Buffer overflow in Python Pillow
CVE-2026-59205
Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's…
Vulnerability class: Buffer Overflow
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Python Pillow
- Python-pillow Pillow — versions < 12.3.0
Weakness classification (CWE)
References
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Patch, x_refsource_MISC, Issue Tracking)
- security-advisories@github.com (x_refsource_MISC, Release Notes)
- security-advisories@github.com (x_refsource_CONFIRM, Exploit, Vendor Advisory)
Frequently asked questions
- What is CVE-2026-59205?
- CVE-2026-59205 is a high-severity vulnerability in Python Pillow, classified under Out-of-bounds Write. CVSS score: 7.5/10. Published 2026-07-14.
- How severe is CVE-2026-59205?
- High severity. CVSS v3 base score is 7.5 out of 10.