CVE-2026-42309: CWE-122: Heap-based Buffer Overflow in python-pillow Pillow
A heap-based buffer overflow vulnerability exists in the python-pillow Pillow library versions from 11. 2. 1 up to but not including 12. 2. 0. The issue occurs when nested lists are passed as coordinates to certain APIs such as ImagePath. Path, ImageDraw. ImageDraw. polygon, and ImageDraw. ImageDraw.
AI Analysis
Technical Summary
The python-pillow Pillow library versions >= 11.2.1 and < 12.2.0 contain a heap-based buffer overflow vulnerability (CWE-122) triggered by passing nested lists as coordinates to APIs that accept coordinate inputs. The recursive unpacking of these nested lists can exceed the allocated buffer size, causing memory corruption. The vulnerability affects APIs including ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line. The issue is fixed in version 12.2.0 by enforcing validation that coordinate lists contain exactly two numeric values.
Potential Impact
Exploitation of this vulnerability could lead to heap memory corruption due to buffer overflow when processing malformed coordinate inputs. This may result in application crashes or potentially arbitrary code execution depending on the context. The CVSS 4.0 base score is 5.1 (medium severity), reflecting local attack vector and low complexity without user interaction required. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade to python-pillow Pillow version 12.2.0 or later, where the vulnerability is patched by validating coordinate inputs. Until upgrade, avoid passing nested lists as coordinates to the affected APIs. Patch status is confirmed by the vendor's versioning information indicating the fix in 12.2.0.
CVE-2026-42309: CWE-122: Heap-based Buffer Overflow in python-pillow Pillow
Description
A heap-based buffer overflow vulnerability exists in the python-pillow Pillow library versions from 11. 2. 1 up to but not including 12. 2. 0. The issue occurs when nested lists are passed as coordinates to certain APIs such as ImagePath. Path, ImageDraw. ImageDraw. polygon, and ImageDraw. ImageDraw.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The python-pillow Pillow library versions >= 11.2.1 and < 12.2.0 contain a heap-based buffer overflow vulnerability (CWE-122) triggered by passing nested lists as coordinates to APIs that accept coordinate inputs. The recursive unpacking of these nested lists can exceed the allocated buffer size, causing memory corruption. The vulnerability affects APIs including ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line. The issue is fixed in version 12.2.0 by enforcing validation that coordinate lists contain exactly two numeric values.
Potential Impact
Exploitation of this vulnerability could lead to heap memory corruption due to buffer overflow when processing malformed coordinate inputs. This may result in application crashes or potentially arbitrary code execution depending on the context. The CVSS 4.0 base score is 5.1 (medium severity), reflecting local attack vector and low complexity without user interaction required. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade to python-pillow Pillow version 12.2.0 or later, where the vulnerability is patched by validating coordinate inputs. Until upgrade, avoid passing nested lists as coordinates to the affected APIs. Patch status is confirmed by the vendor's versioning information indicating the fix in 12.2.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T12:37:18.169Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fec4aacbff5d8610c504fc
Added to database: 5/9/2026, 5:22:50 AM
Last enriched: 5/9/2026, 5:36:37 AM
Last updated: 5/9/2026, 6:39:59 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.