CVE-2026-40192
Modified
Modified - Updated After Analysis
Decompression Bomb Vulnerability in Pillow FITS Image Decoder Causes DoS
Vulnerability report for CVE-2026-40192, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-15
Last updated on: 2026-07-02
Assigner: GitHub, Inc.
Description
Description
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | pillow | From 10.3.0 (inc) to 12.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |