CVE-2026-40192
Severity: HIGH
Pillow is vulnerable to a FITS GZIP decompression bomb
Title source: cna
Description
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
References (4)
x_refsource_confirm: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
x_refsource_misc: https://github.com/python-pillow/Pillow/pull/9521
x_refsource_misc: https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
x_refsource_misc: https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb
Scores
CVSS v3: 7.5
EPSS: 0.0049
EPSS Percentile: 37.8%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (source: Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-400, CWE-770
Status: published
Products (3)
pypi/pillow (PyPI): 10.3.0 - 12.2.0
python/pillow: 10.3.0 - 12.2.0
python-pillow/Pillow: >= 10.3.0, < 12.2.0
Published: Apr 15, 2026
Tracked Since: Apr 16, 2026