PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42308 Unknown Vendor CVE debrief

CVE-2026-42308 is a Medium-severity issue in Pillow, the Python imaging library, where excessively large glyph advance values can cause an integer overflow while Pillow tracks the current position. The issue is patched in Pillow 12.2.0. The available source record ties the weakness to CWE-190 and points to the 12.2.0 release and associated GitHub security advisory.

Vendor: Unknown Vendor
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Teams that use Pillow for font rendering or image-generation workflows should review this issue, especially if the application processes fonts or text from less-trusted sources. Security and platform owners responsible for Python dependency management should also confirm whether any deployed environments still run Pillow versions prior to 12.2.0.

Technical summary

According to the NVD record and GitHub advisory references, Pillow versions before 12.2.0 could encounter an integer overflow when a font advances for each glyph by an excessively large amount and Pillow updates its current position accordingly. The issue is classified as CWE-190. The fix shipped in Pillow 12.2.0, as referenced by the upstream release and security advisory.

Defensive priority

Moderate. This is a confirmed vulnerability with an available fix, but the supplied CVSS score is 5.1 (Medium) and the NVD vector indicates local attack conditions. Prioritize remediation where Pillow is exposed in text/font rendering paths or where dependency updates are routine and low-risk.

Recommended defensive actions

  • Upgrade Pillow to version 12.2.0 or later in all affected environments.
  • Inventory applications that use Pillow for font or text rendering and verify the installed version.
  • Review dependency manifests, lockfiles, and build artifacts to ensure the patched release is actually deployed.
  • If immediate upgrade is not possible, reduce exposure by limiting processing of untrusted or unexpected font inputs until remediation is complete.
  • Recheck downstream packages or containers that may bundle an older Pillow release even if application code has already been updated.
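The version-verification steps above (check the installed release, then check what manifests and lockfiles actually pin) can be scripted. The following is an added example written for this debrief, not code from the advisory or from the Pillow project. It takes the fixed version 12.2.0 from the advisory, uses a simplified requirements-style parser (not a full PEP 508 implementation, so markers and URLs are out of scope), and runs against a constructed sample manifest embedded inline.

```python
"""Check Pillow pins and the installed Pillow release against the CVE-2026-42308 fix (12.2.0)."""
import re
from importlib import metadata

# Patched release per the advisory. Compared as a numeric tuple so that
# 12.10.0 sorts after 12.2.0 (a plain string comparison would get this wrong).
FIXED_VERSION = (12, 2, 0)

# Matches requirements-style lines such as "Pillow==12.1.0", "pillow>=12.2.0",
# "Pillow[webp]~=12.0" or a bare "Pillow". Simplified parser; not full PEP 508.
PIN_RE = re.compile(
    r"^(pillow)\b(\[[^\]]*\])?\s*(==|>=|~=|<=|<|>|!=)?\s*([0-9][\w.\-]*)?",
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '12.2.0', '12.2' or '12.2.0.post1' into a 3-tuple of ints."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:          # stop at non-numeric tails like 'post1' or 'rc1'
            break
        parts.append(int(m.group()))
    while len(parts) < 3:  # pad '12.2' to (12, 2, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version: str) -> bool:
    """True when the given Pillow version contains the fix."""
    return parse_version(version) >= FIXED_VERSION


def check_requirements(lines):
    """Return (requirement, status) for each Pillow entry in manifest text.

    Statuses: 'ok' (resolves to a fixed release), 'vulnerable' (exact pin
    below 12.2.0), 'floor-below-fix' (a >= or ~= lower bound that still
    admits vulnerable releases) and 'unpinned' (no usable lower bound, so
    the deployed version must be checked elsewhere, e.g. in the lockfile).
    """
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        op, ver = m.group(3), m.group(4)
        if op == "==" and ver:
            status = "ok" if is_fixed(ver) else "vulnerable"
        elif op in (">=", "~=") and ver:
            status = "ok" if is_fixed(ver) else "floor-below-fix"
        else:
            status = "unpinned"
        findings.append((line, status))
    return findings


def installed_pillow_status() -> str:
    """Report the Pillow release installed in the current interpreter."""
    try:
        version = metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "ok" if is_fixed(version) else "vulnerable"


# Constructed sample manifest; not taken from any real project.
CONSTRUCTED_REQUIREMENTS = [
    "# constructed sample requirements.txt",
    "requests==2.31.0",
    "Pillow==12.1.0   # pinned below the fix",
    "pillow>=12.2.0",
    "Pillow[webp]~=12.0",
    "Pillow",
]

if __name__ == "__main__":
    print("installed Pillow:", installed_pillow_status())
    for requirement, status in check_requirements(CONSTRUCTED_REQUIREMENTS):
        print(f"{requirement:25} {status}")
```

Run the same check across every lockfile and container image build context, since a corrected application manifest does not help if a base image or a transitive dependency still resolves to an older release.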

Evidence notes

The NVD record published on 2026-05-09 identifies the issue, lists CWE-190, and references the upstream Pillow 12.2.0 release and GitHub security advisory. The supplied description states that the problem affects Pillow prior to 12.2.0 and that the issue is patched in 12.2.0. No KEV entry was provided.

Official resources

Published by NVD and referenced upstream on 2026-05-09. The supplied record shows no KEV addition and no ransomware-campaign association.