CVE-2026-40192
EUVD-2026-2313015.04.2026, 23:16
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| python | pillow | 10.3.0 ≤ 𝑥 < 12.2.0 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
References