CVE-2026-42311
Memory Corruption in Pillow via Malicious PSD File
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | pillow | From 10.3.0 (inclusive) to 12.2.0 (exclusive) |
| python | pillow | 12.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42311 is a high-severity vulnerability in the Python Pillow imaging library affecting versions 10.3.0 to before 12.2.0. It arises from an integer overflow when processing specially crafted malicious PSD (Photoshop Document) files. The overflow leads to an out-of-bounds write, causing memory corruption.
The vulnerability occurs because previous bounds checks for tile extents in PSD image decoding and encoding were flawed, allowing attackers to bypass these checks by exploiting integer overflow. This can result in crashes or arbitrary code execution.
The issue was fixed by changing how extents are handled to prevent addition before comparison, adding direct validation checks to ensure tile coordinates do not exceed image boundaries, and raising exceptions for invalid extents.
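The flawed-versus-fixed check pattern described above, as an added illustration in C. This is not Pillow's code: the function names, the 640x480 image size and the tile values are constructed for the example, and integer wraparound is modelled with unsigned arithmetic so the program stays well-defined.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern (CWE-190 leading to CWE-787): the tile origin and size are
 * added before being compared with the image bounds. A sufficiently large
 * size wraps the sum negative, so the comparison passes and a later write
 * lands outside the pixel buffer. Returns 1 if the tile is accepted.
 * The wrap is modelled with uint32_t because signed overflow is undefined in C. */
int extent_check_flawed(int x, int y, int w, int h, int width, int height)
{
    int32_t right  = (int32_t)((uint32_t)x + (uint32_t)w);
    int32_t bottom = (int32_t)((uint32_t)y + (uint32_t)h);
    if (right > width || bottom > height)
        return 0;   /* rejected */
    return 1;       /* accepted, even when the sum wrapped */
}

/* Hardened pattern: each coordinate is validated directly against the image
 * bounds, and the size is compared with the room that remains instead of
 * forming x + w. No addition means nothing can wrap. */
int extent_check_safe(int x, int y, int w, int h, int width, int height)
{
    if (x < 0 || y < 0 || w < 0 || h < 0)
        return 0;
    if (x > width || y > height)
        return 0;
    if (w > width - x || h > height - y)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed tile: origin is inside the image, width is large enough
     * that x + w wraps to a negative value. */
    int crafted_ok_flawed = extent_check_flawed(100, 0, INT_MAX, 10, 640, 480);
    int crafted_ok_safe   = extent_check_safe(100, 0, INT_MAX, 10, 640, 480);
    printf("crafted tile accepted by flawed check: %d\n", crafted_ok_flawed);
    printf("crafted tile accepted by safe check:   %d\n", crafted_ok_safe);
    /* A legitimate tile passes both checks. */
    printf("legit tile accepted by safe check:     %d\n",
           extent_check_safe(100, 0, 200, 10, 640, 480));
    return 0;
}
```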
How can this vulnerability impact me?
This vulnerability can lead to memory corruption when processing malicious PSD files, which may cause the Pillow library or applications using it to crash.
More seriously, it could allow an attacker to execute arbitrary code, potentially compromising the security of the system running the vulnerable Pillow version.
The impact includes denial of service through crashes or unauthorized code execution, which could lead to further exploitation depending on the environment where Pillow is used.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves processing malicious PSD files that trigger integer overflow and out-of-bounds writes in the Pillow library. Detection would involve identifying attempts to open or process specially crafted PSD files that could exploit this flaw.
Since the issue is triggered by malformed PSD files, one practical detection method is to monitor or scan for PSD files being processed by Pillow versions 10.3.0 to before 12.2.0.
There are no specific commands provided in the resources for direct detection of exploitation attempts. However, you can check the Pillow version installed on your system with the following Python command:
```
python -c "import PIL; print(PIL.__version__)"
```
Additionally, monitoring application logs for crashes or exceptions related to PSD file processing could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade the Pillow library to version 12.2.0 or later, where this vulnerability has been fixed.
The fix prevents integer overflow by changing how PSD image extents are handled, avoiding the addition of extents before comparison and adding validation checks to prevent out-of-bounds writes.
If upgrading immediately is not possible, avoid processing untrusted or malicious PSD files with vulnerable Pillow versions.