๐Ÿ” CVE Alert

CVE-2026-59204

UNKNOWN 0.0

Pillow JPEG2000 tiled decode retains a growing scratch buffer and can be used for denial of service

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Pillow is a Python imaging library. From 8.2.0 through 12.2.0, src/libImaging/Jpeg2KDecode.c accumulates total_component_width across every tile in a JPEG2000 image instead of recomputing it per tile, allowing a crafted tiled JPEG2000 file to force substantially higher transient memory usage and trigger out-of-memory failures during decoding. This issue is fixed in version 12.3.0.

CWE CWE-789
Vendor python-pillow
Product pillow
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for python-pillow pillow

Be the first to know when new unknown vulnerabilities affecting python-pillow pillow are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

python-pillow / Pillow
>= 8.2.0, < 12.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/python-pillow/Pillow/security/advisories/GHSA-vjc4-5qp5-m44j github.com: https://github.com/python-pillow/Pillow/pull/9704 github.com: https://github.com/python-pillow/Pillow/commit/13ada41172142f2fd9f0906f615a00ea623a11ca github.com: https://github.com/python-pillow/Pillow/releases/tag/12.3.0