<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3apythonpillow/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:43:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3apythonpillow/feed.xml" rel="self" type="application/rss+xml"/><item><title>Denial-of-Service Vulnerability in Pillow EPS Parser (CVE-2026-59203)</title><link>https://feed.craftedsignal.io/briefs/2026-07-pillow-dos/</link><pubDate>Tue, 14 Jul 2026 20:43:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pillow-dos/</guid><description>A denial-of-service vulnerability, CVE-2026-59203, exists in the Python imaging library Pillow, affecting versions 12.0.0 through 12.2.0, where a specially crafted EPS file with a negative byte count in the `%%BeginBinary` directive can cause an infinite loop and resource exhaustion when processed by the `Image.open()` function, leading to application unresponsiveness.</description><content:encoded><![CDATA[<p>CVE-2026-59203 describes a denial-of-service vulnerability affecting Pillow, a widely used Python imaging library, in versions 12.0.0 through 12.2.0. The flaw resides within the EPS parser (specifically in <code>PIL/EpsImagePlugin.py</code>), which improperly handles a negative byte count in the <code>%%BeginBinary</code> directive of an Encapsulated PostScript (EPS) file. An attacker can craft a malicious EPS file that, when processed by Pillow's <code>Image.open()</code> function, causes the parser to repeatedly seek backward and parse the same directive, leading to an infinite loop and resource exhaustion. This can render applications relying on Pillow unresponsive or crash them. The vulnerability was discovered by GitHub, Inc. and is addressed in Pillow version 12.3.0. No specific threat actors or active exploitation campaigns have been reported, but the broad usage of Pillow makes this a significant concern for applications processing untrusted image files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker creates a specially crafted Encapsulated PostScript (EPS) file.</li>
<li>The crafted EPS file is designed to include a negative byte count within the <code>%%BeginBinary</code> directive.</li>
<li>The victim's application, using Pillow versions 12.0.0 through 12.2.0, attempts to open and process this malicious EPS file via <code>Image.open()</code>.</li>
<li>Pillow's EPS parser (<code>PIL/EpsImagePlugin.py</code>) encounters the malformed <code>%%BeginBinary</code> directive.</li>
<li>Due to the negative byte count, the parser attempts to seek backwards within the file stream to the location of the same directive.</li>
<li>This incorrect seeking results in the parser entering an infinite loop, continuously parsing the same malformed directive.</li>
<li>The infinite loop consumes excessive CPU and memory resources, leading to a denial of service for the application and potentially the underlying system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59203 leads to a denial of service (DoS) condition. Applications that use affected versions of Pillow (12.0.0 through 12.2.0) to process untrusted EPS files may become unresponsive, hang indefinitely, or crash entirely due to the infinite loop consuming all available CPU and memory resources. While no specific victim counts or targeted sectors are detailed, any organization processing user-supplied or external EPS images with vulnerable Pillow versions is at risk of application downtime and resource exhaustion, impacting service availability and operational continuity. This can disrupt services, degrade user experience, and require manual intervention to restore affected systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59203 on all systems using Pillow versions 12.0.0 through 12.2.0 by upgrading the <code>Pillow</code> library to version 12.3.0 or later.</li>
<li>Implement robust input validation for EPS files processed by applications to prevent malformed data from reaching vulnerable Pillow versions.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>denial-of-service</category><category>vulnerability</category><category>python</category><category>pillow</category></item><item><title>Pillow TGA RLE Encoder Out-of-Bounds Read (CVE-2026-59198)</title><link>https://feed.craftedsignal.io/briefs/2026-07-pillow-tga-rle-oob/</link><pubDate>Tue, 14 Jul 2026 20:42:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pillow-tga-rle-oob/</guid><description>A critical out-of-bounds read vulnerability, CVE-2026-59198, exists in Pillow versions 5.2.0 through 12.2.x, specifically within its TGA RLE encoder, allowing adjacent process heap bytes to be copied into generated TGA files, which can lead to information disclosure.</description><content:encoded><![CDATA[<p>Pillow, a popular Python imaging library, contains a high-severity out-of-bounds read vulnerability (CVE-2026-59198) affecting versions 5.2.0 up to, but not including, 12.3.0. The flaw resides in the TGA RLE encoder where, during the process of saving a mode 1 image with TGA RLE compression, the encoder reads past its packed row buffer. This action causes adjacent process heap memory contents to be inadvertently copied into the generated TGA file. This vulnerability enables an attacker to potentially disclose sensitive information stored in the application's heap memory by exploiting an application that uses a vulnerable version of Pillow to save images. The issue was identified and a fix has been implemented in Pillow version 12.3.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a web application or service that processes and saves images using a vulnerable version of the Pillow library (versions 5.2.0 to 12.2.x).</li>
<li>The attacker crafts or manipulates an input that triggers the application to save a &quot;mode 1&quot; image utilizing TGA RLE compression.</li>
<li>The vulnerable Pillow TGA RLE encoder, when processing the image saving request, attempts to read beyond the designated packed row buffer.</li>
<li>Due to the out-of-bounds read, adjacent bytes from the application's process heap memory are erroneously included in the data written to the output TGA file.</li>
<li>The application completes the image saving operation, producing a TGA file that contains both the image data and leaked heap memory contents.</li>
<li>The attacker retrieves the generated TGA file, either directly if the application provides it, or through other means if the file is stored in an accessible location.</li>
<li>The attacker analyzes the retrieved TGA file to extract the leaked heap memory data, which may contain sensitive information such as pointers, credentials, or other application-specific data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59198 primarily leads to information disclosure. An attacker could potentially extract sensitive data from the process heap, which might include authentication tokens, API keys, partial memory layouts, or other confidential information residing in memory. The severity of the impact depends on the nature of the data present in the adjacent heap memory at the time of exploitation. While no specific victim counts or targeted sectors are mentioned, any application using affected Pillow versions to save TGA images is at risk of leaking internal memory contents.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all instances of the Pillow library to version 12.3.0 or later to patch CVE-2026-59198.</li>
<li>Review applications that handle image processing, especially those saving TGA format images, to ensure they are using a secure version of the Pillow library.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>out-of-bounds-read</category><category>python</category></item><item><title>Pillow Python Imaging Library Vulnerable to Out-of-Memory via Crafted JPEG2000</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/</link><pubDate>Tue, 14 Jul 2026 20:29:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/</guid><description>A denial-of-service vulnerability, CVE-2026-59204, exists in the Pillow Python imaging library versions 8.2.0 through 12.2.0, allowing a remote attacker to trigger an out-of-memory error and crash applications by processing a specially crafted tiled JPEG2000 image.</description><content:encoded><![CDATA[<p>CVE-2026-59204 identifies a denial-of-service vulnerability in the Pillow Python imaging library, affecting versions from 8.2.0 up to, but not including, 12.3.0. The flaw resides in <code>src/libImaging/Jpeg2KDecode.c</code>, where the <code>total_component_width</code> variable accumulates incorrectly across every tile in a JPEG2000 image during decoding, rather than being reset per tile. This miscalculation allows an attacker to craft a malicious tiled JPEG2000 file that, when processed by a vulnerable Pillow instance, forces a substantially higher transient memory allocation. This excessive memory request leads to an out-of-memory (OOM) error, causing the Python application using Pillow to crash or become unresponsive. The vulnerability enables unauthenticated denial-of-service against applications relying on Pillow for JPEG2000 image processing. The issue has been fixed in Pillow version 12.3.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Crafting Malicious Input</strong>: An attacker creates a specially crafted tiled JPEG2000 image file designed to exploit the memory accumulation logic within Pillow's <code>Jpeg2KDecode.c</code>.</li>
<li><strong>Delivery</strong>: The attacker delivers the malicious JPEG2000 image to a target system. This could occur through various means such as an upload to a web application, an email attachment, or embedding in other file formats, targeting any Python application that processes images using Pillow.</li>
<li><strong>Initiate Processing</strong>: A Python application, utilizing a vulnerable version of the Pillow library (8.2.0-12.2.0), attempts to open, decode, or otherwise process the received malicious JPEG2000 image.</li>
<li><strong>Vulnerable Decoding</strong>: During the decoding of the tiled JPEG2000 image, the <code>src/libImaging/Jpeg2KDecode.c</code> component executes its internal logic.</li>
<li><strong>Incorrect Memory Calculation</strong>: The <code>total_component_width</code> variable within the <code>Jpeg2KDecode.c</code> function incorrectly accumulates its value across all tiles, rather than recomputing it for each individual tile, due to the crafted image structure.</li>
<li><strong>Excessive Memory Request</strong>: This incorrect calculation leads Pillow to request a significantly larger amount of transient memory than necessary to handle the image data.</li>
<li><strong>Out-of-Memory (OOM)</strong>: The system is unable to fulfill the excessive memory allocation request, resulting in an out-of-memory error being triggered.</li>
<li><strong>Denial of Service</strong>: The Python application processing the image crashes or becomes unresponsive, leading to a denial of service for the application or the service it provides.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59204 results in a denial-of-service condition for any Python application or service that utilizes the vulnerable Pillow library (versions 8.2.0 through 12.2.0) to process JPEG2000 images. When a crafted image is processed, the application will crash due to an out-of-memory error, rendering it unavailable to legitimate users. This can lead to significant operational disruptions, loss of service availability, and potential data processing backlogs, particularly for image-intensive applications or services. While no specific victim count or targeted sectors are provided, any organization using affected Pillow versions is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59204 immediately by upgrading the Pillow library to version 12.3.0 or newer to mitigate the out-of-memory vulnerability.</li>
<li>Monitor application logs for out-of-memory errors, application crashes, or sudden process terminations specifically related to image processing tasks, as these may indicate attempted or successful exploitation of CVE-2026-59204.</li>
<li>Implement robust input validation and sanitization for all user-supplied image files, particularly JPEG2000, to detect and reject malformed or unusually large files before they are processed by the Pillow library.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>vulnerability</category><category>denial-of-service</category><category>python</category><category>imaging-library</category></item></channel></rss>