CVE-2026-42310
Status: Received - Intake
Denial of Service in Pillow via Malicious PDF

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.
Generated: 2026-05-09
AI Q&A generated: 2026-05-09
CVSS score: none listed
EPSS: not evaluated (N/A)
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
python   pillow    from 4.2.0 (inclusive) to 12.2.0 (exclusive)
python   pillow    from 4.2.0 (inclusive) to 11.9.1 (inclusive)
python   pillow    12.2.0 (listed as a CPE on this page; the description names 12.2.0 as the fixed release)
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can cause a denial-of-service (DoS) condition by making the application unresponsive. When a malicious PDF with a looping trailer chain is processed, the Pillow library's PDF parser hangs indefinitely, consuming 100% CPU.

As a result, the affected application or service that uses Pillow for image processing may become completely unresponsive, potentially disrupting normal operations and affecting availability.


Can you explain this vulnerability to me?

CVE-2026-42310 is a vulnerability in the Python Pillow imaging library affecting versions from 4.2.0 up to, but not including, 12.2.0. It is triggered during PDF parsing when the parser encounters a malicious PDF whose trailer chain loops back on itself. The parser enters an infinite loop, hanging the process indefinitely and consuming 100% of a CPU core.

The issue arises because the trailer pointers in the PDF reference offsets that have already been processed, creating a cycle the parser does not detect: it keeps following the chain, expecting to reach a trailer with no predecessor, and that exit condition never arrives. The vulnerability is classified as CWE-835, an infinite loop with an unreachable exit condition.

The vulnerability was fixed in Pillow version 12.2.0 by tracking the trailer offsets already processed and raising an error as soon as an offset is seen a second time, so the parser fails fast instead of walking the cycle forever.
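The two shapes described above, as an added example that is not Pillow's PdfParser and not code from the advisory: a toy walker over a PDF's trailer chain (the `startxref` offset, then each trailer's `/Prev` pointer) in its unchecked form beside a form that records visited offsets. The sample PDFs, the `MAX_SECTIONS` ceiling and every function name are constructed for this example; the only thing taken from the page is the failure mode, a `/Prev` chain that revisits an offset and is followed forever. The same check is what an input pre-filter would do before handing a PDF to a vulnerable Pillow build.

```python
"""Toy PDF trailer-chain walker: the CWE-835 shape beside its fix.

Added example for this page; it is not Pillow's PdfParser and claims nothing
about Pillow internals beyond what the advisory states. Sample PDFs are
constructed inline so the script runs offline.
"""
import re
from typing import List, Optional, Set

STARTXREF_RE = re.compile(rb"startxref\s+(\d+)")
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
PREV_RE = re.compile(rb"/Prev\s+(\d+)")
MAX_SECTIONS = 64  # assumed sane ceiling on incremental updates in one file

HEADER = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


def xref_section(self_offset: int, prev_offset: Optional[int] = None) -> bytes:
    """One cross-reference section with its trailer. Offsets are zero-padded to
    ten digits so the section length does not depend on their value."""
    prev = b"" if prev_offset is None else b" /Prev %010d" % prev_offset
    trailer = b"trailer\n<< /Size 1 /Root 1 0 R" + prev + b" >>\n"
    return (b"xref\n0 1\n0000000000 65535 f \n" + trailer
            + b"startxref\n%010d\n%%%%EOF\n" % self_offset)


def build_legit_pdf() -> bytes:
    """Original section plus one incremental update whose /Prev points back at it."""
    off1 = len(HEADER)
    sec1 = xref_section(off1)
    off2 = off1 + len(sec1)
    return HEADER + sec1 + xref_section(off2, prev_offset=off1)


def build_cyclic_pdf() -> bytes:
    """Two sections whose /Prev values reference each other: a trailer cycle."""
    off1 = len(HEADER)
    off2 = off1 + len(xref_section(0, prev_offset=0))  # fixed width, so length is known
    return HEADER + xref_section(off1, prev_offset=off2) + xref_section(off2, prev_offset=off1)


def last_startxref(buf: bytes) -> int:
    """Offset named by the final startxref keyword (the newest xref section)."""
    idx = buf.rfind(b"startxref")
    m = STARTXREF_RE.match(buf, idx) if idx >= 0 else None
    if m is None:
        raise ValueError("no startxref keyword")
    return int(m.group(1))


def trailer_prev(buf: bytes, xref_offset: int) -> Optional[int]:
    """Check that xref_offset really starts an xref section, then return that
    section's trailer /Prev value (None for the original section)."""
    if not (0 <= xref_offset < len(buf)) or not buf.startswith(b"xref", xref_offset):
        raise ValueError(f"offset {xref_offset} does not point at an xref section")
    m = TRAILER_RE.search(buf, xref_offset)
    if m is None:
        raise ValueError(f"no trailer after xref section at {xref_offset}")
    p = PREV_RE.search(m.group(1))
    return int(p.group(1)) if p else None


def walk_trailers_unchecked(buf: bytes, demo_cap: int) -> List[int]:
    """Vulnerable shape: follow /Prev until it is absent. On a cycle that never
    happens; demo_cap exists only so this demo returns instead of hanging."""
    chain: List[int] = []
    offset: Optional[int] = last_startxref(buf)
    while offset is not None:
        chain.append(offset)
        if len(chain) > demo_cap:
            break  # the real loop would keep spinning here at 100% CPU
        offset = trailer_prev(buf, offset)
    return chain


def walk_trailers_checked(buf: bytes) -> List[int]:
    """Hardened shape: record every offset already processed; a revisit, or an
    implausibly long chain, is an error rather than more work."""
    chain: List[int] = []
    seen: Set[int] = set()
    offset: Optional[int] = last_startxref(buf)
    while offset is not None:
        if offset in seen:
            raise ValueError(f"trailer /Prev chain loops back to offset {offset}")
        if len(seen) >= MAX_SECTIONS:
            raise ValueError("too many xref sections")
        seen.add(offset)
        chain.append(offset)
        offset = trailer_prev(buf, offset)
    return chain


def detects_cycle(buf: bytes) -> bool:
    """True when the hardened walker rejects the file."""
    try:
        walk_trailers_checked(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    legit, cyclic = build_legit_pdf(), build_cyclic_pdf()
    print("legit chain:", walk_trailers_checked(legit))
    print("cyclic chain, unchecked (capped):", walk_trailers_unchecked(cyclic, demo_cap=6))
    print("cyclic chain rejected by checked walker:", detects_cycle(cyclic))
```

The visited set is the fix the advisory describes; the section ceiling is an extra bound that also stops a crafted file with an enormous but acyclic chain from costing unbounded work.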


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests only while Pillow's PDF parser is processing a PDF whose trailer chain loops back on itself: the process stops making progress and pins one CPU core at 100%.

Detection therefore means two things: confirming that a vulnerable Pillow build is installed, and watching the processes that run Pillow's PDF parser for a hang accompanied by sustained CPU usage.

  • Use `top` or `htop` on Linux to identify Python processes pinned at 100% CPU.
  • `strace -p <pid>` shows whether the process is still making system calls. A CPU-bound loop like this one makes none, so a strace that goes silent while CPU stays at 100% is itself the tell; `py-spy dump --pid <pid>` shows the Python stack and will place the hang inside Pillow's PDF parser (PIL/PdfParser.py).
  • If you have access to the Python environment, run a test script that hands suspicious PDFs to Pillow's PDF parser (versions from 4.2.0 to before 12.2.0) in a separate process with a timeout, and treat a child that has to be killed as a hit.
  • Confirm the installed version with `pip show Pillow` or `python -c "import PIL; print(PIL.__version__)"`; anything from 4.2.0 up to but not including 12.2.0 is vulnerable.
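A triage script covering the last two points, added here as an example (not from the advisory and not Pillow's own code). It checks the installed Pillow against the range on this page and parses a PDF in a time-boxed child process so a hang is reported instead of freezing the caller. It assumes that `PIL.PdfParser.PdfParser` is the module Pillow uses to read an existing PDF and that constructing it with `filename=` parses the trailer chain; the function names, the 10-second budget and the version-parsing rules are choices made for this example.

```python
"""Triage helpers for the Pillow PDF-parser hang: version range check plus a
time-boxed parse in a child process.

Added example, not from the advisory or from Pillow. The affected range is the
one stated on this page (>= 4.2.0, < 12.2.0). The probe drives PIL.PdfParser
directly (assumption about which code path is relevant); if the parser never
returns, subprocess.run kills the child when the budget expires.
"""
import subprocess
import sys
from importlib import metadata
from typing import List, Optional, Tuple

FIRST_AFFECTED = (4, 2, 0)
FIRST_FIXED = (12, 2, 0)


def parse_version(v: str) -> Tuple[int, int, int]:
    """'11.3.0' -> (11, 3, 0); '10.0.0rc1' -> (10, 0, 0). Text after the first
    non-digit in a component is ignored; missing components are zero-padded so
    '4.2' compares as 4.2.0."""
    nums: List[int] = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True when the version falls inside the range this page lists as vulnerable."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def installed_pillow_version() -> Optional[str]:
    """Version string of the installed Pillow distribution, or None if absent."""
    try:
        return metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None


def run_python_with_timeout(code: str, args: List[str], seconds: float) -> str:
    """Run `python -c code args...` as a child. 'hung' if the budget expires
    (subprocess.run kills the child), 'ok' on exit status 0, 'error' otherwise."""
    try:
        proc = subprocess.run([sys.executable, "-c", code, *args],
                              capture_output=True, timeout=seconds)
    except subprocess.TimeoutExpired:
        return "hung"
    return "ok" if proc.returncode == 0 else "error"


# Child-side snippet: constructing PdfParser on a filename reads and parses the
# trailer/xref chain (assumption about Pillow's API noted in the lead-in).
PROBE = ("import sys\n"
         "from PIL.PdfParser import PdfParser\n"
         "p = PdfParser(filename=sys.argv[1])\n"
         "p.close()\n")


def probe_pdf(path: str, seconds: float = 10.0) -> str:
    """Parse one PDF with the installed Pillow inside a time-boxed child."""
    return run_python_with_timeout(PROBE, [path], seconds)


if __name__ == "__main__":
    ver = installed_pillow_version()
    if ver is None:
        print("Pillow is not installed")
    else:
        print(f"Pillow {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for path in sys.argv[1:]:
        print(f"{path}: {probe_pdf(path)}")
```

A result of `hung` on a vulnerable version is the signature this page describes; `error` usually means the file is not a PDF the parser accepts at all, which is a different finding.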

What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade the Pillow library to version 12.2.0 or later, where this vulnerability has been patched.

The patch introduces detection of trailer loops in PDF files and raises an error instead of entering an infinite loop.

If upgrading immediately is not possible, restrict or validate PDF inputs before they reach Pillow. Because the trigger is a trailer chain whose /Prev pointers revisit an already processed offset, a pre-check that walks that chain and rejects any file that loops stops this specific input without touching the library.

Run the PDF-handling work under a watchdog or per-request timeout, monitor for processes pinned at 100% CPU during PDF parsing, and terminate or restart affected workers as a temporary measure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability causes a denial-of-service (DoS) condition by making the application unresponsive and consuming 100% CPU when processing malicious PDF files. While this can impact availability, there is no direct information indicating that it leads to unauthorized data access, data breaches, or exposure of personal data.

Therefore, based on the provided information, this vulnerability primarily affects system availability but does not explicitly affect compliance with data protection regulations such as GDPR or HIPAA, which focus on confidentiality, integrity, and privacy of personal data.

However, prolonged denial-of-service could indirectly impact compliance if critical services relying on Pillow become unavailable, but this is not detailed in the provided context.

