CVE-2026-54060 in Pillowinfo

Summary

by MITRE • 07/06/2026

Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new("1", (xsize, ysize)) without calling Image._decompression_bomb_check(), allowing a font to trigger excessive allocation during conversion or saving. This issue is fixed in version 12.3.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

The vulnerability in Pillow's FontFile.compile() function represents a critical memory exhaustion flaw that could enable denial of service attacks through crafted font files. This issue affected versions prior to 12.3.0 where the library failed to implement proper decompression bomb protection mechanisms when processing font data. The core technical flaw occurs within the PIL/FontFile.py module where glyph images are assembled into a combined bitmap using Image.new("1", (xsize, ysize)) without invoking Image._decompression_bomb_check() to validate the memory allocation requirements. This oversight allows malicious actors to craft font files that appear benign but contain excessive glyph data which when processed causes the library to allocate enormous amounts of memory during the bitmap assembly process.

The operational impact of this vulnerability extends beyond simple resource exhaustion as it can be exploited to cause application crashes, system instability, or even complete service disruption in applications that rely on Pillow for image processing. When a font file triggers this condition, the lack of decompression bomb checking means that the system attempts to allocate memory proportional to the combined dimensions of all glyphs, potentially leading to out-of-memory conditions that can crash the entire application or system. This vulnerability particularly affects web applications, content management systems, and any software that accepts user-uploaded font files or processes third-party font data without proper validation.

The fix implemented in version 12.3.0 addresses this by incorporating proper decompression bomb checking mechanisms into the FontFile.compile() function, ensuring that memory allocations are validated against safe limits before proceeding with bitmap assembly operations. This remediation aligns with established cybersecurity practices and follows the principle of least privilege by preventing unbounded memory growth during image processing operations. From a threat modeling perspective, this vulnerability maps to CWE-400 which describes unrestricted resource consumption, and could be categorized under ATT&CK technique T1499.1 for resource exhaustion attacks. The mitigation strategy should include immediate upgrade to Pillow 12.3.0 or later versions, alongside implementing additional input validation measures for font files in production environments. Organizations should also consider implementing memory limits and monitoring for applications that process untrusted font data to prevent potential exploitation of similar vulnerabilities in other image processing libraries or components within their attack surface.

Responsible

GitHub M

Reservation

06/11/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!