SB2026070342 - Multiple vulnerabilities in Pillow
Published: July 3, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-55380)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a memory allocation with an excessive size value in GdImageFile._open() and the subsequent image loading path when a crafted .gd image is opened through PIL.GdImageFile.open(fp) and then loaded with load(). A remote attacker can supply a specially crafted .gd file with oversized dimensions to cause a denial of service.
A 1037-byte header-only file is sufficient to trigger an attempted allocation of approximately 4.3 GB.
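A pre-flight guard for .gd files from untrusted sources, added here as an example (not Pillow's own code): it reads only the declared dimensions and refuses the file before any decoder allocates a pixel buffer. The header layout (16-bit big-endian magic followed by 16-bit big-endian width and height, as Pillow's GdImageFile reads it), the magic values and the pixel budget mirroring Pillow's default Image.MAX_IMAGE_PIXELS are assumptions of this example.

```python
import struct

# Pixel budget mirroring Pillow's default decompression-bomb threshold
# (Image.MAX_IMAGE_PIXELS); lower it to the memory you are willing to spend.
MAX_PIXELS = 1024 * 1024 * 1024 // 4 // 3   # 89,478,485 pixels
GD_HEADER_LEN = 1037           # header size Pillow reads for a .gd file
GD_MAGICS = (0xFFFE, 0xFFFF)   # GD 2.x magic values (assumption of this example)

class UnsafeGdHeader(ValueError):
    """The header should not be handed to an image decoder."""

def gd_declared_size(header: bytes) -> tuple[int, int]:
    """Return the (width, height) a .gd header declares, decoding nothing.

    Assumed layout, as Pillow's GdImageFile reads it: a 16-bit big-endian
    magic followed by 16-bit big-endian width and height.
    """
    if len(header) < 6:
        raise UnsafeGdHeader("truncated .gd header")
    magic, width, height = struct.unpack(">HHH", header[:6])
    if magic not in GD_MAGICS:
        raise UnsafeGdHeader(f"bad magic 0x{magic:04x}")
    return width, height

def check_gd_header(header: bytes, max_pixels: int = MAX_PIXELS) -> int:
    """Reject oversized declared dimensions before any pixel buffer exists.

    Returns the 'L' mode buffer size in bytes (one per pixel) for logging.
    """
    width, height = gd_declared_size(header)
    if width == 0 or height == 0:
        raise UnsafeGdHeader("zero-sized image")
    pixels = width * height    # pure arithmetic, nothing allocated yet
    if pixels > max_pixels:
        raise UnsafeGdHeader(f"{width}x{height} = {pixels} pixels exceeds {max_pixels}")
    return pixels

def make_header(width: int, height: int) -> bytes:
    """Constructed fixture: a header-only .gd file of GD_HEADER_LEN bytes."""
    fields = struct.pack(">HHH", 0xFFFE, width, height)
    return fields + b"\x00" * (GD_HEADER_LEN - len(fields))

if __name__ == "__main__":
    print(check_gd_header(make_header(640, 480)))   # 307200
    try:
        check_gd_header(make_header(65535, 65535))  # would need ~4.3 GB
    except UnsafeGdHeader as exc:
        print("rejected:", exc)
```

Run the check on the first 1037 bytes of an upload before passing the stream to Pillow; the returned byte count is what a vulnerable loader would have tried to allocate.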
2) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-54060)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a memory allocation with an excessive size value in FontFile.compile() in PIL/FontFile.py when glyph images from a crafted BDF or PCF font are assembled into a combined bitmap. A remote attacker can supply a specially crafted font file to cause a denial of service.
The issue affects the font loading code path used by BdfFontFile and PcfFontFile, where the standard decompression bomb guard is not invoked before the combined bitmap is created.
3) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-54059)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a memory allocation with an excessive size value in PcfFontFile._load_bitmaps() when parsing a crafted PCF font file. A remote attacker can supply a crafted PCF font with oversized glyph dimensions to cause a denial of service.
The issue occurs because glyph dimensions from the PCF METRICS section are passed to Image.frombytes() without a decompression bomb check before memory allocation.
4) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-55379)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a memory allocation with an excessive size value in the bdf_char() font loading path in PIL/BdfFontFile.py when parsing a crafted BDF font file with oversized BBX dimensions and an empty BITMAP section. A remote attacker can supply a specially crafted BDF font file to cause a denial of service.
Loaded glyph images persist in memory for the lifetime of the font object.
5) OS Command Injection (CVE-ID: CVE-2026-55798)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to command injection in WindowsViewer.get_command() in src/PIL/ImageShow.py, where a file path is interpolated into a shell command. A remote attacker can supply a specially crafted file path containing shell metacharacters to execute arbitrary commands.
User interaction is required to open a crafted file path on a Windows system.
Remediation
Install the update from the vendor's website.
References
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-5x94-69rx-g8h2
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-8v84-f9pq-wr9x
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-4x4j-2g7c-83w6