CVE-2026-42309

MEDIUM5.5EPSS 0.01%

Pillow has a heap buffer overflow with nested list coordinates

發布日:2026/5/4修改日:2026/5/13

也稱為:GHSA-5xmw-vc9v-4wf2BIT-pillow-2026-42309CGA-f8pr-jmvr-24qx

描述

Passing nested lists as coordinates to APIs that accept coordinates such as `ImagePath.Path`, `ImageDraw.ImageDraw.polygon` and `ImageDraw.ImageDraw.line` could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This was introduced in Pillow 11.2.1.

受影響套件(3)

Bitnami/pillow>= 11.2.1, < 12.2.0
Debian/pillowfrom 0, < 12.2.0-1
PyPI/pillow>= 11.2.1, < 12.2.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-42309
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-42309
PATCHhttps://github.com/python-pillow/Pillow
WEBhttps://github.com/python-pillow/Pillow/releases/tag/12.2.0
WEBhttps://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2