Resource exhaustion in Python-pillow Pillow

CVE-2026-40192

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could…
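The defensive pattern for this bug class is to inflate with a hard cap on output rather than trusting the compressed size. The following Python is an added example, not Pillow's own FITS decoder or its patch: it reads a gzip member in bounded chunks and aborts once the running total passes a cap, so a few kilobytes of input cannot be expanded into gigabytes in memory. Function names, the cap value and the zero-filled sample stream are all assumptions made for the example.

```python
import gzip
import io


class DecompressionBombError(ValueError):
    """Inflated output exceeded the configured cap."""


def inflate_bounded(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip stream, refusing to produce more than max_out bytes.

    GzipFile.read(n) never returns more than n bytes per call, so memory use
    is bounded by the running total checked on every iteration instead of
    by whatever the compressed stream happens to expand to.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        while True:
            piece = gz.read(chunk)
            if not piece:
                break
            out += piece
            if len(out) > max_out:
                raise DecompressionBombError(
                    f"inflated output exceeds cap of {max_out} bytes"
                )
    return bytes(out)


def sample_compressible(inflated_size: int) -> bytes:
    """Constructed test input: a run of zeros gzips at roughly 1000:1."""
    return gzip.compress(b"\x00" * inflated_size, compresslevel=9)


def check(inflated_size: int, max_out: int) -> bool:
    """True if a stream inflating to inflated_size is accepted under max_out."""
    try:
        inflate_bounded(sample_compressible(inflated_size), max_out)
        return True
    except DecompressionBombError:
        return False


if __name__ == "__main__":
    cap = 1 << 20  # assumed 1 MiB budget for inflated FITS payload
    big = sample_compressible(8 << 20)
    print(f"{len(big)} compressed bytes, accepted under cap: {check(8 << 20, cap)}")
    print(f"4 KiB stream accepted under cap: {check(4096, cap)}")
```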

EPSS: 0.000 (4.8th percentile)

Affected products

Weakness classification (CWE)

References