Pillow: Heap buffer overflow with nested list coordinates_CVE-2026-42309

5.1 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.

Basic Information

ID CVE-2026-42309

Source GitHub_M

Published May 9, 2026 at 04:08

Affected Product

Vendor python-pillow

Product Pillow

Version >= 11.2.1, < 12.2.0

Affected Versions python-pillow Pillow >= 11.2.1, < 12.2.0

CWE Classification

CWE-122

References

{
    "lastseen": "",
    "description": "Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.",
    "published": "2026-05-09T04:08:10.517Z",
    "modified": "2026-05-09T04:08:10.517Z",
    "type": "cve",
    "title": "Pillow: Heap buffer overflow with nested list coordinates",
    "source": "GitHub_M",
    "references": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2\nhttps://github.com/python-pillow/Pillow/releases/tag/12.2.0",
    "id": "CVE-2026-42309",
    "bulletinFamily": "",
    "cwe": [
        "CWE-122"
    ],
    "cvelist": null,
    "sourceData": "python-pillow Pillow >= 11.2.1, < 12.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Pillow",
    "version": ">= 11.2.1, < 12.2.0",
    "vendor": "python-pillow",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}