CVE-2026-40192
FITS GZIP decompression bomb in Pillow
CVSS 3.1: 7.5 (HIGH)
EPSS: 0.02%
Description
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
How to fix CVE-2026-40192
To remediate CVE-2026-40192, upgrade the affected package to one of the fixed versions below.
- upgrade to 12.2.0 or later
- upgrade to 11.1.0-5+deb13u2 or later
- upgrade to 12.2.0 or later
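The workaround in the description (open only specific image formats, excluding FITS) maps to Pillow's `formats=` argument of `Image.open`, which limits which decoder plugins are consulted. The following is an added example, not code from the advisory or from the Pillow project; it assumes that argument and uses sample inputs constructed in memory.

```python
"""Workaround for CVE-2026-40192: decode only an allowlist of image formats."""
import io

from PIL import Image, UnidentifiedImageError

# Formats this application actually needs. FITS is deliberately absent, so the
# FITS plugin (and its GZIP handling) never sees untrusted bytes.
ALLOWED_FORMATS = ("PNG", "JPEG")


def open_image_restricted(data: bytes, allowed=ALLOWED_FORMATS) -> Image.Image:
    """Decode untrusted bytes using only the allowlisted format plugins.

    With formats=[...] Pillow consults just those plugins' signature checks and
    raises UnidentifiedImageError when none accepts the data, instead of trying
    every registered plugin, FITS included.
    """
    img = Image.open(io.BytesIO(data), formats=list(allowed))
    img.load()  # decode now so any error surfaces here, not at a later access
    return img


def is_accepted(data: bytes, allowed=ALLOWED_FORMATS) -> bool:
    """True if the bytes decode under the allowlist, False if they are rejected."""
    try:
        open_image_restricted(data, allowed)
        return True
    except UnidentifiedImageError:
        return False


def sample_png() -> bytes:
    """A constructed 4x4 PNG, built in memory so the example runs offline."""
    buf = io.BytesIO()
    Image.new("RGB", (4, 4), "white").save(buf, format="PNG")
    return buf.getvalue()


def sample_fits_header() -> bytes:
    """Constructed bytes carrying the FITS signature (80-column 'SIMPLE' card).

    This is only a header, not a decompression bomb; it is enough to show that
    the FITS plugin is not consulted when FITS is outside the allowlist.
    """
    card = b"SIMPLE  =                    T"
    return card.ljust(80) + b"END".ljust(80)


if __name__ == "__main__":
    print("PNG accepted:", is_accepted(sample_png()))           # True
    print("FITS accepted:", is_accepted(sample_fits_header()))  # False
```

Restricting formats is a stopgap for deployments that cannot upgrade yet; upgrading to a fixed version remains the remediation.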
Is CVE-2026-40192 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 10.3.0, < 12.2.0
- from 0, < 11.1.0-5+deb13u2
- >= 10.3.0, < 12.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |