PatchSiren cyber security CVE debrief
CVE-2026-42311 Unknown Vendor CVE debrief
CVE-2026-42311 affects Pillow, a Python imaging library, when it processes malicious PSD files. According to the advisory and NVD record, versions from 10.3.0 up to, but not including, 12.2.0 are vulnerable to memory corruption, which can result in a crash or arbitrary code execution. The issue is patched in Pillow 12.2.0.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Teams that use Pillow to load, transform, validate, or thumbnail untrusted image files—especially PSD content—should treat this as high priority. This includes application developers, platform teams, CI/image-processing pipelines, and security teams that ingest user-supplied media.
Technical summary
The vulnerability is a memory-corruption flaw triggered during PSD file processing in Pillow versions from 10.3.0 up to, but not including, 12.2.0. The supplied GitHub advisory metadata maps the issue to CWE-190 (Integer Overflow or Wraparound) and CWE-787 (Out-of-bounds Write), and NVD rates it HIGH with a CVSS 4.0 score of 8.6. The official fix is available in Pillow 12.2.0.
Defensive priority
High. Memory corruption in an image parser can expose systems that handle untrusted files to crashes and, in the worst case, arbitrary code execution.
Recommended defensive actions
- Upgrade Pillow to version 12.2.0 or later wherever it is used.
- Inventory services, jobs, and libraries that accept or process PSD files through Pillow.
- Treat untrusted PSD uploads as high risk until patched; consider temporary input restrictions or validation controls.
- Rebuild and redeploy any containers, wheels, or lockfiles that pin a vulnerable Pillow release.
- Add regression tests that cover PSD handling paths after the upgrade.
- Monitor downstream dependencies that vendor or bundle Pillow to ensure they also receive the fix.
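As an added example (not code from the advisory or the Pillow project), the following Python gate implements two of the actions above: it checks whether an installed Pillow release falls inside the stated range 10.3.0 <= version < 12.2.0, and, while it does, refuses uploads that carry the PSD file signature before they reach the parser. The version parsing, the `accept_upload` policy and the sample headers are assumptions for illustration.

```python
from typing import Tuple

# Affected range from the advisory: 10.3.0 <= version < 12.2.0 (fixed in 12.2.0).
AFFECTED_MIN = (10, 3, 0)
FIXED_IN = (12, 2, 0)

# Every PSD file starts with the four-byte ASCII signature "8BPS".
PSD_SIGNATURE = b"8BPS"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce a release string such as '11.0.0' or '12.2.0.post1' to (major, minor, patch).

    Assumption: only the leading numeric components matter; pre-release and
    post-release suffixes are ignored and a missing component counts as 0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the given Pillow release lies inside the advisory's vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def looks_like_psd(data: bytes) -> bool:
    """Magic-byte check so PSD content can be quarantined before it reaches the parser."""
    return data[:4] == PSD_SIGNATURE


def accept_upload(data: bytes, pillow_version: str) -> bool:
    """Temporary policy (assumed): while the installed Pillow is vulnerable, refuse PSD uploads."""
    return not (is_affected(pillow_version) and looks_like_psd(data))
```

In a deployment the version string would come from `PIL.__version__` on the host; once that reports 12.2.0 or later the PSD restriction lifts automatically.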
Evidence notes
The CVE description states that Pillow versions from 10.3.0 up to, but not including, 12.2.0 can suffer memory corruption when processing a malicious PSD file, with a potential crash or arbitrary code execution, and that 12.2.0 contains the patch. NVD provides a HIGH 8.6 CVSS 4.0 score and references the GitHub commit, pull request, release tag, and security advisory.
Official resources
CVE-2026-42311 was published and last modified on 2026-05-09 according to the supplied NVD record. The vulnerability is described in the linked GitHub security advisory and associated release materials for Pillow 12.2.0.