Memory Allocation Vulnerability in Pillow Python Imaging Library
CVE-2026-54059

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-54059?

A memory allocation vulnerability in the Pillow Python imaging library allows crafted PCF font data to bypass decompression checks. This can result in excessive memory usage when glyph dimensions from the PCF METRICS section are read directly by the imaging library’s method (_load_bitmaps()). The issue has been addressed in version 12.3.0, making it critical for users to update to prevent potential denial of service caused by this flaw.

Affected Version(s)

Pillow < 12.3.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.