CVE-2026-42310 | THREATINT

Description

Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M

MEDIUM: 5.1CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

>= 4.2.0, < 12.2.0

affected

References

github.com/...Pillow/security/advisories/GHSA-r73j-pqj5-w3x7

github.com/python-pillow/Pillow/pull/9519

github.com/...ommit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468

github.com/python-pillow/Pillow/releases/tag/12.2.0

cve.org (CVE-2026-42310)

nvd.nist.gov (CVE-2026-42310)

Download JSON