PatchSiren cyber security CVE debrief
CVE-2026-55379 Python CVE debrief
CVE-2026-55379 is a high-severity vulnerability in Pillow, a Python imaging library. The issue arises from the library's handling of BDF font files, specifically in the `bdf_char()` function of `PIL/BdfFontFile.py`. Prior to version 12.3.0, this function reads the BBX width and height fields from a BDF font file and passes attacker-controlled dimensions to `Image.new()` without calling `Image._decompression_bomb_check()`. This bypasses Pillow's decompression bomb protection, potentially leading to excessive memory allocation and a denial-of-service (DoS) attack. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. Affected users should upgrade to Pillow version 12.3.0 or later and limit the use of BDF font files from untrusted sources.
- Vendor
- Python
- Product
- Pillow
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
This vulnerability affects users of Pillow, particularly those who handle BDF font files or use Pillow in applications that process untrusted font files. Developers and administrators using Pillow in their projects should be aware of this issue and take steps to mitigate it by upgrading to a secure version or implementing compensating controls.
Technical summary
The vulnerability exists in the `bdf_char()` function of `PIL/BdfFontFile.py` in Pillow versions prior to 12.3.0. This function fails to properly validate and sanitize the BBX width and height fields from BDF font files, leading to potential decompression bomb attacks. An attacker could exploit this by providing a malicious BDF font file that, when processed by Pillow, could cause excessive memory allocation. The issue can be mitigated by upgrading to Pillow version 12.3.0 or later.
Defensive priority
High
Recommended defensive actions
- Upgrade Pillow to version 12.3.0 or later
- Limit the use of BDF font files from untrusted sources
- Implement additional monitoring and protection measures for applications using Pillow
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-06T19:17:08.577Z and was last modified on 2026-07-07T18:59:01.817Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected Pillow versions and upgrade or apply mitigations as needed.
Official resources
-
CVE-2026-55379 CVE record
CVE.org
-
CVE-2026-55379 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T19:17:08.577Z and has not been modified since then. The NVD entry is currently Analyzed.