TGA RLE Encoder Vulnerability in Pillow Python Imaging Library
CVE-2026-59198

6.5MEDIUM

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-59198?

The Pillow library, widely used for image processing in Python applications, experiences a buffer overflow vulnerability stemming from its TGA RLE encoder. This vulnerability allows for the reading of bytes beyond the intended buffer when saving mode 1 images with TGA RLE compression. As a result, adjacent memory space can be compromised, leading to potential risks during the file writing process. The issue has been addressed and patched in version 12.3.0, emphasizing the importance of updating to secure versions to mitigate exploitation risks.

Affected Version(s)

Pillow >= 5.2.0, < 12.3.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.