What is CVE-2026-42308?

CVE-2026-42308 is a medium-severity vulnerability in Python Pillow, classified under Integer Overflow or Wraparound. CVSS score: 5.5/10. Published 2026-05-09.

How severe is CVE-2026-42308?

Medium severity. CVSS v3 base score is 5.5 out of 10.

Integer overflow in Python Pillow

CVE-2026-42308

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched i…

Vulnerability class: Integer Overflow

EPSS: 0.000 (3.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Affected products

Python Pillow
Python-pillow Pillow — versions < 12.2.0

Weakness classification (CWE)

CWE-190 — Integer Overflow or Wraparound

References

security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
security-advisories@github.com (Product, x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-42308?: CVE-2026-42308 is a medium-severity vulnerability in Python Pillow, classified under Integer Overflow or Wraparound. CVSS score: 5.5/10. Published 2026-05-09.
How severe is CVE-2026-42308?: Medium severity. CVSS v3 base score is 5.5 out of 10.