Description
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
Published: 2026-05-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pillow versions from 11.2.1 up to, but not including, 12.2.0 accepted nested lists as coordinates for APIs such as ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line. The library recursively unpacked these nested lists and wrote the resulting values beyond the allocated buffer, a heap buffer overflow (CWE-122). The trigger is the coordinate argument supplied by the calling application, not the contents of an image file. The CVSS 4.0 vector recorded on this page rates the impact as low availability only (VC:N/VI:N/VA:L), that is, heap corruption and a likely crash of the process doing the drawing; nothing on this page establishes that the overflow can be turned into code execution, and any further impact would depend on the target environment. Version 12.2.0 patches the issue by validating that each coordinate list contains exactly two numeric values, preventing the overflow.

Affected Systems

The vulnerability affects the Python imaging library Pillow, maintained by python-pillow. Any installation of Pillow from 11.2.1 up to and including the last 12.1.x release is susceptible. The exposed code path is coordinate handling in ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line, so the applications at risk are those that build coordinate lists from untrusted input (for example polygon or polyline points taken from an API request or an annotation file) and pass them to these APIs without checking their shape. As described, the trigger is the coordinate argument, not an image file, so merely opening untrusted images does not reach this code.

Risk and Exploitability

Based on the description, the likely attack vector is an application that forwards attacker-controlled coordinate data to Pillow's drawing or path APIs: nested lists are Python objects passed as coordinates, not something embedded in an image file, so the exposure is in services that accept points from users (web APIs, uploaded annotation or geometry files, batch jobs over untrusted metadata) and draw with them. The CVSS 4.0 vector on this page (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) scores 5.1 (Medium), rating a local attack vector, no required privileges or user interaction, and a low availability impact with no confidentiality or integrity impact. The EPSS score is below 1% and the vulnerability is not listed in the KEV catalog, indicating a low likelihood of widespread exploitation. Successful exploitation corrupts the heap and will most likely crash the drawing process; whether it could be leveraged further depends on the target environment and is not established by the information on this page.

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Remediation

Vendor fix: Pillow 12.2.0 validates coordinate lists to contain exactly two numeric coordinates (per the CVE description and GHSA-5xmw-vc9v-4wf2). No separate workaround is published; until the upgrade is applied, the calling application should validate the shape of coordinate input itself.

OpenCVE Recommended Actions

  • Upgrade Pillow to version 12.2.0 or later.
  • Validate coordinate input in the application before passing it to ImagePath.Path, ImageDraw.ImageDraw.polygon or ImageDraw.ImageDraw.line: accept only a flat sequence of numbers or a sequence of (x, y) pairs, and reject any entry that is itself a list or that does not contain exactly two numeric values.
  • If upgrading immediately is not possible, apply that validation at every point where coordinates originate from untrusted data (request bodies, annotation files, message queues), or restrict the drawing code paths to coordinates produced by trusted code.
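The following is an added example, not Pillow's own code and not part of the advisory text, illustrating both the mechanism named in the description (nested lists unpacked recursively into a buffer sized for the top-level entries) and the input check recommended above. The function names flatten_unchecked, overflow_excess, validate_coordinates and rejects are hypothetical; the assumption that the native buffer holds two floats per top-level entry is a simplification used only to show why recursive unpacking overruns it, and the crafted input is constructed for the example.

```python
from numbers import Real
from typing import Any, Iterable, List, Sequence, Tuple

Point = Tuple[float, float]


def _is_number(value: Any) -> bool:
    # bool is a subclass of int in Python; reject it so True/False
    # cannot sneak through as 1/0 coordinates.
    return isinstance(value, Real) and not isinstance(value, bool)


def flatten_unchecked(seq: Iterable[Any]) -> List[float]:
    """Model of the pre-fix behaviour described in the advisory: every
    nested list is unpacked recursively with no check that an entry holds
    exactly two numbers. Illustration only, not Pillow's implementation."""
    out: List[float] = []
    for item in seq:
        if isinstance(item, (list, tuple)):
            out.extend(flatten_unchecked(item))
        else:
            out.append(float(item))
    return out


def overflow_excess(seq: Sequence[Any]) -> int:
    """Assumption for the model: the buffer is sized for two floats per
    top-level entry. Returns how many floats the recursive unpack would
    write beyond that capacity (> 0 means an overflow in the model)."""
    capacity = 2 * len(seq)
    written = len(flatten_unchecked(seq))
    return max(0, written - capacity)


def validate_coordinates(seq: Sequence[Any]) -> List[Point]:
    """Input check to run before handing coordinates to ImageDraw.polygon,
    ImageDraw.line or ImagePath.Path. Accepts a flat sequence of numbers
    with even length (x0, y0, x1, y1, ...) or a sequence of (x, y) pairs.
    Deeper nesting, or a pair without exactly two numbers, raises ValueError."""
    if not isinstance(seq, (list, tuple)):
        raise ValueError("coordinates must be a list or tuple")
    if len(seq) == 0:
        return []
    if all(_is_number(v) for v in seq):
        if len(seq) % 2:
            raise ValueError("flat coordinate list must have even length")
        return [(float(seq[i]), float(seq[i + 1])) for i in range(0, len(seq), 2)]
    points: List[Point] = []
    for idx, item in enumerate(seq):
        if not isinstance(item, (list, tuple)):
            raise ValueError(f"entry {idx} is neither a number nor a pair")
        if len(item) != 2 or not all(_is_number(v) for v in item):
            raise ValueError(f"entry {idx} must be exactly two numbers, got {item!r}")
        points.append((float(item[0]), float(item[1])))
    return points


def rejects(seq: Any) -> bool:
    """True if validate_coordinates refuses the input."""
    try:
        validate_coordinates(seq)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: two top-level entries, but the first hides three pairs,
    # so the model writes eight floats into space sized for four.
    crafted = [[[1, 2], [3, 4], [5, 6]], [7, 8]]
    print("model writes", overflow_excess(crafted), "floats past the buffer")
    print("crafted input rejected:", rejects(crafted))
    print(validate_coordinates([(10, 20), (30, 40.5)]))
```

The validator deliberately returns a list of two-tuples rather than the caller's original object, so the drawing call receives a normalized structure regardless of what the untrusted source supplied.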

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-5xmw-vc9v-4wf2
Title: Pillow has a heap buffer overflow with nested list coordinates

History

Sat, 09 May 2026 07:45:00 +0000

Type: First Time appeared
  Values Removed: none
  Values Added: Python-pillow; Python-pillow pillow
Type: Vendors & Products
  Values Removed: none
  Values Added: Python-pillow; Python-pillow pillow

Sat, 09 May 2026 05:30:00 +0000

Type: Description
  Values Removed: none
  Values Added: the CVE description quoted at the top of this page
Type: Title
  Values Removed: none
  Values Added: Pillow: Heap buffer overflow with nested list coordinates
Type: Weaknesses
  Values Removed: none
  Values Added: CWE-122
Type: References
  Values Removed: none
  Values Added: (none shown)
Type: Metrics
  Values Removed: none
  Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T04:08:10.517Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42309

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T06:16:10.073

Modified: 2026-05-09T06:16:10.073

Link: CVE-2026-42309

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T07:30:27Z

Weaknesses