Fluid Attacks Database

Description

Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=10.3.0 <12.2.0	12.2.0
debian 13	pillow	=11.1.0-5 \|\| =11.1.0-5+deb13u1 \|\| =11.1.0-5+deb13u2 \|\| =11.2.1-1 \|\| =11.3.0-1 \|\| =12.0.0-1 \|\| =12.1.0-1 \|\| =12.1.1-1 \|\| =12.1.1-2 \|\| =12.2.0-1	-
debian 14	pillow	=11.1.0-5 \|\| =11.2.1-1 \|\| =11.3.0-1 \|\| =12.0.0-1 \|\| =12.1.0-1 \|\| =12.1.1-1 \|\| =12.1.1-2 \|\| >=0 <12.2.0-1	12.2.0-1

Aliases

1. CVE-2026-423112. NVD-2026-423113. OSV-2026-423114. OSV-DEBIAN-2026-423115. GHSA-cfh3-3jmp-rvhc6. GHSA-pwv6-vv43-88gr7. GCVE-2026-423118. SECURITY-TRACKER-CVE-2026-42311

References

1. https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc2. https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr3. https://github.com/python-pillow/Pillow/pull/95204. https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea5. https://github.com/python-pillow/Pillow/releases/tag/12.2.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.