Action not permitted
Modal body text goes here.
Modal Title
Modal Body
GHSA-PWV6-VV43-88GR
Vulnerability from github – Published: 2026-05-04 20:20 – Updated: 2026-05-13 13:41Impact
Processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution.
Patches
Patched version: 12.2.0
Pillow 12.1.1 addressed CVE-2026-25990 by adding checks for tile extents in PSD image decoding/encoding to prevent an out-of-bounds write. However, the bounds checks computed tile extent sums using types susceptible to integer overflow, meaning a PSD image with carefully chosen tile dimensions could produce values that wrap around and bypass the checks, still triggering an out-of-bounds write in src/decode.c and src/encode.c. The fix avoids adding extents together before comparison.
Workarounds
Use any version but affected versions: >= 10.3.0, < 12.2.0
Resources
- Fix: https://github.com/python-pillow/Pillow/pull/9520
- Original issue: CVE-2026-25990 (Pillow 12.1.1)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pillow"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "12.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42311"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T20:20:31Z",
"nvd_published_at": "2026-05-09T06:16:10Z",
"severity": "HIGH"
},
"details": "### Impact\nProcessing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution.\n\n### Patches\nPatched version: 12.2.0\n\nPillow 12.1.1 addressed CVE-2026-25990 by adding checks for tile extents in PSD image decoding/encoding to prevent an out-of-bounds write. However, the bounds checks computed tile extent sums using types susceptible to integer overflow, meaning a PSD image with carefully chosen tile dimensions could produce values that wrap around and bypass the checks, still triggering an out-of-bounds write in src/decode.c and src/encode.c. The fix avoids adding extents together before comparison.\n\n### Workarounds\nUse any version but affected versions: \u003e= 10.3.0, \u003c 12.2.0\n\n### Resources\n - Fix: https://github.com/python-pillow/Pillow/pull/9520 \n - Original issue: CVE-2026-25990 (Pillow 12.1.1)",
"id": "GHSA-pwv6-vv43-88gr",
"modified": "2026-05-13T13:41:29Z",
"published": "2026-05-04T20:20:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/pull/9520"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-pillow/Pillow"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)"
}
cleanstart-2026-en66750
Vulnerability from cleanstart
Multiple security vulnerabilities affect the apache-superset package. Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0-r5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the apache-superset package. Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-EN66750",
"modified": "2026-06-09T08:06:55Z",
"published": "2026-06-10T00:46:54.779122Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-EN66750.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25990"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42308"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42309"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42310"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48522"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48524"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5xmw-vc9v-4wf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-65pc-fj4g-8rjx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cfh3-3jmp-rvhc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwv6-vv43-88gr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r73j-pqj5-w3x7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-whj4-6x5x-4v2j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wjx4-4jcj-g98j"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25990"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42308"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42309"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42310"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48522"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48524"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing",
"upstream": [
"CVE-2026-25990",
"CVE-2026-40192",
"CVE-2026-42308",
"CVE-2026-42309",
"CVE-2026-42310",
"CVE-2026-42311",
"CVE-2026-45409",
"CVE-2026-48522",
"CVE-2026-48524",
"CVE-2026-48525",
"CVE-2026-48526",
"ghsa-5xmw-vc9v-4wf2",
"ghsa-65pc-fj4g-8rjx",
"ghsa-cfh3-3jmp-rvhc",
"ghsa-pwv6-vv43-88gr",
"ghsa-r73j-pqj5-w3x7",
"ghsa-whj4-6x5x-4v2j",
"ghsa-wjx4-4jcj-g98j"
]
}
cleanstart-2026-fg72002
Vulnerability from cleanstart
Multiple security vulnerabilities affect the apache-superset package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0-r5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the apache-superset package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-FG72002",
"modified": "2026-06-09T08:06:55Z",
"published": "2026-07-13T06:29:31.585527Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-FG72002.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25990"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42308"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42309"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42310"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48522"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48524"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5xmw-vc9v-4wf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-65pc-fj4g-8rjx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cfh3-3jmp-rvhc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwv6-vv43-88gr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r73j-pqj5-w3x7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-whj4-6x5x-4v2j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wjx4-4jcj-g98j"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25990"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42308"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42309"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42310"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48522"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48524"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-25990, CVE-2026-40192, CVE-2026-42308, CVE-2026-42309, CVE-2026-42310, CVE-2026-42311, CVE-2026-45409, CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-48526, ghsa-5xmw-vc9v-4wf2, ghsa-65pc-fj4g-8rjx, ghsa-cfh3-3jmp-rvhc, ghsa-pwv6-vv43-88gr, ghsa-r73j-pqj5-w3x7, ghsa-whj4-6x5x-4v2j, ghsa-wjx4-4jcj-g98j applied in versions: 6.0.0-r5",
"upstream": [
"CVE-2026-25990",
"CVE-2026-40192",
"CVE-2026-42308",
"CVE-2026-42309",
"CVE-2026-42310",
"CVE-2026-42311",
"CVE-2026-45409",
"CVE-2026-48522",
"CVE-2026-48524",
"CVE-2026-48525",
"CVE-2026-48526",
"ghsa-5xmw-vc9v-4wf2",
"ghsa-65pc-fj4g-8rjx",
"ghsa-cfh3-3jmp-rvhc",
"ghsa-pwv6-vv43-88gr",
"ghsa-r73j-pqj5-w3x7",
"ghsa-whj4-6x5x-4v2j",
"ghsa-wjx4-4jcj-g98j"
]
}
cleanstart-2026-rf67070
Vulnerability from cleanstart
Multiple security vulnerabilities affect the apache-superset package. These issues are resolved in later releases. See references for individual vulnerability details.
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0-r5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the apache-superset package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-RF67070",
"modified": "2026-06-09T08:06:55Z",
"published": "2026-07-09T09:36:58.184272Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-RF67070.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25990"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42308"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42309"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42310"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48522"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48524"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-48526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5xmw-vc9v-4wf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-65pc-fj4g-8rjx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-cfh3-3jmp-rvhc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pwv6-vv43-88gr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r73j-pqj5-w3x7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-whj4-6x5x-4v2j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wjx4-4jcj-g98j"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25990"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40192"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42308"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42309"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42310"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42311"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45409"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48522"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48524"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2026-25990, CVE-2026-40192, CVE-2026-42308, CVE-2026-42309, CVE-2026-42310, CVE-2026-42311, CVE-2026-45409, CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-48526, ghsa-5xmw-vc9v-4wf2, ghsa-65pc-fj4g-8rjx, ghsa-cfh3-3jmp-rvhc, ghsa-pwv6-vv43-88gr, ghsa-r73j-pqj5-w3x7, ghsa-whj4-6x5x-4v2j, ghsa-wjx4-4jcj-g98j applied in versions: 6.0.0-r5",
"upstream": [
"CVE-2026-25990",
"CVE-2026-40192",
"CVE-2026-42308",
"CVE-2026-42309",
"CVE-2026-42310",
"CVE-2026-42311",
"CVE-2026-45409",
"CVE-2026-48522",
"CVE-2026-48524",
"CVE-2026-48525",
"CVE-2026-48526",
"ghsa-5xmw-vc9v-4wf2",
"ghsa-65pc-fj4g-8rjx",
"ghsa-cfh3-3jmp-rvhc",
"ghsa-pwv6-vv43-88gr",
"ghsa-r73j-pqj5-w3x7",
"ghsa-whj4-6x5x-4v2j",
"ghsa-wjx4-4jcj-g98j"
]
}
CVE-2026-42311 (GCVE-0-2026-42311)
Vulnerability from cvelistv5 – Published: 2026-05-09 04:11 – Updated: 2026-05-12 02:24| URL | Tags |
|---|---|
| https://github.com/python-pillow/Pillow/security/… | x_refsource_CONFIRM |
| https://github.com/python-pillow/Pillow/pull/9520 | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/commit/58… | x_refsource_MISC |
| https://github.com/python-pillow/Pillow/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| python-pillow | Pillow |
Affected:
>= 10.3.0, < 12.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:24:20.356743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:24:33.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pillow",
"vendor": "python-pillow",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.3.0, \u003c 12.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:11:58.092Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr"
},
{
"name": "https://github.com/python-pillow/Pillow/pull/9520",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/pull/9520"
},
{
"name": "https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea"
},
{
"name": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0"
}
],
"source": {
"advisory": "GHSA-pwv6-vv43-88gr",
"discovery": "UNKNOWN"
},
"title": "Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42311",
"datePublished": "2026-05-09T04:11:58.092Z",
"dateReserved": "2026-04-26T12:37:18.169Z",
"dateUpdated": "2026-05-12T02:24:33.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
PYSEC-2026-2252
Vulnerability from pysec - Published: 2026-05-09 06:16 - Updated: 2026-07-13 05:50Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
| Name | purl | pillow | pkg:pypi/pillow |
|---|
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "pillow",
"purl": "pkg:pypi/pillow"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "12.2.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"10.3.0",
"10.4.0",
"11.0.0",
"11.1.0",
"11.2.1",
"11.3.0",
"12.0.0",
"12.1.0",
"12.1.1"
]
}
],
"aliases": [
"CVE-2026-42311",
"GHSA-pwv6-vv43-88gr"
],
"details": "Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.",
"id": "PYSEC-2026-2252",
"modified": "2026-07-13T05:50:45.437102Z",
"published": "2026-05-09T06:16:10.430Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0"
},
{
"type": "FIX",
"url": "https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea"
},
{
"type": "FIX",
"url": "https://github.com/python-pillow/Pillow/pull/9520"
},
{
"type": "FIX",
"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.