Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow) — CVE-2026-42311
GitHub · GitHub · CVE-2026-42311
ID
CVE-2026-42311
CVE-2026-42311
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.6
8.6
EPSS
0.00015
0.00015
Summary
### Impact Processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. ### Patches Patched version: 12.2.0 Pillow 12.1.1 addressed CVE-2026-25990 by adding checks for tile extents in PSD image decoding/encoding to prevent an out-of-bounds write. However, the bounds checks computed tile extent sums using types susceptible to integer overflow, meaning…
Product
pip: pillow
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.