Uncontrolled Memory Allocation in Pillow - CVE-2026-54060

Published: July 3, 2026


Vulnerability identifier: #VU136858
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54060
CWE-ID: CWE-789
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Alex Clark and Contributors
Affected software:
Pillow

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists because FontFile.compile() in PIL/FontFile.py performs a memory allocation whose size is taken from the font file and can be excessive when assembling glyph images from a crafted BDF or PCF font into a combined bitmap. A remote attacker can supply a specially crafted font file to cause a denial of service.

The issue affects the font loading code path used by BdfFontFile and PcfFontFile, where the standard decompression bomb guard is not applied before the combined bitmap is allocated.
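The following is an added illustration, not Pillow's own code, of the guard the description says is missing: the combined bitmap's dimensions can be derived from the glyph source rectangles before anything is allocated and compared against a pixel budget, the same way Pillow's decompression bomb check bounds ordinary image loads. The row-packing rule (glyphs laid out left to right in rows of a fixed maximum width, each row as tall as the tallest glyph), the row width of 800 and the pixel budget are assumptions of this example, as are the names GlyphBox, combined_bitmap_size and check_font_bitmap_budget.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed constants for this example: the row width used when packing glyphs,
# and a pixel budget mirroring Pillow's default Image.MAX_IMAGE_PIXELS value.
ROW_WIDTH = 800
MAX_FONT_BITMAP_PIXELS = 1024 * 1024 * 1024 // 4 // 3


class FontBitmapBombError(ValueError):
    """Raised when a font's combined glyph bitmap would exceed the pixel budget."""


@dataclass(frozen=True)
class GlyphBox:
    """Source rectangle (x0, y0, x1, y1) of one glyph as a BDF/PCF parser would report it."""
    x0: int
    y0: int
    x1: int
    y1: int

    @property
    def width(self) -> int:
        return self.x1 - self.x0

    @property
    def height(self) -> int:
        return self.y1 - self.y0


def combined_bitmap_size(glyphs: Iterable[Optional[GlyphBox]],
                         row_width: int = ROW_WIDTH) -> Tuple[int, int]:
    """Return (xsize, ysize) of the combined bitmap without allocating it.

    Assumed layout: glyphs are packed left to right; a glyph that would push the
    current row past row_width starts a new row; every row is as tall as the
    tallest glyph in the font. Negative-sized boxes are rejected as malformed.
    """
    h = w = maxwidth = 0
    lines = 1
    for box in glyphs:
        if box is None:            # unused code point, nothing to place
            continue
        if box.width < 0 or box.height < 0:
            raise ValueError(f"malformed glyph box {box}")
        h = max(h, box.height)
        w += box.width
        if w > row_width:          # wrap to a new row
            lines += 1
            w = box.width
        maxwidth = max(maxwidth, w)
    return maxwidth, lines * h


def check_font_bitmap_budget(glyphs, max_pixels: int = MAX_FONT_BITMAP_PIXELS) -> Tuple[int, int]:
    """Guard to run before the combined bitmap is created: raise if it would be too large."""
    xsize, ysize = combined_bitmap_size(glyphs)
    if xsize * ysize > max_pixels:
        raise FontBitmapBombError(
            f"combined font bitmap {xsize}x{ysize} exceeds budget of {max_pixels} pixels")
    return xsize, ysize


# Constructed inputs: a plausible 8x16 font for all 256 code points, and a font whose
# single glyph claims a 100000x100000 source rectangle (the oversized-allocation case).
BENIGN_FONT = [GlyphBox(0, 0, 8, 16)] * 256
OVERSIZED_FONT = [GlyphBox(0, 0, 100_000, 100_000)] + [None] * 255
```

With the budget enforced, the oversized font is rejected from its declared glyph geometry alone, before any bitmap memory is requested.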


How to mitigate CVE-2026-54060

Install the security update from the vendor's website.

Sources