CVE-2026-42309
Pillow has a heap buffer overflow with nested list coordinates
Severity: 5.5 MEDIUM (CVSS 3.1) | EPSS 0.01%
Description
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
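The fix described above, validating that every coordinate slot holds exactly two numbers instead of recursively unpacking whatever it finds, can also be applied on the caller's side before data reaches ImagePath.Path, polygon or line. The following is an added example, not Pillow's own code; `validate_coordinates`, `pillow_version_is_affected` and the X.Y.Z version-string assumption are this example's own, and the affected range is taken from this advisory.

```python
"""Caller-side checks for CVE-2026-42309 (added example, not Pillow code)."""
import re
from numbers import Real


def _is_number(v):
    # bool is a subclass of int; refuse True/False as coordinates
    return isinstance(v, Real) and not isinstance(v, bool)


def validate_coordinates(xy):
    """Normalize xy into a flat list [x0, y0, x1, y1, ...] of floats.

    Accepts a flat even-length sequence of numbers or a sequence of
    (x, y) pairs. Odd-length flat lists, pairs that are not exactly two
    numbers, and nested sequences inside a pair raise ValueError rather
    than being unpacked, which is the behaviour the 12.2.0 fix enforces.
    """
    xy = list(xy)
    if not xy:
        raise ValueError("coordinate list is empty")
    if all(_is_number(v) for v in xy):
        if len(xy) % 2:
            raise ValueError("flat coordinate list must have an even length")
        return [float(v) for v in xy]
    flat = []
    for point in xy:
        if not isinstance(point, (list, tuple)):
            raise ValueError(f"coordinate {point!r} is not an (x, y) pair")
        if len(point) != 2 or not all(_is_number(v) for v in point):
            # Exactly the shape the advisory describes: a nested list or a
            # wrong-length entry where a two-number pair was expected.
            raise ValueError(f"coordinate {point!r} must be exactly two numbers")
        flat.extend(float(v) for v in point)
    return flat


def pillow_version_is_affected(version):
    """True for Pillow >= 11.2.1 and < 12.2.0 (range from this advisory).

    Assumes a release string of the form X.Y or X.Y.Z (constructed parser,
    not a full PEP 440 implementation).
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string {version!r}")
    v = tuple(int(p or 0) for p in m.groups())
    return (11, 2, 1) <= v < (12, 2, 0)
```

Run the validated list through `ImageDraw.ImageDraw.polygon` or `line` as usual; the point is that malformed input is rejected in Python before any native buffer is sized.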
How to fix CVE-2026-42309
To remediate CVE-2026-42309, upgrade the affected package to a fixed version below.
- —upgrade to 12.2.0 or later
- —upgrade to 12.2.0-1 or later
- —upgrade to 12.2.0 or later
Is CVE-2026-42309 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 11.2.1, < 12.2.0
- from 0, < 12.2.0-1
- >= 11.2.1, < 12.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |