PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42309 Unknown Vendor CVE debrief

CVE-2026-42309 is a medium-severity heap buffer overflow in Pillow's coordinate handling. Nested lists passed to APIs that accept coordinates were recursively unpacked, so a nested input could produce more values than the buffer allocated for the flat coordinate array and write past its end. The issue affects Pillow from 11.2.1 up to, but not including, 12.2.0, and is fixed in 12.2.0 by validating that each coordinate list contains exactly two numeric values.

Vendor
Unknown Vendor
Product
Pillow (the stored vendor/product fields are unpopulated; the product is taken from the CVE description)
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Teams that ship Python software using Pillow to draw paths, polygons, or lines, especially where coordinate inputs may come from untrusted or loosely validated sources (for example, drawing data submitted through an API or uploaded by users). Package maintainers and platform teams should prioritize any service that accepts user-controlled drawing data.

Technical summary

The flaw is a heap buffer overflow (CWE-122) in Pillow's handling of nested coordinate lists. APIs including ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line accept a coordinate sequence and could recursively unpack nested lists past the buffer allocated for the flattened coordinates. The patched behavior in 12.2.0 rejects coordinate lists unless each entry contains exactly two numeric coordinates, so nested structures are refused before any buffer is filled.

Defensive priority

Medium. NVD assigned CVSS 5.1, and the bug can corrupt heap memory in code paths that process coordinate input. At minimum a heap overflow can crash the rendering process, so upgrade urgency is higher for applications that expose image rendering to user-supplied data or run rendering inside a shared worker process.

Recommended defensive actions

  • Upgrade Pillow to 12.2.0 or later; verify the installed version in every environment, including container images and vendored wheels.
  • Review code paths using ImagePath.Path, polygon, or line with externally influenced coordinates.
  • Add input validation and tests to ensure coordinates are flat pairs of numbers, and reject nested lists before they reach Pillow.
  • If the upgrade is delayed, restrict or sanitize all user-controlled drawing inputs and monitor for crashes (segfaults, worker restarts) in rendering workflows.
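The following is an added example, not Pillow's own code or anything from the advisory. It shows the pre-validation the technical summary and the actions list call for: a normalizer that accepts the two coordinate shapes Pillow's drawing APIs take (a flat list of numbers, or a list of two-number pairs), rejects anything nested deeper or any entry that is not exactly two numbers, and a version check for the affected range the page states (11.2.1 up to, but not including, 12.2.0). Function names such as normalize_coords and is_affected_version are this example's own; the sample inputs at the bottom are constructed.

```python
"""Pre-validate coordinates before passing them to Pillow drawing APIs.

Hypothetical hardening helper written for this debrief (not Pillow's code).
The acceptance rule mirrors the one described for the 12.2.0 fix: every
point must be exactly two numbers, and nothing nested deeper is allowed.
"""
import itertools
from collections.abc import Iterable
from numbers import Real
from typing import List, Tuple

Point = Tuple[float, float]


def _is_number(v) -> bool:
    # bool is a subclass of int; refuse it so True/False never become coordinates.
    return isinstance(v, Real) and not isinstance(v, bool)


def _is_sequence(v) -> bool:
    # Strings and bytes are iterable but are never valid coordinate containers.
    return isinstance(v, Iterable) and not isinstance(v, (str, bytes))


def normalize_coords(xy) -> List[Point]:
    """Return a flat list of (x, y) floats, or raise on anything else.

    Accepted shapes:
      [x0, y0, x1, y1, ...]        flat numbers, even count
      [(x0, y0), (x1, y1), ...]    pairs of exactly two numbers
    Rejected: nested lists such as [[(0, 0), (1, 1)]], triples, strings.
    """
    if not _is_sequence(xy):
        raise TypeError(f"coordinates must be a sequence, got {type(xy).__name__}")
    items = list(xy)
    if not items:
        return []
    if all(_is_number(v) for v in items):
        if len(items) % 2:
            raise ValueError("flat coordinate list must have an even number of values")
        return [(float(items[i]), float(items[i + 1])) for i in range(0, len(items), 2)]
    points: List[Point] = []
    for idx, item in enumerate(items):
        if not _is_sequence(item):
            raise TypeError(f"coordinate {idx} is neither a number nor a pair")
        pair = list(item)
        # This is the check the fix enforces: exactly two values, both numeric.
        # A nested list like [(0, 0), (1, 1)] has two elements but they are
        # not numbers, so it is refused here instead of being unpacked again.
        if len(pair) != 2 or not all(_is_number(v) for v in pair):
            raise ValueError(f"coordinate {idx} must be exactly two numbers, got {item!r}")
        points.append((float(pair[0]), float(pair[1])))
    return points


def is_valid_coords(xy) -> bool:
    """Convenience predicate for tests and request validation."""
    try:
        normalize_coords(xy)
        return True
    except (TypeError, ValueError):
        return False


def _version_tuple(version: str) -> Tuple[int, int, int]:
    # Leading digits only per component; pre-release suffixes (rc1, etc.) are ignored.
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def is_affected_version(version: str) -> bool:
    """True for the range stated in the advisory: >= 11.2.1 and < 12.2.0."""
    v = _version_tuple(version)
    return (11, 2, 1) <= v < (12, 2, 0)


def installed_pillow_version():
    """Installed Pillow version string, or None if Pillow is not installed."""
    from importlib import metadata
    try:
        return metadata.version("pillow")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed inputs: a benign polygon and a nested list that must be refused.
    good = [(0, 0), (10, 0), (10, 10)]
    nested = [[(0, 0), (10, 0), (10, 10)]]
    print("good ->", normalize_coords(good))
    print("nested accepted?", is_valid_coords(nested))
    ver = installed_pillow_version()
    print("Pillow:", ver, "affected:", is_affected_version(ver) if ver else "n/a")
```

Call normalize_coords on every externally supplied coordinate list and pass only its return value to polygon, line, or ImagePath.Path; keep the is_affected_version check in a deployment or CI step so a vendored or pinned Pillow in the vulnerable range is flagged even after application code has been hardened.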

Evidence notes

Based on the official CVE description and NVD record for CVE-2026-42309, plus the linked GitHub release and security advisory. The published CVE date used here is 2026-05-09T06:16:10.073Z. The source corpus states the affected range as Pillow from 11.2.1 up to, but not including, 12.2.0, and the fix as 12.2.0.

Official resources

Officially published on 2026-05-09. The source corpus links the remediation to Pillow 12.2.0 and the corresponding GitHub advisory/release. No KEV listing is present in the supplied data.