Heap Buffer Overflow in Pillow Python Imaging Library
CVE-2026-42309

5.1MEDIUM

Key Information:

Vendor: Python-pillow
Status: Pillow
Vendor: CVE Published:; 9 May 2026

🔔 Create Python-pillow Vulnerability Alert

What is CVE-2026-42309?

The Pillow Python imaging library, from versions 11.2.1 to before 12.2.0, is susceptible to a heap buffer overflow due to improper handling of nested lists as coordinates in APIs, including ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line. When nested lists are used, they are recursively unpacked beyond the allocated buffer, creating a potential security risk. To mitigate this vulnerability, coordinate lists are now validated to ensure they contain exactly two numeric coordinates. The issue has been addressed and patched in version 12.2.0.

Affected Version(s)

Pillow >= 11.2.1, < 12.2.0

References

https://github.com/python-pillow/Pillow/security/advisori...

x_refsource_CONFIRM

https://github.com/python-pillow/Pillow/releases/tag/12.2.0

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 9, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42309 Data

JSON