CVE-2026-59204

Summary

Pillow is a Python imaging library. From 8.2.0 through 12.2.0, src/libImaging/Jpeg2KDecode.c accumulates total_component_width across every tile in a JPEG2000 image instead of recomputing it per tile, allowing a crafted tiled JPEG2000 file to force substantially higher transient memory usage and trigger out-of-memory failures during decoding. This issue is fixed in version 12.3.0.

Affected Software

VendorProductVersion RangeStatus
python-pillowPillow>= 8.2.0, < 12.3.0affected

Weaknesses

  • CWE-789: CWE-789: Memory Allocation with Excessive Size Value

References