Medium severity5.5GHSA Advisory· Published May 9, 2026· Updated May 12, 2026

CVE-2026-42310

Description

Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pillowPyPI	>= 4.2.0, < 12.2.0	12.2.0

Affected products

Python Pillow/PillowGHSA
Range: >= 4.2.0, < 12.2.0
Python (programming language)/Pillow
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Range: >=4.2.0,<12.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468nvdPatchWEB
github.com/python-pillow/Pillow/pull/9519nvdIssue TrackingPatchWEB
github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7nvdPatchVendor AdvisoryWEB
github.com/advisories/GHSA-r73j-pqj5-w3x7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42310ghsaADVISORY
github.com/python-pillow/Pillow/releases/tag/12.2.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000