CVE-2026-42308 — Pillow has an integer overflow when processing fonts

Description

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

How to fix CVE-2026-42308

To remediate CVE-2026-42308, upgrade the affected package to a fixed version below.

—upgrade to 12.2.0 or later
—no fix listed
—upgrade to 12.2.0 or later
—upgrade to 12.2.0 or later

Is CVE-2026-42308 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 12.2.0
from 0
from 0, < 12.2.0
from 0, < 12.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-42308
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-42308
PATCHgithub.com/python-pillow/Pillow
WEBgithub.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2026-165.yaml