Description
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
Published: 2026-05-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pillow versions from 11.2.1 through before 12.2.0 accepted nested lists as coordinates for APIs such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line. The library unpacked these nested lists recursively beyond the allocated buffer, causing a heap buffer overflow (CWE‑122) and mismatched buffer sizes (CWE‑131). The overflow could corrupt memory, potentially leading to application crashes or data corruption, but no direct mention of code execution is stated in the official description.

Affected Systems

The vulnerability affects the Python imaging library Pillow maintained by python‑pillow. Any installation using Pillow versions between 11.2.1 and the last pre‑12.2.0 release is susceptible. Systems that process untrusted image files with Pillow without additional validation are at risk.

Risk and Exploitability

The likely attack vector involves an attacker providing a malicious image file containing nested list coordinates, either during local image processing or via an upload mechanism that forwards the image to Pillow. The CVSS score of 5.1 indicates moderate severity. The EPSS score of less than 1% and the lack of listing in the KEV catalog suggest a low likelihood of widespread exploitation. Successful exploitation could cause memory corruption and application instability, depending on the target environment.

Generated by OpenCVE AI on May 13, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pillow to version 12.2.0 or later
  • Validate image input so that coordinates contain exactly two numeric values before passing them to Pillow APIs
  • If an immediate upgrade is not feasible, configure the application to reject or sanitize any image data that contains nested coordinate lists, or restrict Pillow usage to trusted image sources

Generated by OpenCVE AI on May 13, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5xmw-vc9v-4wf2 Pillow has a heap buffer overflow with nested list coordinates
History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 12 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python pillow
CPEs cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Vendors & Products Python
Python pillow
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 09 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Python-pillow
Python-pillow pillow
Vendors & Products Python-pillow
Python-pillow pillow

Sat, 09 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
Title Pillow: Heap buffer overflow with nested list coordinates
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Python Pillow
Python-pillow Pillow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T14:48:18.204Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42309

cve-icon Vulnrichment

Updated: 2026-05-11T14:48:14.598Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-09T06:16:10.073

Modified: 2026-05-12T17:57:24.467

Link: CVE-2026-42309

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-09T04:08:10Z

Links: CVE-2026-42309 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T03:00:12Z

Weaknesses