CVE-2026-54059
Undergoing Analysis Undergoing Analysis - In Progress

Pillow Memory Allocation Flaw in PCF Font Handling

Vulnerability report for CVE-2026-54059, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python pillow to 12.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-54059 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability CVE-2026-54059 affects the Python Imaging Library (Pillow), specifically the function PcfFontFile._load_bitmaps(). This function reads glyph dimensions from the PCF METRICS section and passes them directly to Image.frombytes() without performing a decompression bomb check.

Because the glyph dimensions come from unsigned 16-bit values, an attacker can craft PCF font files with extremely large pixel counts (up to 8.5 billion pixels), which bypasses memory allocation protections.

This leads to excessive memory allocation when loading these malicious PCF fonts, potentially causing denial-of-service conditions by exhausting system memory.

Impact Analysis

This vulnerability can cause excessive memory consumption when loading maliciously crafted PCF font files, leading to denial-of-service (DoS) conditions.

There are two attack scenarios: one where a large image is persistently stored in memory, and another where a small PCF file triggers a large memory allocation before an exception is raised.

Services or applications that load PCF fonts from untrusted sources are particularly at risk, as they may be forced to allocate excessive memory, potentially crashing or severely degrading system performance.

Detection Guidance

This vulnerability occurs when Pillow versions up to 12.2.0 load PCF font files without performing a decompression bomb check, leading to excessive memory allocation. Detection involves identifying if your system or applications use a vulnerable Pillow version and whether they process PCF font files from untrusted sources.

You can detect vulnerable Pillow versions by running the following Python command to check the installed Pillow version:

  • python -c "import PIL; print(PIL.__version__)"

If the version is 12.2.0 or earlier, your system is vulnerable.

To detect if PCF font files are being loaded or processed, you can search your codebase or logs for usage of PCF fonts or the PIL.PcfFontFile module.

Currently, there are no specific network commands or signatures to detect exploitation attempts, as the vulnerability is triggered by loading crafted PCF font files within applications using Pillow.

Mitigation Strategies

The primary mitigation step is to upgrade the Pillow library to version 12.3.0 or later, where this vulnerability is fixed by adding the necessary decompression bomb checks when loading PCF font files.

If upgrading immediately is not possible, avoid loading or processing PCF font files from untrusted or unauthenticated sources to prevent exploitation.

Additionally, monitor memory usage of applications using Pillow to detect abnormal spikes that could indicate attempted exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54059. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart