MEDIUM 5.5 PyPI

Pillow has a heap buffer overflow with nested list coordinates

GHSA-5xmw-vc9v-4wf2 · BIT-pillow-2026-42309 · CVE-2026-42309

Description

Passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This was introduced in Pillow 11.2.1.
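The defect described above is an input-shape problem: a recursive flatten turns `[[0, [0, 1]], [2, 3]]` into five numbers while the caller allocated room for four. The following added example (not Pillow's own code; the function names and the pure-Python model of the unguarded flatten are this editor's assumptions) contrasts that unguarded behaviour with a validator that enforces the rule the fix states, each coordinate being exactly two numeric values, before any buffer is sized from the input.

```python
from collections.abc import Sequence
from numbers import Real


def _is_number(value):
    # bool is a subclass of int; treat it as non-numeric for coordinates.
    return isinstance(value, Real) and not isinstance(value, bool)


def _is_sequence(value):
    # str/bytes are Sequences too but are never valid coordinate containers.
    return isinstance(value, Sequence) and not isinstance(value, (str, bytes))


def naive_flatten(xy):
    """Model of the faulty behaviour: recursively unpack whatever nesting
    the caller supplies. In pure Python this only produces a list that is
    longer than expected; in a C extension that sized its buffer from
    len(xy) it is the out-of-bounds write the advisory describes."""
    out = []
    for item in xy:
        if _is_sequence(item):
            out.extend(naive_flatten(item))
        else:
            out.append(float(item))
    return out


def normalize_coordinates(xy):
    """Return a flat list [x0, y0, x1, y1, ...] or raise.

    Accepts a flat, even-length sequence of numbers, or a sequence of
    (x, y) pairs. Each pair must contain exactly two numeric values; any
    deeper nesting is rejected instead of being recursively unpacked.
    """
    if not _is_sequence(xy):
        raise TypeError("coordinates must be a list or tuple")
    if not xy:
        raise ValueError("coordinate list must not be empty")

    # Flat form: [x0, y0, x1, y1, ...]
    if all(_is_number(v) for v in xy):
        if len(xy) % 2:
            raise ValueError("flat coordinate list must have even length")
        return [float(v) for v in xy]

    # Paired form: [(x0, y0), (x1, y1), ...]
    flat = []
    for index, item in enumerate(xy):
        if not _is_sequence(item):
            raise TypeError(f"coordinate {index} must be a (x, y) pair")
        if len(item) != 2:
            raise ValueError(
                f"coordinate {index} must contain exactly two values, got {len(item)}"
            )
        x, y = item
        if not (_is_number(x) and _is_number(y)):
            raise TypeError(f"coordinate {index} contains a non-numeric value")
        flat.extend((float(x), float(y)))
    return flat


def overflow_amount(xy):
    """How many values past a 2*len(xy) buffer the unguarded flatten
    would have written for this input (0 for well-formed input)."""
    expected = 2 * len(xy)
    return max(0, len(naive_flatten(xy)) - expected)


if __name__ == "__main__":
    # Constructed inputs: a well-formed polygon and a nested one.
    good = [(0, 0), (10, 0), (10, 10)]
    nested = [[0, [0, 1]], [2, 3]]
    print(normalize_coordinates(good))
    print("unguarded flatten overflows by", overflow_amount(nested))
    try:
        normalize_coordinates(nested)
    except TypeError as exc:
        print("rejected:", exc)
```

The check runs before any buffer is allocated from `len(xy)`, so the count used for sizing and the count of values actually written can no longer diverge.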
