Vulnerabilities ›

CVE-2026-42311

High

CWE-190 — Weakness Type

                    Published: May 9, 2026                      ·  Modified: May 16, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.

🤖 AI Executive Summary

Pillow Python imaging library versions 10.3.0 to 12.1.x are vulnerable to memory corruption when processing malicious PSD files, potentially enabling arbitrary code execution. The vulnerability has been patched in version 12.2.0 and requires immediate updating.

📄 Description (Arabic)

ثغرة في مكتبة Pillow الشهيرة لمعالجة الصور تؤثر على الإصدارات من 10.3.0 إلى 12.1.x وتسمح بتلف الذاكرة عند معالجة ملفات PSD المصممة بشكل ضار. يمكن للمهاجمين استغلال هذه الثغرة لتحقيق تنفيذ كود عشوائي أو التسبب في انهيار التطبيق.

🤖 ملخص تنفيذي (AI)

مكتبة Pillow لمعالجة الصور في Python تحتوي على ثغرة في الإصدارات من 10.3.0 إلى 12.1.x تسمح بتلف الذاكرة عند معالجة ملفات PSD ضارة. تم إصلاح الثغرة في الإصدار 12.2.0.

🤖 AI Intelligence Analysis Analyzed: May 15, 2026 05:00

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking government telecom

🎯 MITRE ATT&CK Techniques

T1190 T1203 T1499

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Update Pillow library to version 12.2.0 or later immediately. Implement input validation for PSD files, restrict file upload capabilities, and monitor systems for suspicious image processing activities. Disable PSD file processing if not required.

🔧 خطوات المعالجة (العربية)

قم بتحديث مكتبة Pillow إلى الإصدار 12.2.0 أو أحدث فوراً. طبق التحقق من صحة ملفات PSD، قيد قدرات تحميل الملفات، ومراقبة الأنظمة للأنشطة المريبة في معالجة الصور. عطل معالجة ملفات PSD إذا لم تكن مطلوبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.6.1 A.14.2.1

🔵 SAMA CSF

ID.RA-1 PR.IP-1

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1 A.14.2.5

🔗 References & Sources 4

🔗

https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea

security-advisories@github.com

Patch

🔗

https://github.com/python-pillow/Pillow/pull/9520

security-advisories@github.com

Issue Tracking Patch

🔗

https://github.com/python-pillow/Pillow/releases/tag/12.2.0

security-advisories@github.com

Product Release Notes

🔗

https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr

security-advisories@github.com

Patch Vendor Advisory

📦 Affected Products / CPE 1 entries

python:pillow

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-190

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-05-09

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-190

🏢 Vendor Advisories

🔗 https://github.com/python-pillow/Pillow/security/adv...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-42311

Introduce Yourself

Sign In Required