDecode.c accumulates total_component_width across every tile in a JPEG2000 image instead of recomputing it per tile, allowing a crafted tiled JPEG2000 file to force substantially higher transient memory usage and trigger out-of-memory failures during decoding. This issue is fixed in version 12.3.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:38:29.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-vjc4-5qp5-m44j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-vjc4-5qp5-m44j"
},
{
"name": "https://github.com/python-pillow/Pillow/pull/9704",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/pull/9704"
},
{
"name": "https://github.com/python-pillow/Pillow/commit/13ada41172142f2fd9f0906f615a00ea623a11ca",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/commit/13ada41172142f2fd9f0906f615a00ea623a11ca"
},
{
"name": "https://github.com/python-pillow/Pillow/releases/tag/12.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/releases/tag/12.3.0"
}
],
"source": {
"advisory": "GHSA-vjc4-5qp5-m44j",
"discovery": "UNKNOWN"
},
"title": "Pillow JPEG2000 tiled decode retains a growing scratch buffer and can be used for denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59204",
"datePublished": "2026-07-14T15:38:29.545Z",
"dateReserved": "2026-07-02T21:05:02.923Z",
"dateUpdated": "2026-07-14T15:38:29.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55782 (GCVE-0-2026-55782)
Vulnerability from cvelistv5 – Published: 2026-07-10 16:46 – Updated: 2026-07-14 02:00| URL | Tags |
|---|---|
| https://github.com/M2Team/NanaZip/security/adviso… | x_refsource_CONFIRM |
| https://github.com/M2Team/NanaZip/commit/1ce90f2d… | x_refsource_MISC |
| https://github.com/M2Team/NanaZip/commit/56aee890… | x_refsource_MISC |
| https://github.com/M2Team/NanaZip/commit/92b12a6e… | x_refsource_MISC |
| https://github.com/M2Team/NanaZip/releases/tag/6.… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55782",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T02:00:08.437231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T02:00:57.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-qxhc-2v6p-wm8m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NanaZip",
"vendor": "M2Team",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.1749.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip\u0027s WebAssembly archive handler in NanaZip.Codecs.Archive.WebAssembly.cpp allocates buffers from attacker-controlled 32-bit section and custom-name length fields without validating them against the data present in the file. A tiny crafted module can force multi-gigabyte allocations during listing or extraction through NameSize, Information.Size, and std::string or vector allocation paths, causing memory exhaustion or process termination. This issue is fixed in version 6.5.1749.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T16:46:38.842Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-qxhc-2v6p-wm8m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-qxhc-2v6p-wm8m"
},
{
"name": "https://github.com/M2Team/NanaZip/commit/1ce90f2d14a984476d0407a835273705607facf2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/M2Team/NanaZip/commit/1ce90f2d14a984476d0407a835273705607facf2"
},
{
"name": "https://github.com/M2Team/NanaZip/commit/56aee89037947410dd5e66f3a087e0f290484bae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/M2Team/NanaZip/commit/56aee89037947410dd5e66f3a087e0f290484bae"
},
{
"name": "https://github.com/M2Team/NanaZip/commit/92b12a6e1eb0cf8e88fcc277aa7508ca1ff27db6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/M2Team/NanaZip/commit/92b12a6e1eb0cf8e88fcc277aa7508ca1ff27db6"
},
{
"name": "https://github.com/M2Team/NanaZip/releases/tag/6.5.1749.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/M2Team/NanaZip/releases/tag/6.5.1749.0"
}
],
"source": {
"advisory": "GHSA-qxhc-2v6p-wm8m",
"discovery": "UNKNOWN"
},
"title": "NanaZip: Unbounded memory allocation (DoS) in NanaZip WebAssembly parser via attacker-controlled section/name length fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55782",
"datePublished": "2026-07-10T16:46:38.842Z",
"dateReserved": "2026-06-17T14:40:28.379Z",
"dateUpdated": "2026-07-14T02:00:57.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55781 (GCVE-0-2026-55781)
Vulnerability from cvelistv5 – Published: 2026-07-10 16:50 – Updated: 2026-07-10 20:58| URL | Tags |
|---|---|
| https://github.com/M2Team/NanaZip/security/adviso… | x_refsource_CONFIRM |
| https://github.com/M2Team/NanaZip/commit/6415b6bf… | x_refsource_MISC |
| https://github.com/M2Team/NanaZip/releases/tag/6.… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:46:24.470182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:58:43.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NanaZip",
"vendor": "M2Team",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.1749.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip\u0027s UFS and FFS image handler in NanaZip.Codecs.Archive.Ufs.cpp validates the superblock block size only against the MINBSIZE lower bound and does not validate the fs_fsize fragment size, allowing attacker-controlled 32-bit fields to flow into indirect-block, directory, and extraction buffer allocations. A tiny crafted UFS image can force multi-gigabyte allocations during open or extraction, causing memory exhaustion or process termination. This issue is fixed in version 6.5.1749.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T16:50:24.371Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-m34h-jf84-m74h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-m34h-jf84-m74h"
},
{
"name": "https://github.com/M2Team/NanaZip/commit/6415b6bff70bc9c486b49cbbc1982724c67f8338",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/M2Team/NanaZip/commit/6415b6bff70bc9c486b49cbbc1982724c67f8338"
},
{
"name": "https://github.com/M2Team/NanaZip/releases/tag/6.5.1749.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/M2Team/NanaZip/releases/tag/6.5.1749.0"
}
],
"source": {
"advisory": "GHSA-m34h-jf84-m74h",
"discovery": "UNKNOWN"
},
"title": "NanaZip: Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated fs_bsize/fs_fsize superblock fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55781",
"datePublished": "2026-07-10T16:50:24.371Z",
"dateReserved": "2026-06-17T14:40:28.379Z",
"dateUpdated": "2026-07-10T20:58:43.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55380 (GCVE-0-2026-55380)
Vulnerability from cvelistv5 – Published: 2026-07-06 18:50 – Updated: 2026-07-06 19:23- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/python-pillow/Pillow/security/… | x_refsource_CONFIRM |
| https://github.com/python-pillow/Pillow/commit/f3… | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/blob/main… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| python-pillow | Pillow |
Affected:
< 12.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55380",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:23:03.405538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:23:30.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pillow",
"vendor": "python-pillow",
"versions": [
{
"status": "affected",
"version": "\u003c 12.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile._open() read image dimensions from the GD 2.x header and stored them in self._size without calling Image._decompression_bomb_check(), allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This issue is fixed in version 12.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:51:08.092Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm"
},
{
"name": "https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675"
},
{
"name": "https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst"
}
],
"source": {
"advisory": "GHSA-phj9-mv4w-65pm",
"discovery": "UNKNOWN"
},
"title": "Pillow GdImageFile decompression bomb protection bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55380",
"datePublished": "2026-07-06T18:50:14.789Z",
"dateReserved": "2026-06-16T18:57:40.182Z",
"dateUpdated": "2026-07-06T19:23:30.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55379 (GCVE-0-2026-55379)
Vulnerability from cvelistv5 – Published: 2026-07-06 18:52 – Updated: 2026-07-06 19:17- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/python-pillow/Pillow/security/… | x_refsource_CONFIRM |
| https://github.com/python-pillow/Pillow/commit/0a… | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/blob/main… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| python-pillow | Pillow |
Affected:
< 12.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55379",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:16:56.631649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:17:03.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pillow",
"vendor": "python-pillow",
"versions": [
{
"status": "affected",
"version": "\u003c 12.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf_char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image._decompression_bomb_check(), bypassing Pillow\u0027s documented decompression bomb protection and allowing excessive memory allocation. This issue is fixed in version 12.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:52:11.633Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc"
},
{
"name": "https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d"
},
{
"name": "https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst"
}
],
"source": {
"advisory": "GHSA-45hq-cxwh-f6vc",
"discovery": "UNKNOWN"
},
"title": "Pillow BdfFontFile`: `Image.new()` called without `_decompression_bomb_check()` \u2014 bomb protection bypass via font loading"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55379",
"datePublished": "2026-07-06T18:52:11.633Z",
"dateReserved": "2026-06-16T18:57:40.181Z",
"dateUpdated": "2026-07-06T19:17:03.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55213 (GCVE-0-2026-55213)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:49 – Updated: 2026-07-13 14:14- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/h2o/h2o/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/h2o/h2o/commit/edd7a120bfc4af1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T14:14:29.008624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T14:14:45.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "h2o",
"vendor": "h2o",
"versions": [
{
"status": "affected",
"version": "\u003c edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:49:58.764Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/h2o/h2o/security/advisories/GHSA-432c-8xmj-frmq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/h2o/h2o/security/advisories/GHSA-432c-8xmj-frmq"
},
{
"name": "https://github.com/h2o/h2o/commit/edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/h2o/h2o/commit/edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1"
}
],
"source": {
"advisory": "GHSA-432c-8xmj-frmq",
"discovery": "UNKNOWN"
},
"title": "h2o: musl libc stack overflow (QPACK)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55213",
"datePublished": "2026-07-10T20:49:58.764Z",
"dateReserved": "2026-06-16T16:16:32.627Z",
"dateUpdated": "2026-07-13T14:14:45.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55079 (GCVE-0-2026-55079)
Vulnerability from cvelistv5 – Published: 2026-07-07 23:50 – Updated: 2026-07-08 12:53- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/coder/coder/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/coder/coder/pull/25710 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.29.17 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.32.7 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.33.8 | x_refsource_MISC |
| https://github.com/coder/coder/releases/tag/v2.34.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T12:53:26.878982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T12:53:41.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coder",
"vendor": "coder",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.34.0, \u003c 2.34.2"
},
{
"status": "affected",
"version": "\u003e= 2.33.0, \u003c 2.33.8"
},
{
"status": "affected",
"version": "\u003e= 2.30.0, \u003c 2.32.7"
},
{
"status": "affected",
"version": "\u003e= 2.24.0, \u003c 2.29.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T23:50:37.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coder/coder/security/advisories/GHSA-f962-qm93-mj4c"
},
{
"name": "https://github.com/coder/coder/pull/25710",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/pull/25710"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.29.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.29.17"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.32.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.32.7"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.33.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.33.8"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.34.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.34.2"
}
],
"source": {
"advisory": "GHSA-f962-qm93-mj4c",
"discovery": "UNKNOWN"
},
"title": "Coder\u0027s unbounded memory allocation in provisioner file upload allows authenticated denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55079",
"datePublished": "2026-07-07T23:50:37.197Z",
"dateReserved": "2026-06-16T14:33:35.711Z",
"dateUpdated": "2026-07-08T12:53:41.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54448 (GCVE-0-2026-54448)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:27 – Updated: 2026-06-25 18:55| URL | Tags |
|---|---|
| https://github.com/aquasecurity/trivy/security/ad… | x_refsource_CONFIRM |
| https://github.com/aquasecurity/trivy/pull/10718 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| aquasecurity | trivy |
Affected:
< 0.71.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54448",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:55:22.152737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:55:50.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/aquasecurity/trivy/pull/10718"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "trivy",
"vendor": "aquasecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 0.71.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:27:33.659Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4"
},
{
"name": "https://github.com/aquasecurity/trivy/pull/10718",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/aquasecurity/trivy/pull/10718"
}
],
"source": {
"advisory": "GHSA-q3fv-x8vg-qqm4",
"discovery": "UNKNOWN"
},
"title": "Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54448",
"datePublished": "2026-06-25T16:27:33.659Z",
"dateReserved": "2026-06-15T15:30:40.317Z",
"dateUpdated": "2026-06-25T18:55:50.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54060 (GCVE-0-2026-54060)
Vulnerability from cvelistv5 – Published: 2026-07-06 18:49 – Updated: 2026-07-07 14:08- CWE-789 - Memory Allocation with Excessive Size Value
| URL | Tags |
|---|---|
| https://github.com/python-pillow/Pillow/security/… | x_refsource_CONFIRM |
| https://github.com/python-pillow/Pillow/commit/0a… | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/blob/main… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| python-pillow | Pillow |
Affected:
< 12.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54060",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T14:07:46.646415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T14:08:14.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-5x94-69rx-g8h2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pillow",
"vendor": "python-pillow",
"versions": [
{
"status": "affected",
"version": "\u003c 12.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new(\"1\", (xsize, ysize)) without calling Image._decompression_bomb_check(), allowing a font to trigger excessive allocation during conversion or saving. This issue is fixed in version 12.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T18:49:23.788Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-5x94-69rx-g8h2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-5x94-69rx-g8h2"
},
{
"name": "https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d"
},
{
"name": "https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst"
}
],
"source": {
"advisory": "GHSA-5x94-69rx-g8h2",
"discovery": "UNKNOWN"
},
"title": "Pillow: `FontFile.compile()`: `Image.new()` called without `_decompression_bomb_check()`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54060",
"datePublished": "2026-07-06T18:49:23.788Z",
"dateReserved": "2026-06-11T18:24:35.096Z",
"dateUpdated": "2026-07-07T14:08:14.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation
Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
No CAPEC attack patterns related to this CWE.