Uncontrolled Memory Allocation in Pillow - CVE-2026-55379
Published: July 3, 2026
Pillow
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists in the bdf_char() font-loading path in PIL/BdfFontFile.py, which sizes a glyph image from the BBX dimensions declared in the font file. A crafted BDF font file with oversized BBX dimensions and an empty BITMAP section therefore triggers a memory allocation with an excessive size value. A remote attacker who can supply such a file to an application that loads it with Pillow can cause a denial of service through memory exhaustion.
Loaded glyph images persist in memory for the lifetime of the font object, so the oversized allocation is not released when parsing of the individual glyph returns.
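As an added illustration, not Pillow's code and not a reproduction of the affected code path, the following minimal BDF glyph parser shows the class of defect the advisory describes and the checks that close it: the dimensions are read from BBX, the declared size is capped and compared with the number of BITMAP rows, and only then is a buffer allocated. The cap MAX_GLYPH_DIM, the function names and the three sample glyphs are assumptions constructed for this example.

```python
# Added example (not Pillow's code): a minimal BDF glyph parser that checks
# the BBX dimensions against the BITMAP section before allocating anything.
# BDF facts relied on: a glyph runs from STARTCHAR to ENDCHAR, BBX carries
# "width height xoff yoff", and BITMAP is followed by one hex-encoded row per
# pixel row, each row padded to whole bytes.

MAX_GLYPH_DIM = 4096  # assumption: a per-axis cap chosen for this example


class BdfError(ValueError):
    """Raised for a glyph whose header and bitmap do not agree."""


def _split_glyph(text):
    """Return (header dict, bitmap rows) for one STARTCHAR..ENDCHAR block."""
    header, rows, in_bitmap = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "ENDCHAR":
            break
        if in_bitmap:
            rows.append(line)
        elif line == "BITMAP":
            in_bitmap = True
        else:
            key, _, value = line.partition(" ")
            header[key] = value
    return header, rows


def bbx_dims(text):
    """Width and height exactly as declared by BBX, with no validation."""
    header, _ = _split_glyph(text)
    try:
        width, height = (int(v) for v in header["BBX"].split()[:2])
    except (KeyError, ValueError) as exc:
        raise BdfError("missing or malformed BBX line") from exc
    return width, height


def planned_allocation_bytes(text):
    """Pixel count (width * height) a parser would size its buffer from if it
    trusted BBX alone, i.e. the unchecked behaviour behind the advisory.
    Assumption for this example: one byte per pixel."""
    width, height = bbx_dims(text)
    return width * height


def parse_glyph(text):
    """Parse one glyph, rejecting it before any allocation if BBX is
    implausible or the BITMAP rows do not match the declared size."""
    header, rows = _split_glyph(text)
    width, height = bbx_dims(text)
    if width <= 0 or height <= 0:
        raise BdfError(f"BBX {width}x{height} has non-positive size")
    if width > MAX_GLYPH_DIM or height > MAX_GLYPH_DIM:
        raise BdfError(f"BBX {width}x{height} exceeds cap of {MAX_GLYPH_DIM}")
    if len(rows) != height:
        raise BdfError(f"BBX declares {height} rows but BITMAP has {len(rows)}")
    bytes_per_row = (width + 7) // 8
    bitmap = bytearray()  # only reached once the header and rows agree
    for i, row in enumerate(rows):
        if len(row) != bytes_per_row * 2:
            raise BdfError(f"row {i} has {len(row)} hex digits, expected {bytes_per_row * 2}")
        try:
            bitmap += bytes.fromhex(row)
        except ValueError as exc:
            raise BdfError(f"row {i} is not hex") from exc
    return {"name": header.get("STARTCHAR"), "encoding": int(header.get("ENCODING", -1)),
            "width": width, "height": height, "bitmap": bytes(bitmap)}


def glyph_or_error(text):
    """(glyph, None) on success, (None, message) when the glyph is rejected."""
    try:
        return parse_glyph(text), None
    except BdfError as exc:
        return None, str(exc)


# Constructed sample glyphs for this example (not from any real font file).
GOOD_GLYPH = """\
STARTCHAR A
ENCODING 65
SWIDTH 500 0
DWIDTH 8 0
BBX 8 2 0 0
BITMAP
18
24
ENDCHAR
"""

# Oversized BBX with an empty BITMAP section: the shape the advisory describes.
OVERSIZED_GLYPH = """\
STARTCHAR evil
ENCODING 66
BBX 100000 100000 0 0
BITMAP
ENDCHAR
"""

# Plausible BBX but no bitmap rows at all.
EMPTY_BITMAP_GLYPH = """\
STARTCHAR hollow
ENCODING 67
BBX 8 16 0 0
BITMAP
ENDCHAR
"""

if __name__ == "__main__":
    print(parse_glyph(GOOD_GLYPH))
    print("unchecked parser would size a buffer for",
          planned_allocation_bytes(OVERSIZED_GLYPH), "pixels")
    for sample in (OVERSIZED_GLYPH, EMPTY_BITMAP_GLYPH):
        print(glyph_or_error(sample))
```

The order of the checks matters: the cap and the row-count comparison both run before the bytearray is created, so a file that declares 100000x100000 pixels and then supplies no rows costs nothing more than a few string operations. Because the advisory notes that glyph images live as long as the font object, a parser that allocated first and validated afterwards would still hold the oversized buffer after the glyph was rejected.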