CVE-2026-42308 MEDIUM

CVE-2026-42308: Pillow: Integer overflow when processing fonts

Vendor Python-Pillow
Product Pillow
Weakness CWE-190
Published May 9, 2026
Last update May 11, 2026

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

Key dates

02Disclosure timeline

May 9, 2026 CVE published
May 11, 2026 Record updated