CVE-2026-40192

ADVISORY - github

Summary

Impact

Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).

Patches

The amount of data read is now limited to the necessary amount. Fixed in Pillow 12.2.0 (PR #9521).

Workarounds

Avoid Pillow >= 10.3.0, < 12.2.0 Only open specific image formats, excluding FITS.

EPSS Score: 0.00671 (0.476)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Uncontrolled Resource Consumption

Allocation of Resources Without Limits or Throttling

ADVISORY - github

Uncontrolled Resource Consumption

Allocation of Resources Without Limits or Throttling

ADVISORY - redhat

Improper Handling of Highly Compressed Data (Data Amplification)


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in