GHSA-pwv6-vv43-88gr

Pillow 12.1.1 addressed CVE-2026-25990 by adding checks for tile extents in PSD image decoding/encoding to prevent an out-of-bounds write. However, the bounds checks computed tile extent sums using types susceptible to integer overflow, meaning a PSD image with carefully chosen tile dimensions could produce values that wrap around and bypass the checks, still triggering an out-of-bounds write in src/decode.c and src/encode.c. The fix avoids adding extents together before comparison.

Workarounds

Use any version but affected versions: >= 10.3.0, < 12.2.0

Resources

Fix: https://github.com/python-pillow/Pillow/pull/9520
Original issue: CVE-2026-25990 (Pillow 12.1.1)

Database specific

{
    "cwe_ids": [
        "CWE-190",
        "CWE-787"
    ],
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2026-05-04T20:20:31Z",
    "nvd_published_at": "2026-05-09T06:16:10Z"
}

References

Affected packages

PyPI / pillow

Package

Name: pillow; View open source insights on deps.dev
Purl: pkg:pypi/pillow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.3.0

Fixed

12.2.0

Affected versions

10.*

10.3.0

10.4.0

11.*

11.0.0

11.1.0

11.2.1

11.3.0

12.*

12.0.0

12.1.0

12.1.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pwv6-vv43-88gr/GHSA-pwv6-vv43-88gr.json"