CVE-2026-55380

Python Pillow · Pillow

Pillow is vulnerable to a memory allocation issue where an attacker can trigger excessive memory consumption, leading to a denial-of-service condition.

Executive summary

A memory allocation vulnerability in the Pillow imaging library allows unauthenticated attackers to cause a denial-of-service via excessive resource consumption.

Vulnerability

This vulnerability (CWE-789) involves the improper allocation of memory when processing image data. An unauthenticated attacker can supply a specially crafted file that forces the library to perform an overly large memory allocation, resulting in a denial-of-service.

Business impact

The CVSS score of 7.5 reflects the potential for severe impact on service availability. Organizations relying on the Pillow library for image processing are at risk of service outages if they do not address this vulnerability, which can be easily triggered over a network.

Remediation

Immediate Action: Update the Pillow library to version 12.3.0 or later to patch the memory management logic.

Proactive Monitoring: Monitor server-side logs for unexpected termination of image processing workers or processes.

Compensating Controls: Ensure that image processing services are sandboxed or run with restricted resource limits (e.g., cgroups) to prevent a single process from exhausting total system memory.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is easily exploitable and carries significant potential for service disruption. Administrators should move quickly to update to version 12.3.0 to ensure system stability and protect against potential denial-of-service attacks.