CVE-2026-59204
Pillow JPEG2000 tiled decode retains a growing scratch buffer and can be used for denial of service
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Pillow is a Python imaging library. From 8.2.0 through 12.2.0, src/libImaging/Jpeg2KDecode.c accumulates total_component_width across every tile in a JPEG2000 image instead of recomputing it per tile, allowing a crafted tiled JPEG2000 file to force substantially higher transient memory usage and trigger out-of-memory failures during decoding. This issue is fixed in version 12.3.0.
| CWE | CWE-789 |
| Vendor | python-pillow |
| Product | pillow |
| Published | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for python-pillow pillow
Be the first to know when new unknown vulnerabilities affecting python-pillow pillow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
python-pillow / Pillow
>= 8.2.0, < 12.3.0
References
github.com: https://github.com/python-pillow/Pillow/security/advisories/GHSA-vjc4-5qp5-m44j github.com: https://github.com/python-pillow/Pillow/pull/9704 github.com: https://github.com/python-pillow/Pillow/commit/13ada41172142f2fd9f0906f615a00ea623a11ca github.com: https://github.com/python-pillow/Pillow/releases/tag/12.3.0