DEBIAN-CVE-2026-42309

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-42309

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42309.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-42309

Upstream

CVE-2026-42309

Published

2026-05-09T06:16:10.073Z

Modified

2026-05-13T18:02:21.510055Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.

References

https://security-tracker.debian.org/tracker/CVE-2026-42309

Affected packages

Debian:14 / pillow

Package

Name: pillow
Purl: pkg:deb/debian/pillow?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.2.0-1

Affected versions

11.*

11.1.0-5

11.2.1-1

11.3.0-1

12.*

12.0.0-1

12.1.0-1

12.1.1-1

12.1.1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42309.json"