CVE-2026-42308
MEDIUM5.5EPSS 0.01%Pillow: Integer overflow when processing fonts
發布日:2026/5/4修改日:2026/5/27
描述
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
受影響套件(4)
- Bitnami/pillowfrom 0, < 12.2.0
- Debian/pillowfrom 0
- PyPI/pillowfrom 0, < 12.2.0
- PyPI/pillowfrom 0, < 12.2.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-42308
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-42308
- PATCHhttps://github.com/python-pillow/Pillow
- WEBhttps://github.com/python-pillow/Pillow/releases/tag/12.2.0
- WEBhttps://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j