CVE-2026-54059

Python-Pillow · Pillow

The Pillow imaging library is vulnerable to memory allocation issues when processing images with excessive size values, potentially leading to denial-of-service.

Executive summary

A vulnerability in the Pillow library prior to version 12.3.0 allows for memory allocation exhaustion, which can be triggered by processing malicious image inputs.

Vulnerability

This issue stems from improper validation of specified quantity during memory allocation (CWE-789), allowing an unauthenticated attacker to trigger an application crash by submitting a specially crafted image file.

Business impact

The CVSS score of 7.5 reflects the high impact on service availability. Applications that utilize Pillow to process user-provided images are at risk of being forced into a crash or consuming excessive system resources, which can lead to significant application downtime and instability.

Remediation

Immediate Action: Update the Pillow library to version 12.3.0 or later in all application environments.

Proactive Monitoring: Monitor application error logs for crashes related to image processing tasks and track memory usage spikes during file uploads.

Compensating Controls: Implement strict file size limits and use sandboxed environments (e.g., containers with restricted memory limits) to process untrusted image uploads before they reach the main application logic.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Because Pillow is a widely used library, the risk of broad, indirect exploitation is significant. Developers must prioritize updating their project dependencies to version 12.3.0 or higher to mitigate the risk of denial-of-service attacks targeting image-processing workflows.