Description
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
Published: 2026-05-09
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in Pillow’s handling of PSD tile extents allows an attacker to write beyond buffer bounds, causing memory corruption. Such corruption can lead to a crash or, if an attacker can control the memory state, arbitrary code execution. The flaw is identified as CWE‑190 (Integer Overflow or Wraparound) and CWE‑787 (Out‑of‑Bounds Write).

Affected Systems

The vulnerability affects the Pillow image library for Python, specifically versions from 10.3.0 up to and including 12.1.9. The patch was released in Pillow 12.2.0, which removes the unsafe handling of PSD tile extents.

Risk and Exploitability

The CVSS score of 8.6 denotes high severity. No EPSS score information is available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is likely local or remote file processing; any process that loads a crafted PSD file with Pillow can trigger the overflow, potentially leading to code execution or denial of service.

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pillow to version 12.2.0 or later
  • If your application does not need to process PSD files, remove or disable Pillow’s PSD support by configuring image plugins to exclude 'psd'
  • Review and restrict file inputs that are loaded by Pillow to trusted sources only; implement strict validation of file formats and enforce least privilege for services that process user‑supplied images

Advisories
Source: Github GHSA
ID: GHSA-pwv6-vv43-88gr
Title: Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
History

Sat, 09 May 2026 07:15:00 +0000

Type: First Time appeared
Values added: Python-pillow; Python-pillow pillow

Type: Vendors & Products
Values added: Python-pillow; Python-pillow pillow

Sat, 09 May 2026 05:30:00 +0000

Type: Description
Values added: Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.

Type: Title
Values added: Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)

Type: Weaknesses
Values added: CWE-190, CWE-787

Type: References (no values listed)

Type: Metrics
Values added: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T04:11:58.092Z

Reserved: 2026-04-26T12:37:18.169Z

Link: CVE-2026-42311

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T06:16:10.430

Modified: 2026-05-09T06:16:10.430

Link: CVE-2026-42311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T07:00:11Z

Weaknesses