Out-of-Memory Failure Vulnerability in Pillow Imaging Library by Python
CVE-2026-59204

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-59204?

The Pillow imaging library experiences a vulnerability in its handling of JPEG2000 image decoding. Specifically, from version 8.2.0 to 12.2.0, the library fails to properly recalculate the component width for each tile in a JPEG2000 image. This oversight leads to the accumulation of total component width information across tiles, causing significant increases in transient memory usage. When decoding specifically crafted tiled JPEG2000 files, this behavior can result in out-of-memory failures, potentially disrupting applications that rely on this functionality. The vulnerability has been addressed in version 12.3.0, which requires users to update to safeguard against these memory-related exploits.

Affected Version(s)

Pillow >= 8.2.0, < 12.3.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.