Pillow Python Imaging Library Vulnerable to Out-of-Memory via Crafted JPEG2000
A denial-of-service vulnerability, CVE-2026-59204, exists in the Pillow Python imaging library versions 8.2.0 through 12.2.0, allowing a remote attacker to trigger an out-of-memory error and crash applications by processing a specially crafted tiled JPEG2000 image.
CVE-2026-59204 identifies a denial-of-service vulnerability in the Pillow Python imaging library, affecting versions from 8.2.0 up to, but not including, 12.3.0. The flaw resides in src/libImaging/Jpeg2KDecode.c, where the total_component_width variable accumulates incorrectly across every tile in a JPEG2000 image during decoding, rather than being reset per tile. This miscalculation allows an attacker to craft a malicious tiled JPEG2000 file that, when processed by a vulnerable Pillow instance, forces a substantially higher transient memory allocation. This excessive memory request leads to an out-of-memory (OOM) error, causing the Python application using Pillow to crash or become unresponsive. The vulnerability enables unauthenticated denial-of-service against applications relying on Pillow for JPEG2000 image processing. The issue has been fixed in Pillow version 12.3.0.
Attack Chain
- Crafting Malicious Input: An attacker creates a specially crafted tiled JPEG2000 image file designed to exploit the memory accumulation logic within Pillow's
Jpeg2KDecode.c. - Delivery: The attacker delivers the malicious JPEG2000 image to a target system. This could occur through various means such as an upload to a web application, an email attachment, or embedding in other file formats, targeting any Python application that processes images using Pillow.
- Initiate Processing: A Python application, utilizing a vulnerable version of the Pillow library (8.2.0-12.2.0), attempts to open, decode, or otherwise process the received malicious JPEG2000 image.
- Vulnerable Decoding: During the decoding of the tiled JPEG2000 image, the
src/libImaging/Jpeg2KDecode.ccomponent executes its internal logic. - Incorrect Memory Calculation: The
total_component_widthvariable within theJpeg2KDecode.cfunction incorrectly accumulates its value across all tiles, rather than recomputing it for each individual tile, due to the crafted image structure. - Excessive Memory Request: This incorrect calculation leads Pillow to request a significantly larger amount of transient memory than necessary to handle the image data.
- Out-of-Memory (OOM): The system is unable to fulfill the excessive memory allocation request, resulting in an out-of-memory error being triggered.
- Denial of Service: The Python application processing the image crashes or becomes unresponsive, leading to a denial of service for the application or the service it provides.
Impact
Successful exploitation of CVE-2026-59204 results in a denial-of-service condition for any Python application or service that utilizes the vulnerable Pillow library (versions 8.2.0 through 12.2.0) to process JPEG2000 images. When a crafted image is processed, the application will crash due to an out-of-memory error, rendering it unavailable to legitimate users. This can lead to significant operational disruptions, loss of service availability, and potential data processing backlogs, particularly for image-intensive applications or services. While no specific victim count or targeted sectors are provided, any organization using affected Pillow versions is at risk.
Recommendation
- Patch CVE-2026-59204 immediately by upgrading the Pillow library to version 12.3.0 or newer to mitigate the out-of-memory vulnerability.
- Monitor application logs for out-of-memory errors, application crashes, or sudden process terminations specifically related to image processing tasks, as these may indicate attempted or successful exploitation of CVE-2026-59204.
- Implement robust input validation and sanitization for all user-supplied image files, particularly JPEG2000, to detect and reject malformed or unusually large files before they are processed by the Pillow library.