CVE-2026-40192 | THREATINT

Description

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

PUBLISHED Reserved 2026-04-09 | Published 2026-04-15 | Updated 2026-04-16 | Assigner GitHub_M

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-400: Uncontrolled Resource Consumption

Product status

>= 10.3.0, < 12.2.0

affected

References

github.com/...Pillow/security/advisories/GHSA-whj4-6x5x-4v2j

github.com/python-pillow/Pillow/pull/9521

github.com/...ommit/3cb854e8b2bab43f40e342e665f9340d861aa628

pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

cve.org (CVE-2026-40192)

nvd.nist.gov (CVE-2026-40192)

Download JSON