CVE-2026-42308
Integer Overflow in Pillow Image Processing Library
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | pillow | to 12.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42308 is a vulnerability in the Python Pillow imaging library affecting versions prior to 12.2.0.
The issue arises when a font has an excessively large advance value for each glyph, which causes an integer overflow during the tracking of the current position in font rendering.
This integer overflow can lead to incorrect position tracking when rendering fonts.
The vulnerability has been fixed in Pillow version 12.2.0.
How can this vulnerability impact me? :
This vulnerability can cause incorrect tracking of the current position during font rendering due to an integer overflow.
Such an overflow may lead to memory corruption or crashes when processing images with fonts that have large glyph advances.
This can affect the stability and reliability of applications using vulnerable versions of Pillow for image processing.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-42308 in the Python Pillow library, you should upgrade Pillow to version 12.2.0 or later, where the issue has been patched.
This update fixes the integer overflow caused by excessively large glyph advances during font rendering, preventing incorrect position tracking and potential memory corruption or crashes.
Additionally, ensure that dependencies such as libpng and libjpeg-turbo are updated to the versions included in Pillow 12.2.0 (libpng 1.6.56 and libjpeg-turbo 3.1.4.1) to benefit from related security improvements.