CVE-2026-55379
Python Pillow · Pillow
Pillow is vulnerable to a memory allocation issue where an attacker can trigger excessive memory consumption, leading to a denial-of-service condition.
Executive summary
A memory allocation vulnerability in the Pillow imaging library allows unauthenticated attackers to cause a denial-of-service via excessive resource consumption.
Vulnerability
This vulnerability (CWE-789) permits an unauthenticated attacker to trigger a memory allocation with an excessive size value during image processing. By providing a malicious image file, an attacker can exhaust system memory, leading to an application crash.
Business impact
The vulnerability carries a CVSS score of 7.5, indicating a high risk of service unavailability. A successful exploit can cause critical system instability, potentially impacting downstream business processes that rely on image-processing capabilities.
Remediation
Immediate Action: Upgrade to Pillow version 12.3.0 or later to remediate the underlying memory allocation flaw.
Proactive Monitoring: Review system performance metrics for anomalous memory spikes occurring during image upload or transformation operations.
Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect image uploads for known malformed patterns and enforce strict file size limitations.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given that this vulnerability is automatable and has a confirmed PoC, organizations should treat this as a high-priority update. Patching to version 12.3.0 is the only reliable method to eliminate this denial-of-service vector.