Vulnerability Description
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
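The defect class here is an unbounded read of compressed data: the decoder trusted the stream and kept expanding it, so a few kilobytes of GZIP input could be inflated into gigabytes of memory. The following is an added example, not Pillow's code or its fix, showing the general defensive pattern in pure standard-library Python: decompress with a hard cap on output so that memory use is bounded by a policy value rather than by the attacker's expansion ratio. `make_sample_bomb` builds a constructed in-memory GZIP stream of zeros that stands in for an untrusted payload (it is not a FITS file); `DecompressionLimitExceeded` and `decompress_bounded` are names chosen for this example.

```python
import gzip
import zlib


class DecompressionLimitExceeded(ValueError):
    """Raised when a compressed stream would expand past the configured cap."""


def make_sample_bomb(expanded_size: int) -> bytes:
    """Constructed sample input for this example: a small GZIP stream that
    expands to expanded_size zero bytes. Highly repetitive data compresses at
    roughly 1000:1, which is what makes decompression bombs cheap to send."""
    return gzip.compress(b"\x00" * expanded_size)


def decompress_bounded(data: bytes, max_output: int) -> bytes:
    """Decompress a GZIP stream, refusing to materialise more than max_output bytes.

    zlib.decompressobj(wbits=31) expects a gzip wrapper. Passing max_length to
    decompress() caps how much output a call may produce; input not needed to
    reach that cap is handed back in unconsumed_tail. Peak memory is therefore
    bounded by max_output no matter how far the stream would expand.
    """
    decomp = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = data
    while not decomp.eof:
        # Ask for at most one byte beyond the cap: receiving it proves the
        # payload is too large without ever buffering the rest of it.
        room = max_output - len(out) + 1
        produced = decomp.decompress(pending, room)
        out += produced
        if len(out) > max_output:
            consumed = len(data) - len(decomp.unconsumed_tail)
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes after reading only "
                f"{consumed} compressed bytes"
            )
        pending = decomp.unconsumed_tail
        if not pending and not produced:
            # Input exhausted, nothing more comes out, and no end-of-stream
            # marker was seen: the stream is truncated or corrupt.
            raise ValueError("truncated or corrupt gzip stream")
    return bytes(out)


def is_within_budget(data: bytes, max_output: int) -> bool:
    """Policy check a decoder can run before committing memory: True when the
    stream fully expands within max_output bytes, False when it would not."""
    try:
        decompress_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return False
    return True


if __name__ == "__main__":
    bomb = make_sample_bomb(4_000_000)  # constructed: ~4 KB in, 4 MB out
    print(f"compressed size: {len(bomb)} bytes")
    # The naive call materialises everything the stream asks for.
    print(f"unbounded expansion: {len(gzip.decompress(bomb))} bytes")
    # The bounded reader stops as soon as the budget is exceeded.
    print(f"within 256 KiB budget: {is_within_budget(bomb, 256 * 1024)}")
```

The cap should be derived from what the caller actually needs (for an image, the pixel buffer implied by the header) rather than from the compressed size, since the compressed size is exactly the quantity an attacker controls. For Pillow itself, the page's workaround of opening only specific formats maps onto the `formats` argument of `Image.open`, which restricts which plugins are tried and so keeps the FITS decoder out of the path until the upgrade to 12.2.0 is done.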
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Pillow | >= 10.3.0, < 12.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d8 (Patch)
- https://github.com/python-pillow/Pillow/pull/9521 (Issue Tracking, Patch)
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j (Mitigation, Patch, Vendor Advisory)
- https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-de (Release Notes)
FAQ
What is CVE-2026-40192?
CVE-2026-40192 is a vulnerability with a CVSS score of 7.5 (HIGH). Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attack...
How severe is CVE-2026-40192?
CVE-2026-40192 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40192?
Check the references section above for vendor advisories and patch information. Affected products include: Python Pillow.