CVE-2026-59204

Python Pillow · Pillow

A memory allocation vulnerability in the Pillow library allows remote attackers to trigger excessive memory consumption, leading to a denial of service.

Executive summary

Pillow versions 8.2.0 through 12.2.9 are vulnerable to a memory allocation flaw that can be exploited by remote attackers to cause a denial of service.

Vulnerability

This is a memory allocation issue (CWE-789) where the library fails to properly validate the size of memory requested during image processing. The vulnerability is exploitable by an unauthenticated remote attacker who can submit a crafted image file.

Business impact

With a CVSS score of 8.7, this vulnerability poses a severe risk to service availability. Applications relying on Pillow to process images are susceptible to crash-inducing attacks, which could lead to significant service downtime, particularly in web-facing applications that process user-uploaded content.

Remediation

Immediate Action: Update the Pillow library to version 12.3.0 or later.

Proactive Monitoring: Monitor application logs and server resource metrics for sudden spikes in memory consumption or repeated service crashes associated with image processing tasks.

Compensating Controls: Implement strict input validation and size limits on all uploaded files before they reach the image processing pipeline to mitigate the impact of malformed inputs.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the ease of remote exploitation, organizations using the Pillow library in public-facing services should prioritize upgrading to version 12.3.0. Failure to patch may leave systems vulnerable to denial-of-service attacks that could disrupt critical business workflows.