← back
CVE-2026-42309

Pillow: Heap buffer overflow with nested list coordinates

CVSS 5.1 MEDIUMEPSS 0.1%CWE-122
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
python-pillow · Pillow

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/python-pillow/Pillow/releases/tag/12.2.0https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2