{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3apythonpillow/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-59203"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pillow 12.0.0","Pillow 12.1.0","Pillow 12.2.0"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","python","pillow"],"_cs_type":"threat","_cs_vendors":["Python"],"content_html":"\u003cp\u003eCVE-2026-59203 describes a denial-of-service vulnerability affecting Pillow, a widely used Python imaging library, in versions 12.0.0 through 12.2.0. The flaw resides within the EPS parser (specifically in \u003ccode\u003ePIL/EpsImagePlugin.py\u003c/code\u003e), which improperly handles a negative byte count in the \u003ccode\u003e%%BeginBinary\u003c/code\u003e directive of an Encapsulated PostScript (EPS) file. An attacker can craft a malicious EPS file that, when processed by Pillow's \u003ccode\u003eImage.open()\u003c/code\u003e function, causes the parser to repeatedly seek backward and parse the same directive, leading to an infinite loop and resource exhaustion. This can render applications relying on Pillow unresponsive or crash them. The vulnerability was discovered by GitHub, Inc. and is addressed in Pillow version 12.3.0. No specific threat actors or active exploitation campaigns have been reported, but the broad usage of Pillow makes this a significant concern for applications processing untrusted image files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a specially crafted Encapsulated PostScript (EPS) file.\u003c/li\u003e\n\u003cli\u003eThe crafted EPS file is designed to include a negative byte count within the \u003ccode\u003e%%BeginBinary\u003c/code\u003e directive.\u003c/li\u003e\n\u003cli\u003eThe victim's application, using Pillow versions 12.0.0 through 12.2.0, attempts to open and process this malicious EPS file via \u003ccode\u003eImage.open()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePillow's EPS parser (\u003ccode\u003ePIL/EpsImagePlugin.py\u003c/code\u003e) encounters the malformed \u003ccode\u003e%%BeginBinary\u003c/code\u003e directive.\u003c/li\u003e\n\u003cli\u003eDue to the negative byte count, the parser attempts to seek backwards within the file stream to the location of the same directive.\u003c/li\u003e\n\u003cli\u003eThis incorrect seeking results in the parser entering an infinite loop, continuously parsing the same malformed directive.\u003c/li\u003e\n\u003cli\u003eThe infinite loop consumes excessive CPU and memory resources, leading to a denial of service for the application and potentially the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59203 leads to a denial of service (DoS) condition. Applications that use affected versions of Pillow (12.0.0 through 12.2.0) to process untrusted EPS files may become unresponsive, hang indefinitely, or crash entirely due to the infinite loop consuming all available CPU and memory resources. While no specific victim counts or targeted sectors are detailed, any organization processing user-supplied or external EPS images with vulnerable Pillow versions is at risk of application downtime and resource exhaustion, impacting service availability and operational continuity. This can disrupt services, degrade user experience, and require manual intervention to restore affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59203 on all systems using Pillow versions 12.0.0 through 12.2.0 by upgrading the \u003ccode\u003ePillow\u003c/code\u003e library to version 12.3.0 or later.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for EPS files processed by applications to prevent malformed data from reaching vulnerable Pillow versions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:43:50Z","date_published":"2026-07-14T20:43:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pillow-dos/","summary":"A denial-of-service vulnerability, CVE-2026-59203, exists in the Python imaging library Pillow, affecting versions 12.0.0 through 12.2.0, where a specially crafted EPS file with a negative byte count in the `%%BeginBinary` directive can cause an infinite loop and resource exhaustion when processed by the `Image.open()` function, leading to application unresponsiveness.","title":"Denial-of-Service Vulnerability in Pillow EPS Parser (CVE-2026-59203)","url":"https://feed.craftedsignal.io/briefs/2026-07-pillow-dos/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-59198"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pillow (5.2.0 - 12.2.x)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","out-of-bounds-read","python"],"_cs_type":"advisory","_cs_vendors":["Python"],"content_html":"\u003cp\u003ePillow, a popular Python imaging library, contains a high-severity out-of-bounds read vulnerability (CVE-2026-59198) affecting versions 5.2.0 up to, but not including, 12.3.0. The flaw resides in the TGA RLE encoder where, during the process of saving a mode 1 image with TGA RLE compression, the encoder reads past its packed row buffer. This action causes adjacent process heap memory contents to be inadvertently copied into the generated TGA file. This vulnerability enables an attacker to potentially disclose sensitive information stored in the application's heap memory by exploiting an application that uses a vulnerable version of Pillow to save images. The issue was identified and a fix has been implemented in Pillow version 12.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application or service that processes and saves images using a vulnerable version of the Pillow library (versions 5.2.0 to 12.2.x).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or manipulates an input that triggers the application to save a \u0026quot;mode 1\u0026quot; image utilizing TGA RLE compression.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Pillow TGA RLE encoder, when processing the image saving request, attempts to read beyond the designated packed row buffer.\u003c/li\u003e\n\u003cli\u003eDue to the out-of-bounds read, adjacent bytes from the application's process heap memory are erroneously included in the data written to the output TGA file.\u003c/li\u003e\n\u003cli\u003eThe application completes the image saving operation, producing a TGA file that contains both the image data and leaked heap memory contents.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the generated TGA file, either directly if the application provides it, or through other means if the file is stored in an accessible location.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the retrieved TGA file to extract the leaked heap memory data, which may contain sensitive information such as pointers, credentials, or other application-specific data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59198 primarily leads to information disclosure. An attacker could potentially extract sensitive data from the process heap, which might include authentication tokens, API keys, partial memory layouts, or other confidential information residing in memory. The severity of the impact depends on the nature of the data present in the adjacent heap memory at the time of exploitation. While no specific victim counts or targeted sectors are mentioned, any application using affected Pillow versions to save TGA images is at risk of leaking internal memory contents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all instances of the Pillow library to version 12.3.0 or later to patch CVE-2026-59198.\u003c/li\u003e\n\u003cli\u003eReview applications that handle image processing, especially those saving TGA format images, to ensure they are using a secure version of the Pillow library.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:42:59Z","date_published":"2026-07-14T20:42:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pillow-tga-rle-oob/","summary":"A critical out-of-bounds read vulnerability, CVE-2026-59198, exists in Pillow versions 5.2.0 through 12.2.x, specifically within its TGA RLE encoder, allowing adjacent process heap bytes to be copied into generated TGA files, which can lead to information disclosure.","title":"Pillow TGA RLE Encoder Out-of-Bounds Read (CVE-2026-59198)","url":"https://feed.craftedsignal.io/briefs/2026-07-pillow-tga-rle-oob/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59204"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pillow (8.2.0 through 12.2.0)"],"_cs_severities":["low"],"_cs_tags":["vulnerability","denial-of-service","python","imaging-library"],"_cs_type":"advisory","_cs_vendors":["Python"],"content_html":"\u003cp\u003eCVE-2026-59204 identifies a denial-of-service vulnerability in the Pillow Python imaging library, affecting versions from 8.2.0 up to, but not including, 12.3.0. The flaw resides in \u003ccode\u003esrc/libImaging/Jpeg2KDecode.c\u003c/code\u003e, where the \u003ccode\u003etotal_component_width\u003c/code\u003e variable accumulates incorrectly across every tile in a JPEG2000 image during decoding, rather than being reset per tile. This miscalculation allows an attacker to craft a malicious tiled JPEG2000 file that, when processed by a vulnerable Pillow instance, forces a substantially higher transient memory allocation. This excessive memory request leads to an out-of-memory (OOM) error, causing the Python application using Pillow to crash or become unresponsive. The vulnerability enables unauthenticated denial-of-service against applications relying on Pillow for JPEG2000 image processing. The issue has been fixed in Pillow version 12.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCrafting Malicious Input\u003c/strong\u003e: An attacker creates a specially crafted tiled JPEG2000 image file designed to exploit the memory accumulation logic within Pillow's \u003ccode\u003eJpeg2KDecode.c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The attacker delivers the malicious JPEG2000 image to a target system. This could occur through various means such as an upload to a web application, an email attachment, or embedding in other file formats, targeting any Python application that processes images using Pillow.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitiate Processing\u003c/strong\u003e: A Python application, utilizing a vulnerable version of the Pillow library (8.2.0-12.2.0), attempts to open, decode, or otherwise process the received malicious JPEG2000 image.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Decoding\u003c/strong\u003e: During the decoding of the tiled JPEG2000 image, the \u003ccode\u003esrc/libImaging/Jpeg2KDecode.c\u003c/code\u003e component executes its internal logic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIncorrect Memory Calculation\u003c/strong\u003e: The \u003ccode\u003etotal_component_width\u003c/code\u003e variable within the \u003ccode\u003eJpeg2KDecode.c\u003c/code\u003e function incorrectly accumulates its value across all tiles, rather than recomputing it for each individual tile, due to the crafted image structure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExcessive Memory Request\u003c/strong\u003e: This incorrect calculation leads Pillow to request a significantly larger amount of transient memory than necessary to handle the image data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOut-of-Memory (OOM)\u003c/strong\u003e: The system is unable to fulfill the excessive memory allocation request, resulting in an out-of-memory error being triggered.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The Python application processing the image crashes or becomes unresponsive, leading to a denial of service for the application or the service it provides.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59204 results in a denial-of-service condition for any Python application or service that utilizes the vulnerable Pillow library (versions 8.2.0 through 12.2.0) to process JPEG2000 images. When a crafted image is processed, the application will crash due to an out-of-memory error, rendering it unavailable to legitimate users. This can lead to significant operational disruptions, loss of service availability, and potential data processing backlogs, particularly for image-intensive applications or services. While no specific victim count or targeted sectors are provided, any organization using affected Pillow versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59204 immediately by upgrading the Pillow library to version 12.3.0 or newer to mitigate the out-of-memory vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for out-of-memory errors, application crashes, or sudden process terminations specifically related to image processing tasks, as these may indicate attempted or successful exploitation of CVE-2026-59204.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization for all user-supplied image files, particularly JPEG2000, to detect and reject malformed or unusually large files before they are processed by the Pillow library.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:29:44Z","date_published":"2026-07-14T20:29:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/","summary":"A denial-of-service vulnerability, CVE-2026-59204, exists in the Pillow Python imaging library versions 8.2.0 through 12.2.0, allowing a remote attacker to trigger an out-of-memory error and crash applications by processing a specially crafted tiled JPEG2000 image.","title":"Pillow Python Imaging Library Vulnerable to Out-of-Memory via Crafted JPEG2000","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}