Memory Corruption Vulnerability in Pillow Python Imaging Library
CVE-2026-42311

8.6 HIGH

Key Information:

CVE Published: 9 May 2026

What is CVE-2026-42311?

Pillow, a widely used Python imaging library, is vulnerable to memory corruption when it processes a maliciously crafted PSD file. The corruption may crash the application or allow arbitrary code execution. Users are strongly advised to upgrade to version 12.2.0 or later, where the issue is fixed. For details on the vulnerability and patches, refer to the official advisory and release notes.

Affected Version(s)

Pillow >= 10.3.0, < 12.2.0
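
A defender's check for the range above, as an added example (not from the advisory or the Pillow project): it scans pip-style requirements text for exact Pillow pins that fall in >= 10.3.0, < 12.2.0. The function names and the sample lock file are constructed for illustration, and the version parsing is a simplified subset of PEP 440 that handles exact pins only.

```python
import re

# Affected range as stated on this page: >= 10.3.0 (inclusive), < 12.2.0 (fixed release).
# Keys are (release tuple, 1 for a final release / 0 for a pre-release).
AFFECTED_MIN = ((10, 3, 0), 1)
FIXED_IN = ((12, 2, 0), 1)

# Exact pins only ("==" or "==="), with optional extras, markers, hashes or comments after.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)")
PRE_RE = re.compile(r"[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

def normalize(name):
    """PEP 503 name normalization, so Pillow, pillow and PILLOW compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version):
    """Sortable key; pre-releases sort before the final release with the same numbers."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip(), re.I)
    if not m:
        return None
    release = [int(part) for part in m.group(1).split(".")]
    release += [0] * (3 - len(release))          # "11" compares as 11.0.0
    return (tuple(release), 0 if PRE_RE.match(m.group(2)) else 1)

def find_affected_pins(requirements_text):
    """Return (line_number, version) for each exact Pillow pin inside the affected range."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN_RE.match(line)
        if not m or normalize(m.group(1)) != "pillow":
            continue                              # other packages, comments, --hash lines
        key = version_key(m.group(2))
        if key is not None and AFFECTED_MIN <= key < FIXED_IN:
            hits.append((lineno, m.group(2)))
    return hits

# Constructed sample lock file (not from the page); the hash is a placeholder.
SAMPLE = """\
# constructed sample
requests==2.32.3
Pillow==10.2.0
pillow==10.3.0 \\
    --hash=sha256:<placeholder>
PILLOW[xmp]==11.1.0 ; python_version >= "3.9"
pillow-heif==0.18.0
Pillow==12.2.0rc1
pillow==12.2.0
"""

if __name__ == "__main__":
    for lineno, version in find_affected_pins(SAMPLE):
        print(f"line {lineno}: Pillow {version} is in the affected range, upgrade to 12.2.0 or later")
```

Range specifiers such as `>=` or `~=` are not resolved here; for those, check the version actually installed in the environment.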

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
