Description
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Published: 2026-02-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write occurs when Pillow processes specially crafted PSD files in versions between 10.3.0 and prior to 12.1.1. The flaw arises from improper bounds checking of the image data buffer, allowing a malicious PSD to overwrite memory beyond the intended allocation. This can result in arbitrary code execution, privilege escalation, or application crash, as defined by CWE‑787. The CVSS base score of 8.6 signals critical severity.

Affected Systems

Products affected are those that include Pillow under the python‑pillow:Pillow designation. Vulnerable releases span Pillow 10.3.0 through 12.1.0, inclusive. The vulnerability is fixed in Pillow 12.1.1 and any later versions. Systems that run Python applications that import Pillow for image handling—particularly those that render or process PSD files—are at risk.

Risk and Exploitability

Risk assessment places the weakness at high severity; however, the EPSS score of less than 1 % suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is likely remote or local, depending on whether the affected application accepts user‑supplied PSD images. An adversary could supply a malicious PSD file to a vulnerable service or library, triggering the buffer overflow and potentially executing arbitrary code or causing denial of service.

Generated by OpenCVE AI on May 1, 2026 at 05:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pillow to 12.1.1 or newer in all affected Python environments.
  • If upgrading is not feasible, modify the application to reject or remove support for PSD image types, limiting processing to known safe formats.
  • Apply runtime security controls such as stack canaries and address space randomization, and monitor for anomalous memory usage or crashes that could indicate exploitation attempts.

Generated by OpenCVE AI on May 1, 2026 at 05:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6147-1 pillow security update
Github GHSA Github GHSA GHSA-cfh3-3jmp-rvhc Pillow affected by out-of-bounds write when loading PSD images
History

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

 cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python pillow
CPEs cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Vendors & Products Python
Python pillow
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Python-pillow
Python-pillow pillow
Vendors & Products Python-pillow
Python-pillow pillow

Thu, 12 Feb 2026 05:30:00 +0000

Type Values Removed Values Added
References

Thu, 12 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

threat_severity

Important

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Title Pillow has an out-of-bounds write when loading PSD images
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Python Pillow
Python-pillow Pillow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T20:15:07.397Z

Reserved: 2026-02-09T17:41:55.858Z

Link: CVE-2026-25990

cve-icon Vulnrichment

Updated: 2026-02-12T04:45:38.394Z

cve-icon NVD

Status : Modified

Published: 2026-02-11T21:16:20.670

Modified: 2026-04-30T21:16:30.170

Link: CVE-2026-25990

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-11T20:53:52Z

Links: CVE-2026-25990 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses