PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42310 Unknown Vendor CVE debrief

CVE-2026-42310 affects Pillow, the Python imaging library, in versions 4.2.0 up to but not including 12.2.0. According to the NVD record and the linked GitHub advisory materials, an attacker can supply a malicious PDF that causes the process to hang indefinitely and consume 100% CPU, leaving the application unresponsive. The issue is classified as CWE-835 (loop with unreachable exit condition) and was fixed in Pillow 12.2.0.

Vendor: Unknown Vendor
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Teams that use Pillow to open or convert PDFs, especially internet-facing services, document ingestion pipelines, preview generators, and batch jobs that process untrusted files.

Technical summary

The vulnerable code path can be driven into non-terminating behavior by a crafted PDF, resulting in a denial of service through CPU exhaustion. The supplied sources give no root-cause detail beyond the hang/infinite-loop behavior, so defensive attention should focus on version management, input controls, and runtime limits: a process that never returns is only dangerous if nothing bounds how long it may run.

Defensive priority

Medium; raise to high if untrusted PDFs are accepted from users or external sources.

Recommended defensive actions

  • Upgrade Pillow to 12.2.0 or later.
  • Inventory applications and containers that use Pillow for PDF handling and confirm the fixed version is deployed.
  • If immediate upgrade is not possible, restrict or disable PDF ingestion from untrusted sources.
  • Add execution timeouts, worker restarts, and resource limits for file-processing jobs to reduce the impact of hangs.
  • Monitor for sustained CPU spikes or stuck workers in services that process PDFs.
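The version gate and the bounded worker from the list above, as an added example (not code from the page or from the Pillow project). It assumes a POSIX host for the hard CPU cap; the busy-loop `spin_forever` is a constructed stand-in for a job that hangs on a crafted file, and a real PDF-processing callable would be passed in its place.

```python
import multiprocessing as mp
import resource  # POSIX only; provides the hard CPU-time cap in the child

FIRST_AFFECTED = (4, 2, 0)   # affected range from the advisory
FIXED = (12, 2, 0)           # first fixed release per the advisory


def parse_version(text):
    """Turn '11.0.0' or '9.5' into a 3-tuple; non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(installed_version):
    """True when the installed Pillow falls inside the advisory's range."""
    return FIRST_AFFECTED <= parse_version(installed_version) < FIXED


def _guarded(target, args, cpu_seconds):
    # Runs in the child: a CPU rlimit kills a spinning loop via SIGXCPU even if
    # the parent is itself wedged and never gets to terminate() us.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    target(*args)


def run_with_limits(target, args=(), wall_seconds=5, cpu_seconds=5):
    """Run target in a disposable worker; returns 'ok', 'timeout' or 'killed'."""
    proc = mp.Process(target=_guarded, args=(target, args, cpu_seconds))
    proc.start()
    proc.join(wall_seconds)           # wall-clock bound for the whole job
    if proc.is_alive():
        proc.terminate()              # worker restart: the hung process is dropped
        proc.join()
        return "timeout"
    return "ok" if proc.exitcode == 0 else "killed"


def spin_forever():
    # Constructed stand-in for the CWE-835 behaviour: never returns, burns CPU.
    while True:
        pass


def quick_job():
    return None


if __name__ == "__main__":
    print("11.0.0 affected:", is_affected("11.0.0"))
    print("hung job outcome:", run_with_limits(spin_forever, wall_seconds=3, cpu_seconds=1))
```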

Evidence notes

Claims are based only on the supplied NVD record and GitHub-linked project references. The advisory states the affected range is 4.2.0 to before 12.2.0 and that the fix ships in 12.2.0. The record identifies CWE-835 and describes indefinite hang/100% CPU behavior. No exploit details or additional root-cause analysis were used.

Official resources

Publicly disclosed via the NVD entry and GitHub security-advisory materials on 2026-05-09. The supplied sources do not indicate a separate embargo date.