CVE-2026-42308: CWE-190: Integer Overflow or Wraparound in python-pillow Pillow
CVE-2026-42308 is an integer overflow vulnerability in the python-pillow Pillow library prior to version 12. 2. 0. The issue occurs when a font advances by an excessively large amount per glyph, causing Pillow's position tracking to overflow an integer value. This vulnerability has been addressed in Pillow version 12. 2. 0. The CVSS 4. 0 base score is 5. 1, indicating a medium severity level.
AI Analysis
Technical Summary
The Pillow Python imaging library versions before 12.2.0 contain an integer overflow vulnerability (CWE-190) triggered when font glyph advances exceed large values, causing the internal position tracking integer to overflow. This can potentially lead to incorrect behavior or memory corruption. The issue was fixed in version 12.2.0. The CVSS 4.0 score of 5.1 reflects a medium severity with local attack vector, low attack complexity, and no privileges or user interaction needed.
Potential Impact
An attacker with local access can trigger an integer overflow in Pillow by supplying fonts with large glyph advances. This may cause unexpected behavior or memory corruption within applications using vulnerable Pillow versions. No remote or network-based exploitation is indicated. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to Pillow version 12.2.0 or later where this integer overflow vulnerability is patched. Since the vendor advisory indicates the issue is fixed in 12.2.0, applying this official fix fully mitigates the vulnerability.
CVE-2026-42308: CWE-190: Integer Overflow or Wraparound in python-pillow Pillow
Description
CVE-2026-42308 is an integer overflow vulnerability in the python-pillow Pillow library prior to version 12. 2. 0. The issue occurs when a font advances by an excessively large amount per glyph, causing Pillow's position tracking to overflow an integer value. This vulnerability has been addressed in Pillow version 12. 2. 0. The CVSS 4. 0 base score is 5. 1, indicating a medium severity level.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Pillow Python imaging library versions before 12.2.0 contain an integer overflow vulnerability (CWE-190) triggered when font glyph advances exceed large values, causing the internal position tracking integer to overflow. This can potentially lead to incorrect behavior or memory corruption. The issue was fixed in version 12.2.0. The CVSS 4.0 score of 5.1 reflects a medium severity with local attack vector, low attack complexity, and no privileges or user interaction needed.
Potential Impact
An attacker with local access can trigger an integer overflow in Pillow by supplying fonts with large glyph advances. This may cause unexpected behavior or memory corruption within applications using vulnerable Pillow versions. No remote or network-based exploitation is indicated. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to Pillow version 12.2.0 or later where this integer overflow vulnerability is patched. Since the vendor advisory indicates the issue is fixed in 12.2.0, applying this official fix fully mitigates the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T12:37:18.169Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fec4aacbff5d8610c504f8
Added to database: 5/9/2026, 5:22:50 AM
Last enriched: 5/9/2026, 5:36:42 AM
Last updated: 5/9/2026, 6:39:58 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.