CVE-2026-40192
Decompression Bomb Vulnerability in Pillow FITS Image Decoder Causes DoS
Publication date: 2026-04-15
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | pillow | From 10.3.0 (inc) to 12.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, users should upgrade Pillow to a version later than 12.1.1 where the issue is fixed.
If upgrading is not possible right away, a recommended workaround is to avoid opening FITS image files, and only open specific image formats that do not include FITS.
Can you explain this vulnerability to me?
This vulnerability exists in the Pillow Python imaging library versions 10.3.0 through 12.1.1. It occurs because these versions do not limit the amount of GZIP-compressed data read when decoding a FITS image. This flaw allows an attacker to craft a malicious FITS file that triggers a decompression bomb attack.
When such a specially crafted FITS file is opened, it can cause unbounded memory consumption, potentially leading to a denial of service through an out-of-memory (OOM) crash or severe performance degradation.
As a temporary mitigation, users who cannot immediately upgrade should avoid opening FITS image formats.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service condition. By opening a maliciously crafted FITS image, your system could consume excessive memory, leading to crashes or significant slowdowns.
This can disrupt normal operations, cause application instability, and potentially affect availability of services relying on the Pillow library for image processing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Pillow versions 10.3.0 through 12.1.1 allows for decompression bomb attacks via specially crafted FITS files, leading to unbounded memory consumption and potential denial of service. While this can cause service disruptions, there is no direct information provided about its impact on compliance with standards such as GDPR or HIPAA.
However, denial of service incidents could indirectly affect compliance by impacting availability requirements under these regulations, but no explicit details are given in the provided context.