CVE-2026-40192

CVE Database · CVE-2026-40192

CVE-2026-40192

· HIGHAnalyzed

CVSS v3.1

7.5

CVSS v4.0

8.7

EPSS

0.48%

Published

Apr 15, 2026

Modified

Apr 22, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-400CWE-770

Affected Products (1)

python · pillow (up to 12.2.0)vulnerable

References (4)

https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628

Patch

https://github.com/python-pillow/Pillow/pull/9521

Issue TrackingPatch

https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j

MitigationPatchVendor Advisory

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb

Release Notes

KEV Catalog EPSS Scores Vendors All CVEs