CVE-2026-25990: CWE-787: Out-of-bounds Write in python-pillow Pillow
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
AI Analysis
Technical Summary
Pillow versions >= 10.3.0 and < 12.1.1 contain a CWE-787 out-of-bounds write vulnerability triggered by processing maliciously crafted PSD images. This flaw could lead to memory corruption during image loading. The vulnerability is fixed in Pillow version 12.1.1. The CVSS 4.0 vector indicates local attack vector with low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this vulnerability may allow an attacker with local access to cause memory corruption, potentially leading to application crashes or arbitrary code execution. The high CVSS score reflects significant impact on confidentiality, integrity, and availability of the affected system. However, no public exploits are currently known.
Mitigation Recommendations
Upgrade Pillow to version 12.1.1 or later, where this vulnerability is fixed. Since this is a library vulnerability, ensure that all applications using Pillow are updated accordingly. Patch status is confirmed by the vendor advisory indicating the fix in 12.1.1.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:41:55.858Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698cee1b4b57a58fa1cb0648
Added to database: 2/11/2026, 9:01:15 PM
Last enriched: 5/1/2026, 1:56:22 AM
Last updated: 5/13/2026, 2:48:52 AM