PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55379 Python CVE debrief

CVE-2026-55379 is a high-severity vulnerability in Pillow, a Python imaging library. The issue arises from the library's handling of BDF font files, specifically in the `bdf_char()` function of `PIL/BdfFontFile.py`. Prior to version 12.3.0, this function reads the BBX width and height fields from a BDF font file and passes attacker-controlled dimensions to `Image.new()` without calling `Image._decompression_bomb_check()`. This bypasses Pillow's decompression bomb protection, potentially leading to excessive memory allocation and a denial-of-service (DoS) attack. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. Affected users should upgrade to Pillow version 12.3.0 or later and limit the use of BDF font files from untrusted sources.

Vendor
Python
Product
Pillow
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

This vulnerability affects users of Pillow, particularly those who handle BDF font files or use Pillow in applications that process untrusted font files. Developers and administrators using Pillow in their projects should be aware of this issue and take steps to mitigate it by upgrading to a secure version or implementing compensating controls.

Technical summary

The vulnerability exists in the `bdf_char()` function of `PIL/BdfFontFile.py` in Pillow versions prior to 12.3.0. This function fails to properly validate and sanitize the BBX width and height fields from BDF font files, leading to potential decompression bomb attacks. An attacker could exploit this by providing a malicious BDF font file that, when processed by Pillow, could cause excessive memory allocation. The issue can be mitigated by upgrading to Pillow version 12.3.0 or later.

Defensive priority

High

Recommended defensive actions

  • Upgrade Pillow to version 12.3.0 or later
  • Limit the use of BDF font files from untrusted sources
  • Implement additional monitoring and protection measures for applications using Pillow
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-06T19:17:08.577Z and was last modified on 2026-07-07T18:59:01.817Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected Pillow versions and upgrade or apply mitigations as needed.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T19:17:08.577Z and has not been modified since then. The NVD entry is currently Analyzed.