Severity: 8.7 HIGH (NVD)
EPSS: 0.0% (top 87.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 15; latest update Apr 16

Description

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
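The workaround the description gives (open only the formats you need, never FITS) together with the stated affected range, as an added example that is not part of the cvebase record or of Pillow itself; the function names, the allow-list of formats and the `SIMPLE`-keyword pre-check are this example's own choices (a FITS primary header begins with the `SIMPLE` card), while `Image.open(..., formats=...)` is Pillow's documented parameter.

```python
"""Gate image loads so Pillow's FITS decoder is never reached on an affected
release. Added example; the affected range (>= 10.3.0, < 12.2.0) and the
workaround come from the advisory text, the rest is this example's choice."""
import re

# Affected range as stated in the advisory: >= 10.3.0 and < 12.2.0.
AFFECTED_MIN = (10, 3, 0)
FIXED_IN = (12, 2, 0)

# Formats this service actually needs; FITS is deliberately absent.
ALLOWED_FORMATS = ("PNG", "JPEG", "GIF")


def parse_version(version: str) -> tuple:
    """Turn '12.1.1', '10.3' or '12.1.1rc1' into a comparable 3-tuple of ints."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)  # leading digits only, ignore rc/dev tags
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the given Pillow version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def looks_like_fits(prefix: bytes) -> bool:
    """Cheap pre-check on the first bytes: a FITS primary header starts with
    the SIMPLE keyword, so such input can be rejected before any decoder runs."""
    return prefix[:6] == b"SIMPLE"


def open_image_safely(fp, allowed=ALLOWED_FORMATS):
    """Open an image while refusing FITS input.

    Pillow's `formats=` argument restricts which plugins are tried, so a FITS
    file raises PIL.UnidentifiedImageError instead of reaching the
    GZIP-inflating FITS decoder on an affected release.
    """
    from PIL import Image  # lazy import: the checks above run without Pillow

    return Image.open(fp, formats=list(allowed))
```

Pair the version check with your deployment inventory: on an affected release keep the allow-list in place until the upgrade to 12.2.0 lands.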

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

PyPI        python/pillow          introduced 10.3.0, fixed 12.2.0
CVEListV5   python-pillow/pillow   >= 10.3.0, < 12.2.0

Vulnerability Details (3)

VulDB     Pillow up to 12.1.x FITS Image allocation of resources (GHSA-whj4-6x5x-4v2j)   2026-04-16
CVEList   Pillow is vulnerable to a FITS GZIP decompression bomb   2026-04-15
GHSA      FITS GZIP decompression bomb in Pillow   2026-04-13

Vendor Advisories (1)

Red Hat   Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing   2026-04-15

Community (3)

Bugzilla  CVE-2026-40192 python-pillow: Pillow: Denial of Service via decompression bomb in FITS image processing [fedora-all]   2026-04-16
Bugzilla  CVE-2026-40192 python-pillow: Pillow: Denial of Service via decompression bomb in FITS image processing [epel-all]   2026-04-16
Bugzilla  CVE-2026-40192 Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing   2026-04-16
CVE-2026-40192 — Uncontrolled Resource Consumption | cvebase