← back
CVE-2026-42308

Pillow: Integer overflow when processing fonts

CVSS 5.1 MEDIUMEPSS 0.1%CWE-190
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
python-pillow · Pillow

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/python-pillow/Pillow/releases/tag/12.2.0https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j