{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fits/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pillow"],"_cs_severities":["high"],"_cs_tags":["decompression-bomb","denial-of-service","pillow","fits"],"_cs_type":"advisory","_cs_vendors":["Pillow"],"content_html":"\u003cp\u003ePillow, a widely used Python image processing library, is susceptible to a denial-of-service vulnerability when handling specially crafted FITS (Flexible Image Transport System) image files. This flaw, identified as CVE-2026-40192, exists in versions 10.3.0 up to (but not including) 12.2.0. The vulnerability arises from a lack of proper bounds checking during GZIP decompression of FITS image data. An attacker can exploit this by creating a malicious FITS file containing a GZIP-compressed data stream that, when decompressed, expands to an inordinately large size, exhausting available memory resources. This can lead to an out-of-memory (OOM) crash or severe performance degradation, effectively denying service to applications relying on Pillow for image processing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious FITS image file containing a GZIP-compressed data stream.\u003c/li\u003e\n\u003cli\u003eThe GZIP compressed stream is engineered to expand to an extremely large size when decompressed.\u003c/li\u003e\n\u003cli\u003eA vulnerable application using Pillow (versions 10.3.0 - 12.1.x) attempts to open and process the malicious FITS file using the \u003ccode\u003ePIL.Image.open()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003ePillow's FITS image decoder begins decompressing the GZIP stream without proper size limits.\u003c/li\u003e\n\u003cli\u003eThe decompression process consumes an excessive amount of memory as the data expands.\u003c/li\u003e\n\u003cli\u003eSystem memory is exhausted, leading to either an out-of-memory (OOM) condition or significant performance slowdown.\u003c/li\u003e\n\u003cli\u003eThe application using Pillow crashes or becomes unresponsive.\u003c/li\u003e\n\u003cli\u003eDenial of service is achieved due to resource exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-40192) results in a denial-of-service condition. Applications using vulnerable versions of Pillow become unresponsive or crash, disrupting normal operations. The impact is particularly significant for systems that automatically process FITS images, such as astronomical data analysis pipelines or medical imaging applications. The number of affected systems depends on the prevalence of vulnerable Pillow versions within these environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pillow to version 12.2.0 or later to remediate the vulnerability as detailed in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-whj4-6x5x-4v2j\"\u003ehttps://github.com/advisories/GHSA-whj4-6x5x-4v2j\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, limit the file types processed by Pillow using the \u003ccode\u003eformats\u003c/code\u003e parameter to \u003ccode\u003eImage.open()\u003c/code\u003e, excluding FITS files as described in the Pillow documentation (\u003ca href=\"https://pillow.readthedocs.io/en/stable/releasenotes/8.0.0.html#image-open-add-formats-parameter\"\u003ehttps://pillow.readthedocs.io/en/stable/releasenotes/8.0.0.html#image-open-add-formats-parameter\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement resource monitoring to detect excessive memory consumption by processes using Pillow, and alert on or terminate such processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-pillow-fits-gzip-bomb/","summary":"Pillow versions 10.3.0 through 12.1.x are vulnerable to a decompression bomb attack via maliciously crafted FITS images, leading to excessive memory consumption and denial of service, resolved in version 12.2.0.","title":"Pillow FITS Image GZIP Decompression Bomb Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-pillow-fits-gzip-bomb/"}],"language":"en","title":"CraftedSignal Threat Feed - Fits","version":"https://jsonfeed.org/version/1.1"}