CVE-2026-42308
Description
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances the current position by an exceedingly large amount for each glyph, the counter Pillow uses to track that position may overflow (integer overflow, CWE-190). This issue has been patched in version 12.2.0.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42308
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-42308.html
Vendor advisory: security-advisories@github.com — https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
Vendor advisory: security-advisories@github.com — https://github.com/python-pillow/Pillow/releases/tag/12.2.0
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 12.2.0-1 |
| debian | sid | fixed | 12.2.0-1 |
| debian | trixie | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| python | pillow | < 12.2.0 | 12.2.0 |
References
- https://github.com/python-pillow/Pillow/releases/tag/12.2.0
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
- https://nvd.nist.gov/vuln/detail/CVE-2026-42308
- https://github.com/python-pillow/Pillow
- https://www.suse.com/security/cve/CVE-2026-42308.html
- https://security-tracker.debian.org/tracker/CVE-2026-42308
- https://github.com/advisories/GHSA-wjx4-4jcj-g98j
CWEs
CWE-190