Medium severity5.5GHSA Advisory· Published May 9, 2026· Updated May 12, 2026
CVE-2026-42308
CVE-2026-42308
Description
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pillowPyPI | < 12.2.0 | 12.2.0 |
Affected products
8- Range: < 12.2.0
- osv-coords6 versionspkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/superset-6.0pkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/superset-6.0pkg:bitnami/pillowpkg:pypi/pillow
< 2.16.1-r0+ 5 more
- (no CPE)range: < 2.16.1-r0
- (no CPE)range: < 6.0.0-r10
- (no CPE)range: < 2.16.1-r0
- (no CPE)range: < 6.0.0-r10
- (no CPE)range: < 12.2.0
- (no CPE)range: < 12.2.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-wjx4-4jcj-g98jghsaADVISORY
- github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98jnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-42308ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2026-165.yamlghsaWEB
- github.com/python-pillow/Pillow/releases/tag/12.2.0nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.