Unrated severityNVD Advisory· Published Jul 7, 2026
Debian pillow: Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf_char…
CVE-2026-55379
Description
Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf_char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image._decompression_bomb_check(), bypassing Pillow's documented decompression bomb protection and allowing excessive memory allocation. This issue is fixed in version 12.3.0.
Affected products
2Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.