CVE-2026-42311: Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)

Published May 4, 2026
·
Updated

### Impact Processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. ### Patches Patched version: 12.2.0 Pillow 12.1.1 addressed CVE-2026-25990 by adding checks for tile extents in PSD image decoding/encoding to prevent an out-of-bounds write. However, the bounds checks computed tile extent sums using types susceptible to integer overflow, meaning a PSD image with carefully chosen tile dimensions could produce values that wrap around and bypass the checks, still triggering an out-of-bounds write in src/decode.c and src/encode.c. The fix avoids adding extents together before comparison. ### Workarounds Use any version but affected versions: >= 10.3.0, < 12.2.0 ### Resources - Fix: https://github.com/python-pillow/Pillow/pull/9520 - Original issue: CVE-2026-25990 (Pillow 12.1.1)

Affected Software

2 affected componentsFixes available
pip/pillow>=10.3.0<12.2.0
12.2.0
Python Pillow>=10.3.0<12.2.0

Remediation

Patch Available

https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea

Patch Available

https://github.com/python-pillow/Pillow/pull/9520

Patch Available

https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr

Event History

May 4, 2026
Advisory Published
via GitHub·08:20 PM
Data Sourced
via GitHub·08:20 PM
DescriptionWeaknessAffected Software
May 9, 2026
CVE Published
via MITRE·04:11 AM
Data Sourced
via MITRE·04:11 AM
DescriptionWeakness
Data Sourced
via NVD·06:16 AM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-42311?

CVE-2026-42311 is a critical vulnerability that can lead to memory corruption and potentially arbitrary code execution.

2

How do I fix CVE-2026-42311?

To fix CVE-2026-42311, upgrade to the patched version 12.2.0 of the Pillow library.

3

What vulnerability does CVE-2026-42311 address?

CVE-2026-42311 addresses vulnerabilities in processing malicious PSD files that could cause crashes.

4

Which versions of Pillow are affected by CVE-2026-42311?

Versions of Pillow from 10.3.0 up to but not including 12.2.0 are affected by CVE-2026-42311.

5

What types of attacks can CVE-2026-42311 facilitate?

CVE-2026-42311 can facilitate attacks leading to memory corruption and arbitrary code execution through malicious PSD files.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203