CVE-2026-55379

Python Pillow · Pillow

Pillow is vulnerable to a memory allocation issue where an attacker can trigger excessive memory consumption, leading to a denial-of-service condition.

Executive summary

A memory allocation vulnerability in the Pillow imaging library allows unauthenticated attackers to cause a denial-of-service via excessive resource consumption.

Vulnerability

This vulnerability (CWE-789) permits an unauthenticated attacker to trigger a memory allocation with an excessive size value during image processing. By providing a malicious image file, an attacker can exhaust system memory, leading to an application crash.

Business impact

The vulnerability carries a CVSS score of 7.5, indicating a high risk of service unavailability. A successful exploit can cause critical system instability, potentially impacting downstream business processes that rely on image-processing capabilities.

Remediation

Immediate Action: Upgrade to Pillow version 12.3.0 or later to remediate the underlying memory allocation flaw.

Proactive Monitoring: Review system performance metrics for anomalous memory spikes occurring during image upload or transformation operations.

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect image uploads for known malformed patterns and enforce strict file size limitations.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given that this vulnerability is automatable and has a confirmed PoC, organizations should treat this as a high-priority update. Patching to version 12.3.0 is the only reliable method to eliminate this denial-of-service vector.