CVE-2026-40192

HIGH SEVERITY

Vulnerability Description

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

Vulnerability Details

Published Date

April 13, 2026

Last Modified

April 15, 2026

CWE ID

CWE-400

Source

GitHub

Vendor

pip

Product

pillow

External References

https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
https://github.com/python-pillow/Pillow/pull/9521
https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb
https://github.com/advisories/GHSA-whj4-6x5x-4v2j

CVE-2026-40192

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment