CVE-2026-25990

7.5 HIGH

📋 TL;DR

Pillow versions 10.3.0 through 12.1.0 contain an out-of-bounds write vulnerability when processing specially crafted PSD image files. This could allow attackers to execute arbitrary code or crash applications. Any Python application using Pillow to process untrusted PSD files is affected.

💻 Affected Systems

Products:
  • Python Pillow (PIL Fork)
Versions: 10.3.0 to 12.1.0 inclusive
Operating Systems: All platforms where Pillow is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PSD image format processing. Other image formats are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the vulnerable application runs with sufficient privileges.

🟠 Likely Case: Application crash (denial of service) or memory corruption leading to potential information disclosure.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing prevent malicious PSD files from reaching vulnerable code.

🌐 Internet-Facing: HIGH if application accepts PSD uploads from untrusted sources without proper validation.
🏢 Internal Only: MEDIUM if internal users can upload PSD files, LOW if PSD processing is limited to trusted sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to supply a malicious PSD file to the vulnerable application. No authentication bypass is needed if the application accepts file uploads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.1

Vendor Advisory: https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc

Restart Required: No

Instructions:

1. Update Pillow using pip: 'pip install --upgrade pillow==12.1.1'
2. Verify the installation with 'pip show pillow'
3. Restart any running Python applications that use Pillow

🔧 Temporary Workarounds

  • Disable PSD processing (all): Configure the application to reject PSD files or use alternative image formats
  • Input validation (all): Implement strict file type validation and size limits for uploaded images

🧯 If You Can't Patch

  • Implement strict file upload validation to reject PSD files
  • Run vulnerable applications in sandboxed/containerized environments with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check Pillow version with 'pip show pillow' or 'python -c "import PIL; print(PIL.__version__)"'

Check Version:

python -c "import PIL; print(PIL.__version__)"

Verify Fix Applied:

Confirm version is 12.1.1 or higher using version check command
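An added example (not from the advisory or the Pillow project) that combines the version check above with the "reject PSD files" workaround: it sniffs the PSD signature instead of trusting the file extension, and blocks PSD input only while the installed Pillow version is inside the affected range. The sample header bytes and the accept_upload helper are constructed for illustration.

```python
from __future__ import annotations

import re
from importlib.metadata import PackageNotFoundError, version as pkg_version

# Affected range as stated in the advisory (both bounds inclusive); fix is 12.1.1.
AFFECTED_MIN = (10, 3, 0)
AFFECTED_MAX = (12, 1, 0)

# Every PSD/PSB file starts with the ASCII signature "8BPS". Pillow's PSD plugin
# selects itself on this prefix, so a file renamed to .png that begins with 8BPS
# still reaches the PSD decoder: filter on content, not on the extension.
PSD_MAGIC = b"8BPS"

# Constructed sample headers (not real files): a PSD prefix and a PNG signature.
SAMPLE_PSD_HEADER = b"8BPS\x00\x01" + b"\x00" * 20
SAMPLE_PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from strings like '12.1.1' or '11.0.0.post1'."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text: str) -> bool:
    """True when the given Pillow version lies in 10.3.0 .. 12.1.0 inclusive."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def installed_pillow_version() -> str | None:
    """Installed Pillow distribution version, or None if Pillow is not installed."""
    try:
        return pkg_version("pillow")
    except PackageNotFoundError:
        return None


def looks_like_psd(data: bytes) -> bool:
    return data[:4] == PSD_MAGIC


def accept_upload(data: bytes, pillow_version: str, max_bytes: int = 8 * 1024 * 1024) -> tuple[bool, str]:
    """Gate an upload before Image.open(): enforce a size limit and, while the
    installed Pillow is in the affected range, refuse anything that is a PSD by content."""
    if len(data) > max_bytes:
        return False, "rejected: exceeds size limit"
    if looks_like_psd(data) and is_affected(pillow_version):
        return False, f"rejected: PSD input and Pillow {pillow_version} is affected (fix in 12.1.1)"
    return True, "accepted"
```

Where Pillow itself is available, the same restriction can be applied at the decoder level with Image.open(fp, formats=[...]) using an allow-list that omits "PSD".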

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PSD files
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual PSD file uploads to web applications
  • Multiple failed PSD processing attempts

SIEM Query:

source="application.log" AND ("segmentation fault" OR "memory error" OR "PSD")

🔗 References