{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/imaging-library/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59204"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pillow (8.2.0 through 12.2.0)"],"_cs_severities":["low"],"_cs_tags":["vulnerability","denial-of-service","python","imaging-library"],"_cs_type":"advisory","_cs_vendors":["Python"],"content_html":"\u003cp\u003eCVE-2026-59204 identifies a denial-of-service vulnerability in the Pillow Python imaging library, affecting versions from 8.2.0 up to, but not including, 12.3.0. The flaw resides in \u003ccode\u003esrc/libImaging/Jpeg2KDecode.c\u003c/code\u003e, where the \u003ccode\u003etotal_component_width\u003c/code\u003e variable accumulates incorrectly across every tile in a JPEG2000 image during decoding, rather than being reset per tile. This miscalculation allows an attacker to craft a malicious tiled JPEG2000 file that, when processed by a vulnerable Pillow instance, forces a substantially higher transient memory allocation. This excessive memory request leads to an out-of-memory (OOM) error, causing the Python application using Pillow to crash or become unresponsive. The vulnerability enables unauthenticated denial-of-service against applications relying on Pillow for JPEG2000 image processing. The issue has been fixed in Pillow version 12.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCrafting Malicious Input\u003c/strong\u003e: An attacker creates a specially crafted tiled JPEG2000 image file designed to exploit the memory accumulation logic within Pillow's \u003ccode\u003eJpeg2KDecode.c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The attacker delivers the malicious JPEG2000 image to a target system. This could occur through various means such as an upload to a web application, an email attachment, or embedding in other file formats, targeting any Python application that processes images using Pillow.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitiate Processing\u003c/strong\u003e: A Python application, utilizing a vulnerable version of the Pillow library (8.2.0-12.2.0), attempts to open, decode, or otherwise process the received malicious JPEG2000 image.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Decoding\u003c/strong\u003e: During the decoding of the tiled JPEG2000 image, the \u003ccode\u003esrc/libImaging/Jpeg2KDecode.c\u003c/code\u003e component executes its internal logic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIncorrect Memory Calculation\u003c/strong\u003e: The \u003ccode\u003etotal_component_width\u003c/code\u003e variable within the \u003ccode\u003eJpeg2KDecode.c\u003c/code\u003e function incorrectly accumulates its value across all tiles, rather than recomputing it for each individual tile, due to the crafted image structure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExcessive Memory Request\u003c/strong\u003e: This incorrect calculation leads Pillow to request a significantly larger amount of transient memory than necessary to handle the image data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOut-of-Memory (OOM)\u003c/strong\u003e: The system is unable to fulfill the excessive memory allocation request, resulting in an out-of-memory error being triggered.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The Python application processing the image crashes or becomes unresponsive, leading to a denial of service for the application or the service it provides.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59204 results in a denial-of-service condition for any Python application or service that utilizes the vulnerable Pillow library (versions 8.2.0 through 12.2.0) to process JPEG2000 images. When a crafted image is processed, the application will crash due to an out-of-memory error, rendering it unavailable to legitimate users. This can lead to significant operational disruptions, loss of service availability, and potential data processing backlogs, particularly for image-intensive applications or services. While no specific victim count or targeted sectors are provided, any organization using affected Pillow versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59204 immediately by upgrading the Pillow library to version 12.3.0 or newer to mitigate the out-of-memory vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for out-of-memory errors, application crashes, or sudden process terminations specifically related to image processing tasks, as these may indicate attempted or successful exploitation of CVE-2026-59204.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization for all user-supplied image files, particularly JPEG2000, to detect and reject malformed or unusually large files before they are processed by the Pillow library.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:29:44Z","date_published":"2026-07-14T20:29:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/","summary":"A denial-of-service vulnerability, CVE-2026-59204, exists in the Pillow Python imaging library versions 8.2.0 through 12.2.0, allowing a remote attacker to trigger an out-of-memory error and crash applications by processing a specially crafted tiled JPEG2000 image.","title":"Pillow Python Imaging Library Vulnerable to Out-of-Memory via Crafted JPEG2000","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59204-pillow-oom/"}],"language":"en","title":"CraftedSignal Threat Feed - Imaging-Library","version":"https://jsonfeed.org/version/1.1"}