DEBIAN-CVE-2026-40192

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-40192
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40192.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-40192
Upstream
Published
2026-04-16T21:03:39.909003Z
Modified
2026-04-16T21:03:39.909003Z
Summary
[none]
Details

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

References

Affected packages

Debian:13 / pillow

Package

Name
pillow
Purl
pkg:deb/debian/pillow?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

11.*
11.1.0-5
11.1.0-5+deb13u1
11.2.1-1
11.3.0-1
12.*
12.0.0-1
12.1.0-1
12.1.1-1
12.1.1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40192.json"

Debian:14 / pillow

Package

Name
pillow
Purl
pkg:deb/debian/pillow?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

11.*
11.1.0-5
11.2.1-1
11.3.0-1
12.*
12.0.0-1
12.1.0-1
12.1.1-1
12.1.1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40192.json"