Decompression Bomb Vulnerability in Pillow Python Imaging Library
CVE-2026-40192

8.7 HIGH

Key Information:

CVE Published: 15 April 2026

What is CVE-2026-40192?

The Pillow library for Python has a vulnerability that allows a specially crafted FITS file to consume unbounded memory during decoding. This could lead to significant degradation of performance or even crashes due to out-of-memory (OOM) scenarios. Users relying on affected versions (10.3.0 through 12.1.1) are advised to either upgrade to version 12.2.0 or later, which provides a fix, or to avoid opening FITS image files until an upgrade can be performed.
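The advisory's interim mitigation is to not open FITS files while an affected Pillow is installed. The gate below is an added example (not Pillow project code or part of the advisory) that encodes the affected range given above and sniffs the FITS magic bytes; the version string is passed in so the check also runs where Pillow is not installed, and the sample header is constructed.

```python
"""Defensive gate for CVE-2026-40192 (Pillow FITS decompression bomb).

Added example: refuse FITS input while an affected Pillow (>= 10.3.0,
< 12.2.0, per the advisory) is installed, and allow it once upgraded.
"""
from typing import Tuple

AFFECTED_MIN = (10, 3, 0)   # first affected release, per advisory
FIXED_IN = (12, 2, 0)       # first fixed release, per advisory

# A FITS file starts with the ASCII keyword "SIMPLE" (first 80-char header card).
FITS_MAGIC = b"SIMPLE"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '12.1.1' (or '12.1', '12.1.1.post0') into a 3-int tuple."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:          # keep the leading numeric run only
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def pillow_is_affected(version: str) -> bool:
    """True for 10.3.0 <= version < 12.2.0, the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def looks_like_fits(header: bytes) -> bool:
    """Sniff the first bytes of the file rather than trusting its extension."""
    return header[:len(FITS_MAGIC)] == FITS_MAGIC


def should_reject(header: bytes, pillow_version: str) -> bool:
    """Reject only when the file is FITS and the installed Pillow is vulnerable."""
    return looks_like_fits(header) and pillow_is_affected(pillow_version)


if __name__ == "__main__":
    try:
        from PIL import __version__ as installed   # real installed Pillow
    except ImportError:
        installed = "12.1.1"                       # constructed fallback
    # Constructed sample: the start of a minimal FITS primary header.
    sample = b"SIMPLE  =                    T / conforms to FITS standard"
    print("Pillow", installed, "-> reject FITS:", should_reject(sample, installed))
```

Read only the first few bytes of an upload for the sniff; the decode itself is what the advisory says consumes unbounded memory, so the decision must be made before calling Image.open on the data.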

Affected Version(s)

Pillow >= 10.3.0, < 12.2.0

CVSS V4

  • Score: 8.7
  • Severity: HIGH
  • Confidentiality: None
  • Integrity: None
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved