CVE-2026-40192
Pillow is vulnerable to a FITS GZIP decompression bomb
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
13th
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
| CWE | CWE-770 CWE-400 |
| Vendor | python-pillow |
| Product | pillow |
| Published | Apr 15, 2026 |
| Last Updated | Apr 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for python-pillow pillow
Be the first to know when new unknown vulnerabilities affecting python-pillow pillow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
python-pillow / Pillow
>= 10.3.0, < 12.2.0
References
github.com: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j github.com: https://github.com/python-pillow/Pillow/pull/9521 github.com: https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 pillow.readthedocs.io: https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb