CVE-2026-42308 | THREATINT

Description

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M

MEDIUM: 5.1CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-190: Integer Overflow or Wraparound

Product status

< 12.2.0

affected

References

github.com/...Pillow/security/advisories/GHSA-wjx4-4jcj-g98j

github.com/python-pillow/Pillow/releases/tag/12.2.0

cve.org (CVE-2026-42308)

nvd.nist.gov (CVE-2026-42308)

Download JSON