CVE-2026-59203

NameCVE-2026-59203
DescriptionPillow is a Python imaging library. From 12.0.0 through 12.2.0, Pillow's EPS parser in PIL/EpsImagePlugin.py accepts a negative byte count in the %%BeginBinary directive, allowing a crafted EPS file to cause Image.open() to seek backwards to the same directive and parse it repeatedly in an infinite loop. This issue is fixed in version 12.3.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pillow (PTS)bullseye8.1.2+dfsg-0.3+deb11u2fixed
bullseye (security)8.1.2+dfsg-0.3+deb11u3fixed
bookworm, bookworm (security)9.4.0-1.1+deb12u1fixed
trixie11.1.0-5+deb13u4fixed
trixie (security)11.1.0-5+deb13u3fixed
forky, sid12.2.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pillowsourcebullseye(not affected)
pillowsourcebookworm(not affected)
pillowsourcetrixie(not affected)
pillowsource(unstable)(unfixed)

Notes

[trixie] - pillow <not-affected> (Vulnerable code not present)
[bookworm] - pillow <not-affected> (BeginBinary support introduced in v12.0.0)
[bullseye] - pillow <not-affected> (BeginBinary support introduced in v12.0.0)
https://github.com/python-pillow/Pillow/security/advisories/GHSA-pg7v-jwj7-p798
https://github.com/python-pillow/Pillow/pull/9708
Fixed by: https://github.com/python-pillow/Pillow/commit/03992618118b4a76b6163cd72ab5ecd684133b83 (12.3.0)
Introduced by: https://github.com/python-pillow/Pillow/commit/03992618118b4a76b6163cd72ab5ecd684133b83 (12.0.0)

Search for package or bug name: Reporting problems