SB2026071354 - SUSE update for python-Pillow
Published: July 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-54059)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in PcfFontFile._load_bitmaps() when parsing a crafted PCF font file. A remote attacker can supply a crafted PCF font with oversized glyph dimensions to cause a denial of service.
The issue occurs because glyph dimensions from the PCF METRICS section are passed to Image.frombytes() without a decompression bomb check before memory allocation.
2) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-54060)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in FontFile.compile() in PIL/FontFile.py when assembling glyph images from a crafted BDF or PCF font into a combined bitmap. A remote attacker can supply a specially crafted font file to cause a denial of service.
The issue affects the font loading code path used by BdfFontFile and PcfFontFile, where the standard decompression bomb guard is not invoked before the combined bitmap is created.
3) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-55379)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in the PIL/BdfFontFile.py bdf_char() font loading path when parsing a crafted BDF font file with oversized BBX dimensions and an empty BITMAP section. A remote attacker can supply a specially crafted BDF font file to cause a denial of service.
Loaded glyph images persist in memory for the lifetime of the font object.
4) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-55380)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value in GdImageFile._open() and the subsequent image loading path when processing a crafted .gd image through PIL.GdImageFile.open(fp) and calling load(). A remote attacker can supply a specially crafted .gd file with oversized dimensions to cause a denial of service.
A 1037-byte header-only file is sufficient to trigger an attempted allocation of approximately 4.3 GB.
Remediation
Install update from vendor's website.