PyPI: pillow
CVE-2026-42309
Safety vulnerability ID: SFTY-20260504-48378
Safety legacy ID: pyup.io-95893
Overview
Pillow has a heap buffer overflow with nested list coordinates
Advisory
Affected versions of the pillow package are vulnerable to a heap-based buffer overflow due to insufficient validation of coordinate input passed to drawing APIs. Passing nested lists as coordinates to ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line causes nested lists to be recursively unpacked beyond the allocated buffer, since coordinate lists were not validated to contain exactly two numeric values. An attacker who can control the coordinate input supplied to these APIs can trigger an out-of-bounds heap write, resulting in memory corruption and potentially impacting the availability of the affected process.
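As an added example (not code from this advisory or from the Pillow project), a caller-side check that enforces the invariant the advisory names, every coordinate being exactly two numeric values, before untrusted input reaches ImagePath.Path, ImageDraw.ImageDraw.polygon or ImageDraw.ImageDraw.line; the names validate_coordinates and is_safe_coordinates are hypothetical, and the check is defence in depth for callers, not a substitute for the library fix.

```python
from collections.abc import Sequence
from numbers import Real
from typing import Any, List, Tuple

def _is_number(value: Any) -> bool:
    # bool is a subclass of int; a True/False coordinate is almost always a
    # caller bug, so it is rejected here (a design choice of this example).
    return isinstance(value, Real) and not isinstance(value, bool)

def validate_coordinates(coords: Any) -> List[Tuple[float, float]]:
    """Normalise untrusted coordinates into a list of (x, y) float pairs.

    Accepts only the two shapes Pillow documents for its drawing APIs:
      * a flat, even-length sequence of numbers   [x0, y0, x1, y1, ...]
      * a sequence of 2-element sequences         [(x0, y0), (x1, y1), ...]
    Deeper nesting, a point that is not exactly two numbers, or any
    non-numeric value raises ValueError before Pillow's native code runs.
    """
    if isinstance(coords, (str, bytes)) or not isinstance(coords, Sequence):
        raise ValueError("coordinates must be a list or tuple")
    items = list(coords)
    if not items:
        raise ValueError("coordinates must not be empty")
    if all(_is_number(v) for v in items):
        if len(items) % 2:
            raise ValueError("flat coordinate list must have an even length")
        return [(float(items[i]), float(items[i + 1]))
                for i in range(0, len(items), 2)]
    points: List[Tuple[float, float]] = []
    for point in items:
        # Each point must itself be a flat 2-element sequence; this is the
        # level at which nested lists were previously accepted unchecked.
        if (isinstance(point, (str, bytes)) or not isinstance(point, Sequence)
                or len(point) != 2):
            raise ValueError(f"each point must be exactly two numbers: {point!r}")
        x, y = point
        if not (_is_number(x) and _is_number(y)):
            raise ValueError(f"point holds a nested or non-numeric value: {point!r}")
        points.append((float(x), float(y)))
    return points

def is_safe_coordinates(coords: Any) -> bool:
    """True if validate_coordinates() would accept coords unchanged."""
    try:
        validate_coordinates(coords)
    except ValueError:
        return False
    return True
```

Call validate_coordinates() on any externally supplied coordinate list and pass only its return value to draw.polygon(), draw.line() or ImagePath.Path(); the normalised output is a shape those APIs already accept.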
How to Fix
Mitigation and Workarounds
Vulnerable Functions
References
- https://getsafety.com/vulnerabilities/SFTY-20260504-48378/CVE-2026-42309
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42309
- https://data.safetycli.com/changelogs/pillow/
- https://github.com/advisories/GHSA-5xmw-vc9v-4wf2
- https://pypi.org/project/pillow
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2
- https://nvd.nist.gov/vuln/detail/CVE-2026-42309
- https://github.com/python-pillow/Pillow/releases/tag/12.2.0
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
