CVE-2026-40192
Received Received - Intake
Decompression Bomb Vulnerability in Pillow FITS Image Decoder Causes DoS

Publication date: 2026-04-15

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40192
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
python pillow From 10.3.0 (inc) to 12.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability immediately, users should upgrade Pillow to a version later than 12.1.1 where the issue is fixed.

If upgrading is not possible right away, a recommended workaround is to avoid opening FITS image files, and only open specific image formats that do not include FITS.

Executive Summary

This vulnerability exists in the Pillow Python imaging library versions 10.3.0 through 12.1.1. It occurs because these versions do not limit the amount of GZIP-compressed data read when decoding a FITS image. This flaw allows an attacker to craft a malicious FITS file that triggers a decompression bomb attack.

When such a specially crafted FITS file is opened, it can cause unbounded memory consumption, potentially leading to a denial of service through an out-of-memory (OOM) crash or severe performance degradation.

As a temporary mitigation, users who cannot immediately upgrade should avoid opening FITS image formats.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition. By opening a maliciously crafted FITS image, your system could consume excessive memory, leading to crashes or significant slowdowns.

This can disrupt normal operations, cause application instability, and potentially affect availability of services relying on the Pillow library for image processing.

Compliance Impact

The vulnerability in Pillow versions 10.3.0 through 12.1.1 allows for decompression bomb attacks via specially crafted FITS files, leading to unbounded memory consumption and potential denial of service. While this can cause service disruptions, there is no direct information provided about its impact on compliance with standards such as GDPR or HIPAA.

However, denial of service incidents could indirectly affect compliance by impacting availability requirements under these regulations, but no explicit details are given in the provided context.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart