CVE-2026-40192
published 2026-04-15
Priority: P343 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.67% (47.4th percentile)
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| python-pillow | pillow | — | — |
| python | pillow (PyPI) | >= 10.3.0, < 12.2.0 | 12.2.0 |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 8.7 HIGH
VulDB
Pillow up to 12.1.x FITS Image allocation of resources (GHSA-whj4-6x5x-4v2j)
vuldb · 2026-04-16 · CVSS 8.7 · CVE-2026-40192 [HIGH]
A vulnerability classified as problematic was found in Pillow up to 12.1.x. The impacted element is an unknown function of the component FITS Image Handler. Executing a manipulation can lead to allocation of resources.
This vulnerability is handled as CVE-2026-40192. The attack can be executed remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
FITS GZIP decompression bomb in Pillow
ghsa · 2026-04-13 · CVE-2026-40192 [HIGH] · CWE-400
### Impact
Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).
### Patches
The amount of data read is now limited to the necessary amount.
Fixed in Pillow 12.2.0 (PR #9521).
### Workarounds
Avoid Pillow >= 10.3.0, < 12.2.0
Only open [specific image formats](https://pillow.readthedocs.io/en/stable/releasenotes/8.0.0.html#image-open-add-formats-parameter), excluding FITS.
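The two defences this advisory describes, bounding the amount of decompressed data to what the image actually needs (the shape of the 12.2.0 fix) and the `Image.open(..., formats=[...])` workaround that keeps the FITS plugin from ever running, as an added example. This is not Pillow's code and not how its FITS plugin is implemented internally; the byte budget derived from BITPIX and NAXISn follows the FITS standard, while `bounded_gunzip`, `decode_fits_tile`, `DecompressionBomb`, `SAFE_FORMATS` and the all-zero test bomb are constructed here for illustration.

```python
"""Added example (not Pillow's own code): bound GZIP output to what the
image needs, and apply the advisory's formats= workaround for unpatched
installs.  Helper names, SAFE_FORMATS and the all-zero bomb are constructed
here; the BITPIX/NAXISn size rule is the FITS standard.
"""
import gzip
import zlib


class DecompressionBomb(ValueError):
    """Compressed data would expand past the caller's byte budget."""


def expected_pixel_bytes(bitpix: int, *naxes: int) -> int:
    """Bytes a FITS data array occupies: |BITPIX|/8 per pixel times the
    product of NAXIS1..NAXISn.  BITPIX is one of 8, 16, 32, 64, -32, -64."""
    if bitpix not in (8, 16, 32, 64, -32, -64):
        raise ValueError(f"invalid BITPIX {bitpix}")
    if not naxes or any(a < 0 for a in naxes):
        raise ValueError("NAXISn values must be present and non-negative")
    n = abs(bitpix) // 8
    for axis in naxes:
        n *= axis
    return n


def bounded_gunzip(data: bytes, max_output: int) -> bytes:
    """Decompress one gzip member, refusing to produce more than max_output bytes.

    zlib.decompressobj(wbits=16+MAX_WBITS) parses the gzip framing; passing
    max_length to decompress() means a bomb is rejected once max_output + 1
    bytes exist, not after the full expansion.  The unbounded equivalent,
    which is the vulnerable pattern, is simply gzip.decompress(data).
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while pending and not d.eof:
        room = max_output - len(out)            # always >= 0 at this point
        out += d.decompress(pending, room + 1)  # ask for one byte past budget
        if len(out) > max_output:
            raise DecompressionBomb(
                f"gzip stream expands past {max_output} bytes "
                f"({len(data)} bytes compressed)")
        pending = d.unconsumed_tail             # input zlib has not consumed yet
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def decode_fits_tile(compressed: bytes, bitpix: int, *naxes: int) -> bytes:
    """Bounded decode of a GZIP-compressed FITS data block: the header's
    geometry, not the compressed stream, decides how many bytes to accept."""
    return bounded_gunzip(compressed, expected_pixel_bytes(bitpix, *naxes))


def is_bomb(compressed: bytes, max_output: int) -> bool:
    """True if decompressing would exceed max_output bytes."""
    try:
        bounded_gunzip(compressed, max_output)
    except DecompressionBomb:
        return True
    return False


def make_zero_bomb(expanded_size: int) -> bytes:
    """Constructed test input: gzip of all-zero bytes compresses roughly
    1000:1, so 8 MiB of output costs about 8 KiB of input."""
    return gzip.compress(bytes(expanded_size), compresslevel=9)


SAFE_FORMATS = ["PNG", "JPEG", "GIF", "WEBP"]   # assumption: tune to your app


def open_image_without_fits(fp, formats=SAFE_FORMATS):
    """Advisory workaround for Pillow >= 10.3.0, < 12.2.0: Image.open(fp,
    formats=...) only tries the listed plugins, so FitsImagePlugin never
    runs.  Pillow is imported lazily so the helpers above work without it."""
    from PIL import Image
    return Image.open(fp, formats=formats)


if __name__ == "__main__":
    bomb = make_zero_bomb(8 * 1024 * 1024)
    print(f"bomb: {len(bomb)} bytes compressed, 8 MiB expanded")
    # A 100x100 16-bit image needs 20000 bytes; the bomb is rejected early.
    print("rejected:", is_bomb(bomb, expected_pixel_bytes(16, 100, 100)))
    # A stream that fits its declared geometry decodes normally.
    tile = make_zero_bomb(20000)
    print("decoded:", len(decode_fits_tile(tile, 16, 100, 100)), "bytes")
```

The budget comes from the already-parsed header, so a file whose compressed payload claims a 100x100 image but inflates to gigabytes is refused after one extra byte. The `formats=` wrapper is the stop-gap for installs that cannot upgrade yet; it does nothing for code paths that call the FITS plugin directly.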
Red Hat
Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
vendor_redhat · 2026-04-15 · CVSS 8.7 · CVE-2026-40192 [HIGH] · CWE-409
A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service (DoS) by providing a specially crafted FITS image file. The library's failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory consumption, causing the system to crash or experience severe performance issues.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: lightspeed-core/rag-tool-rhel9 (Lightspeed Core) - Affected
Package: openshift-li
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40192 python-pillow: Pillow: Denial of Service via decompression bomb in FITS image processing [fedora-all]
bugzilla · 2026-04-16 · CVSS 8.7 · CVE-2026-40192 [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-40192 python-pillow: Pillow: Denial of Service via decompression bomb in FITS image processing [epel-all]
bugzilla · 2026-04-16 · CVSS 8.7 · CVE-2026-40192 [HIGH]
Bugzilla
CVE-2026-40192 Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
bugzilla · 2026-04-16 · CVSS 8.7 · CVE-2026-40192 [HIGH]
References
https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
https://github.com/python-pillow/Pillow/pull/9521
https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb
https://access.redhat.com/errata/RHSA-2026:16008
https://access.redhat.com/errata/RHSA-2026:16009
https://access.redhat.com/errata/RHSA-2026:16030
https://access.redhat.com/errata/RHSA-2026:16174
https://access.redhat.com/errata/RHSA-2026:17609
https://access.redhat.com/errata/RHSA-2026:17611
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:22629
https://access.redhat.com/errata/RHSA-2026:22840
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:24761
https://access.redhat.com/errata/RHSA-2026:24762
https://access.redhat.com/errata/RHSA-2026:24853
https://access.redhat.com/errata/RHSA-2026:24866
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:27076
https://access.redhat.com/security/cve/CVE-2026-40192
https://bugzilla.redhat.com/show_bug.cgi?id=2458856
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40192.json
Published: 2026-04-15