<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pillow (8.2.0 Through 12.2.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pillow-8.2.0-through-12.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:29:44 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pillow-8.2.0-through-12.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Pillow Python Imaging Library Vulnerable to Out-of-Memory via Crafted JPEG2000</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/</link><pubDate>Tue, 14 Jul 2026 20:29:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/</guid><description>A denial-of-service vulnerability, CVE-2026-59204, exists in the Pillow Python imaging library versions 8.2.0 through 12.2.0, allowing a remote attacker to trigger an out-of-memory error and crash applications by processing a specially crafted tiled JPEG2000 image.</description><content:encoded><![CDATA[<p>CVE-2026-59204 identifies a denial-of-service vulnerability in the Pillow Python imaging library, affecting versions from 8.2.0 up to, but not including, 12.3.0. The flaw resides in <code>src/libImaging/Jpeg2KDecode.c</code>, where the <code>total_component_width</code> variable accumulates incorrectly across every tile in a JPEG2000 image during decoding, rather than being reset per tile. This miscalculation allows an attacker to craft a malicious tiled JPEG2000 file that, when processed by a vulnerable Pillow instance, forces a substantially higher transient memory allocation. This excessive memory request leads to an out-of-memory (OOM) error, causing the Python application using Pillow to crash or become unresponsive. The vulnerability enables unauthenticated denial-of-service against applications relying on Pillow for JPEG2000 image processing. The issue has been fixed in Pillow version 12.3.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Crafting Malicious Input</strong>: An attacker creates a specially crafted tiled JPEG2000 image file designed to exploit the memory accumulation logic within Pillow's <code>Jpeg2KDecode.c</code>.</li>
<li><strong>Delivery</strong>: The attacker delivers the malicious JPEG2000 image to a target system. This could occur through various means such as an upload to a web application, an email attachment, or embedding in other file formats, targeting any Python application that processes images using Pillow.</li>
<li><strong>Initiate Processing</strong>: A Python application, utilizing a vulnerable version of the Pillow library (8.2.0-12.2.0), attempts to open, decode, or otherwise process the received malicious JPEG2000 image.</li>
<li><strong>Vulnerable Decoding</strong>: During the decoding of the tiled JPEG2000 image, the <code>src/libImaging/Jpeg2KDecode.c</code> component executes its internal logic.</li>
<li><strong>Incorrect Memory Calculation</strong>: The <code>total_component_width</code> variable within the <code>Jpeg2KDecode.c</code> function incorrectly accumulates its value across all tiles, rather than recomputing it for each individual tile, due to the crafted image structure.</li>
<li><strong>Excessive Memory Request</strong>: This incorrect calculation leads Pillow to request a significantly larger amount of transient memory than necessary to handle the image data.</li>
<li><strong>Out-of-Memory (OOM)</strong>: The system is unable to fulfill the excessive memory allocation request, resulting in an out-of-memory error being triggered.</li>
<li><strong>Denial of Service</strong>: The Python application processing the image crashes or becomes unresponsive, leading to a denial of service for the application or the service it provides.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59204 results in a denial-of-service condition for any Python application or service that utilizes the vulnerable Pillow library (versions 8.2.0 through 12.2.0) to process JPEG2000 images. When a crafted image is processed, the application will crash due to an out-of-memory error, rendering it unavailable to legitimate users. This can lead to significant operational disruptions, loss of service availability, and potential data processing backlogs, particularly for image-intensive applications or services. While no specific victim count or targeted sectors are provided, any organization using affected Pillow versions is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59204 immediately by upgrading the Pillow library to version 12.3.0 or newer to mitigate the out-of-memory vulnerability.</li>
<li>Monitor application logs for out-of-memory errors, application crashes, or sudden process terminations specifically related to image processing tasks, as these may indicate attempted or successful exploitation of CVE-2026-59204.</li>
<li>Implement robust input validation and sanitization for all user-supplied image files, particularly JPEG2000, to detect and reject malformed or unusually large files before they are processed by the Pillow library.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>vulnerability</category><category>denial-of-service</category><category>python</category><category>imaging-library</category></item></channel></rss>