Medium severity5.5GHSA Advisory· Published May 9, 2026· Updated May 12, 2026
CVE-2026-42309
CVE-2026-42309
Description
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pillowPyPI | >= 11.2.1, < 12.2.0 | 12.2.0 |
Affected products
8- Range: >= 11.2.1, < 12.2.0
- osv-coords6 versionspkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/superset-6.0pkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/superset-6.0pkg:bitnami/pillowpkg:pypi/pillow
< 2.16.1-r0+ 5 more
- (no CPE)range: < 2.16.1-r0
- (no CPE)range: < 6.0.0-r10
- (no CPE)range: < 2.16.1-r0
- (no CPE)range: < 6.0.0-r10
- (no CPE)range: >= 11.2.1, < 12.2.0
- (no CPE)range: >= 11.2.1, < 12.2.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-5xmw-vc9v-4wf2ghsaADVISORY
- github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-42309ghsaADVISORY
- github.com/python-pillow/Pillow/releases/tag/12.2.0nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.