Description
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.
Published: 2026-05-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves an infinite loop in the PDF trailer parsing routine of Pillow that can be triggered by a specially crafted PDF file. When parsed, the loop consumes 100% of a CPU core, causing the application to hang indefinitely. This denial of service is limited to the process using Pillow and does not provide code execution or data disclosure. CWE-835, Uncontrolled Resource Consumption, applies.

Affected Systems

Pillow is the Python imaging library used by numerous Python applications. Versions from 4.2.0 through 12.1.x are affected. The issue was fixed in Pillow 12.2.0. Upgrading to this or any later release eliminates the problem.

Risk and Exploitability

The CVSS score of 5.1 classifies the flaw as moderate. The EPSS score is not available, but the lack of a KEV listing indicates no known widespread exploitation. The attack vector is likely local or remote via a PDF input; the vulnerability requires the application to load a malicious PDF with Pillow. An attacker can disrupt service by inducing the infinite loop, but cannot gain further privilege or access. The overall risk is moderate, with highest impact on availability of software that consumes PDFs.

Generated by OpenCVE AI on May 9, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pillow to version 12.2.0 or newer
  • Validate or sanitize PDF inputs before processing with Pillow
  • If upgrade is not possible, consider removing PDF support or using an alternative image library


Advisories

Source: Github GHSA
ID: GHSA-r73j-pqj5-w3x7
Title: Pillow has a PDF Parsing Trailer Infinite Loop (DoS)

History

Sat, 09 May 2026 06:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Python-pillow; Python-pillow pillow

Type: Vendors & Products
Values Removed: (none)
Values Added: Python-pillow; Python-pillow pillow

Sat, 09 May 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

Type: Title
Values Removed: (none)
Values Added: Pillow: PDF Parsing Trailer Infinite Loop (DoS)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-835

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T04:10:48.395Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42310

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T06:16:10.273

Modified: 2026-05-09T06:16:10.273

Link: CVE-2026-42310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T06:30:25Z

Weaknesses