CVE-2026-42309

Source
https://cve.org/CVERecord?id=CVE-2026-42309
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42309.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-42309
Aliases
Downstream
Related
Published
2026-05-09T04:08:10.517Z
Modified
2026-06-18T03:56:24.195442249Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Pillow: Heap buffer overflow with nested list coordinates
Details

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-122"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42309.json"
}
References

Affected packages

Git / github.com/python-pillow/pillow

Affected ranges

Type
GIT
Repo
https://github.com/python-pillow/pillow
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "11.2.1"
        },
        {
            "fixed": "12.2.0"
        },
        {
            "introduced": "11.2.1"
        },
        {
            "fixed": "12.2.0"
        }
    ],
    "cpe": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*"
}

Affected versions

11.2.1
11.3.0
12.0.0
12.1.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42309.json"