CVE-2026-54058
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-54058, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

Pillow is a Python imaging library. Prior to 12.3.0, when Pillow loads an uncompressed McIdas AREA image from a filename through the mmap raw codec path, attacker-controlled header words can set a row stride smaller than the natural row width, causing pixel access such as Image.tobytes(), getpixel, convert, or save to read beyond the mapped region and disclose adjacent process memory or fault. This issue is fixed in version 12.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python pillow to 12.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Pillow is a Python imaging library used for opening, manipulating, and saving image files. This vulnerability, identified as CVE-2026-54058, affects versions of Pillow prior to 12.3.0. It occurs when Pillow loads an uncompressed McIdas AREA image from a filename using the mmap raw codec path.

The issue arises because attacker-controlled header words in the image file can set a row stride (the number of bytes per row of pixels) smaller than the natural row width of the image. This misconfiguration causes pixel access operations such as Image.tobytes(), getpixel, convert, or save to read beyond the mapped memory region.

As a result, these operations may disclose adjacent process memory or cause a fault (e.g., a segmentation fault). This can lead to information disclosure or denial of service.

Impact Analysis

This vulnerability can impact you in several ways:

  • Information Disclosure: If you process untrusted McIdas AREA image files using Pillow, an attacker could craft a malicious image to read sensitive data from adjacent memory in your application's process. This could expose confidential information such as passwords, tokens, or other sensitive data.
  • Denial of Service: The vulnerability could cause your application to crash if it attempts to access invalid memory regions. This could disrupt services or applications relying on Pillow for image processing.
  • Security Risks: If your application handles user-uploaded images or processes images from untrusted sources, this vulnerability could be exploited to compromise the security of your system or data.
Compliance Impact

This vulnerability can affect compliance with common standards and regulations in the following ways:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access or disclosure of personal data, it could violate GDPR requirements for data protection and privacy. Organizations may face penalties for failing to protect personal data from such vulnerabilities.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI), this vulnerability could result in unauthorized access to sensitive health data. HIPAA requires safeguards to protect PHI, and a breach caused by this vulnerability could lead to non-compliance and potential fines.
  • Other Standards: Compliance frameworks like ISO 27001 or NIST require organizations to manage and mitigate vulnerabilities in their systems. Failure to address this vulnerability could result in non-compliance with these standards, potentially affecting certifications or audits.
Detection Guidance

Detecting this vulnerability involves checking if your system is using a vulnerable version of the Pillow library (prior to 12.3.0) and identifying whether malicious McIdas AREA image files are being processed. Below are some steps and commands to help detect the issue.

  • Check the installed version of Pillow in your Python environment. Run the following command to verify the version: pip show Pillow. If the version is earlier than 12.3.0, your system is vulnerable.
  • Scan for McIdas AREA image files in your system or network. These files may be crafted to exploit the vulnerability. Use commands like find / -name "*.area" -o -name "*.AREA" to locate such files.
  • Monitor for unusual memory access patterns or crashes when processing image files, particularly McIdas AREA files. Tools like strace or debugging utilities (e.g., gdb) can help trace memory access violations.
  • Review logs or error reports for segmentation faults or memory corruption errors that occur during image processing, especially when using Pillow's Image.tobytes(), getpixel, convert, or save functions.
Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps to reduce the risk of exploitation.

  • Upgrade Pillow to version 12.3.0 or later. This version includes the fix for the vulnerability. Use the command: pip install --upgrade Pillow==12.3.0.
  • If upgrading is not immediately possible, avoid processing McIdas AREA image files from untrusted sources. Restrict access to such files until the library is updated.
  • Implement input validation for image files, particularly those in the McIdas AREA format. Ensure that the files are from trusted sources before processing them.
  • Monitor systems for signs of exploitation, such as unexpected crashes or memory access errors during image processing. Isolate affected systems if exploitation is suspected.
  • Review and apply any additional security patches or updates provided by the Pillow maintainers to address related vulnerabilities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart