CVE-2026-59205

Source
https://cve.org/CVERecord?id=CVE-2026-59205
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59205.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59205
Aliases
Downstream
Published
2026-07-14T15:48:39.962Z
Modified
2026-07-15T20:11:15.582336837Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Pillow: Controlled heap out-of-bounds write in `ImageCmsTransform.apply()` via output mode mismatch
Details

Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's declared output mode. This issue is fixed in version 12.3.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59205.json"
}
References

Affected packages

Git / github.com/python-pillow/pillow

Affected ranges

Type
GIT
Repo
https://github.com/python-pillow/pillow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.3.0"
        }
    ]
}

Affected versions

1.*
1.0
1.2
1.7.7
1.7.8
10.*
10.0.0
10.1.0
10.2.0
10.3.0
10.4.0
11.*
11.0.0
11.1.0
11.2.1
11.3.0
12.*
12.0.0
12.1.0
12.2.0
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.3.0
2.5.0
2.7.0
2.8.0
2.8.1
2.9.0
2.9.0.dev0
2.9.0.dev1
2.9.0.dev2
3.*
3.1.0
3.1.0-rc1
3.2.0
3.3.0
3.4.0
4.*
4.0.0
4.0.0a
4.1.0
4.2.0
4.3.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
6.*
6.0.0
6.1.0
6.2.0
7.*
7.0.0
7.1.0
7.2.0
8.*
8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
9.*
9.0.0
9.1.0
9.2.0
9.3.0
9.4.0
9.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59205.json"