Medium severity 5.5 · GHSA Advisory · Published May 9, 2026 · Updated May 12, 2026
CVE-2026-42310
Description
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 4.2.0, < 12.2.0 | 12.2.0 |
Affected products (8)
- Range: >= 4.2.0, < 12.2.0
- osv-coords (6 versions):
  - pkg:apk/chainguard/kubeflow-pipelines-visualization-server
  - pkg:apk/chainguard/superset-6.0
  - pkg:apk/wolfi/kubeflow-pipelines-visualization-server
  - pkg:apk/wolfi/superset-6.0
  - pkg:bitnami/pillow
  - pkg:pypi/pillow
- (no CPE) range: < 2.16.1-r0
- (no CPE) range: < 6.0.0-r10
- (no CPE) range: < 2.16.1-r0
- (no CPE) range: < 6.0.0-r10
- (no CPE) range: >= 4.2.0, < 12.2.0
- (no CPE) range: >= 4.2.0, < 12.2.0
References (6)
- github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468 (nvd: Patch, WEB)
- github.com/python-pillow/Pillow/pull/9519 (nvd: Issue Tracking, Patch, WEB)
- github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7 (nvd: Patch, Vendor Advisory, WEB)
- github.com/advisories/GHSA-r73j-pqj5-w3x7 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42310 (ghsa: ADVISORY)
- github.com/python-pillow/Pillow/releases/tag/12.2.0 (nvd: Product, Release Notes, WEB)