CVE-2026-42311: CWE-190: Integer Overflow or Wraparound in python-pillow Pillow
A high-severity integer overflow or wraparound vulnerability exists in the python-pillow Pillow library versions from 10.3.0 up to but not including 12.2.0. Processing a specially crafted PSD file can trigger memory corruption, which may cause a crash or enable arbitrary code execution. This vulnerability has been addressed in Pillow version 12.2.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42311 affects the Pillow Python imaging library, specifically in versions 10.3.0 through 12.1.x. The vulnerability arises from an integer overflow or wraparound when processing malicious PSD files, leading to memory corruption. This can result in application crashes or potentially allow arbitrary code execution. The issue is tracked under CWE-190 (Integer Overflow or Wraparound) and CWE-787 (Out-of-bounds Write). The vulnerability has a CVSS 4.0 score of 8.6, indicating high severity. A fix was released in version 12.2.0 of Pillow.
Potential Impact
Exploitation of this vulnerability can cause memory corruption, which may lead to denial of service (application crash) or arbitrary code execution within the context of the affected application using Pillow. This poses a significant security risk for applications processing untrusted PSD files.
Mitigation Recommendations
Upgrade the Pillow library to version 12.2.0 or later, where this vulnerability has been patched. No other mitigation or temporary workaround is indicated. Patch status is confirmed by the vendor advisory stating the fix is included in version 12.2.0.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-26T12:37:18.169Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fec4aacbff5d8610c50506
Added to database: 5/9/2026, 5:22:50 AM
Last enriched: 5/9/2026, 5:36:27 AM
Last updated: 5/9/2026, 6:39:59 AM