Uncontrolled Memory Allocation in Pillow - CVE-2026-54060
Published: July 3, 2026
Pillow
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to memory allocation with an excessive size value in FontFile.compile() in PIL/FontFile.py. When the glyph images read from a crafted BDF or PCF font are assembled into a single combined bitmap, the dimensions of that bitmap are derived from the font's own glyph metrics, so a font that declares oversized glyphs drives an oversized allocation. A remote attacker can supply a specially crafted font file to cause a denial of service through memory exhaustion.
The issue affects the font loading code path used by BdfFontFile and PcfFontFile, where the standard decompression bomb guard (the Image.MAX_IMAGE_PIXELS check that Pillow applies when opening images) is not invoked before the combined bitmap is created. Loading an untrusted font through these classes is therefore not covered by the pixel limit that protects Image.open().
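The following is an added example and not Pillow's own code. It models the row-packing layout a FontFile-style compile() step uses (glyphs placed left to right in rows of at most ROW_WIDTH pixels, each row as tall as the tallest glyph) and shows where a pixel-budget check has to sit: on the computed size, before any bitmap is allocated. The row width of 800 and the helper names (glyph_boxes, combined_bitmap_size, check_combined_bitmap, is_safe_font, FontBombError) are assumptions for illustration; the default budget of 89,478,485 pixels is Pillow's documented default for Image.MAX_IMAGE_PIXELS. Only the ENCODING and BBX records of a BDF file are read, and the sample fonts are constructed inline.

```python
"""Pre-allocation size guard for the combined glyph bitmap of a BDF font.

Added example, not Pillow's code. It models the row-packing layout used when
glyph images are compiled into one bitmap (glyphs placed left to right in rows
of at most ROW_WIDTH pixels, every row as tall as the tallest glyph) and
applies a pixel budget before any image is allocated. Only the ENCODING and
BBX records of the BDF file are read; bitmap hex data is ignored.
"""

ROW_WIDTH = 800            # assumed packing row width (hypothetical constant)
MAX_PIXELS = 89_478_485    # Pillow's default Image.MAX_IMAGE_PIXELS


class FontBombError(ValueError):
    """Raised when the combined bitmap would exceed the pixel budget."""


def glyph_boxes(bdf_text):
    """Return [(width, height)] of the BBX box for every glyph with ENCODING 0..255.

    Glyphs outside that range are skipped, mirroring a 256-entry glyph table.
    """
    boxes = []
    encoding = box = None
    for line in bdf_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "STARTCHAR":
            encoding = box = None
        elif parts[0] == "ENCODING":
            encoding = int(parts[1])
        elif parts[0] == "BBX":
            box = (int(parts[1]), int(parts[2]))
        elif parts[0] == "ENDCHAR":
            if box is not None and encoding is not None and 0 <= encoding <= 255:
                boxes.append(box)
    return boxes


def combined_bitmap_size(boxes, row_width=ROW_WIDTH):
    """Return (xsize, ysize) of the bitmap the glyphs would be packed into.

    Pure arithmetic on the box list: nothing is allocated here, which is the
    point. A single glyph wider than row_width still starts a new row, so one
    oversized BBX is enough to make ysize a multiple of its height.
    """
    h = w = maxwidth = 0
    lines = 1
    for gw, gh in boxes:
        h = max(h, gh)
        w += gw
        if w > row_width:
            lines += 1
            w = gw
        maxwidth = max(maxwidth, w)
    return maxwidth, lines * h


def check_combined_bitmap(bdf_text, max_pixels=MAX_PIXELS):
    """Return the planned (xsize, ysize) or raise FontBombError.

    This is the check that belongs immediately before the combined bitmap is
    created, i.e. before the equivalent of Image.new("1", (xsize, ysize)).
    """
    xsize, ysize = combined_bitmap_size(glyph_boxes(bdf_text))
    pixels = xsize * ysize
    if pixels > max_pixels:
        raise FontBombError(
            f"combined glyph bitmap {xsize}x{ysize} = {pixels} pixels "
            f"exceeds budget of {max_pixels}"
        )
    return xsize, ysize


def is_safe_font(bdf_text, max_pixels=MAX_PIXELS):
    """Boolean wrapper around check_combined_bitmap for callers that only gate."""
    try:
        check_combined_bitmap(bdf_text, max_pixels)
    except FontBombError:
        return False
    return True


# Constructed sample input (not a real font): two small glyphs plus one
# out-of-range glyph that must be ignored.
BENIGN_BDF = """\
STARTFONT 2.1
FONT -example-fixed
SIZE 16 75 75
CHARS 3
STARTCHAR A
ENCODING 65
BBX 8 16 0 -2
BITMAP
ENDCHAR
STARTCHAR B
ENCODING 66
BBX 6 12 0 0
BITMAP
ENDCHAR
STARTCHAR ignored
ENCODING 300
BBX 100 100 0 0
BITMAP
ENDCHAR
ENDFONT
"""

# Constructed crafted input: one in-range glyph whose declared box is huge.
# No pixel data is needed; the declared BBX alone drives the planned size.
CRAFTED_BDF = BENIGN_BDF.replace("BBX 8 16 0 -2\n", "BBX 30000 30000 0 0\n", 1)

if __name__ == "__main__":
    print("benign:", check_combined_bitmap(BENIGN_BDF))   # (14, 16)
    print("crafted is safe:", is_safe_font(CRAFTED_BDF))  # False
```

The guard is the same pixel-count comparison that Image.open() performs; the point of the example is its placement, on the size computed from the glyph metrics and before the combined bitmap exists. Capping the glyph table at 256 entries bounds the number of glyphs but not their declared dimensions, so a single oversized BBX in the crafted file is enough to push the planned bitmap past the budget.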