CVE-2026-59200 in Pillowinfo

Summary

by MITRE • 07/14/2026

Pillow is a Python imaging library. From 5.1.0 until 12.3.0, PdfParser.PdfStream.decode() in PIL/PdfParser.py calls zlib.decompress() with bufsize set to the PDF stream Length field without bounding the decompressed output size, allowing a crafted FlateDecode PDF stream to exhaust memory from a small file. This issue is fixed in version 12.3.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability exists within the Pillow Python imaging library, specifically in the PdfParser module where the PdfStream.decode() method processes PDF streams using zlib.decompress() function. This flaw affects versions ranging from 5.1.0 through 12.2.0, creating a significant memory exhaustion risk that can be exploited through crafted PDF files. The vulnerability stems from the improper handling of the decompression buffer size parameter, where the bufsize argument is directly derived from the PDF stream's Length field without adequate bounds checking or validation.

The technical implementation flaw occurs when the PdfParser.PdfStream.decode() method processes FlateDecode PDF streams by passing the raw stream length value as the bufsize parameter to zlib.decompress(). This approach allows an attacker to craft a malicious PDF stream with an extremely large Length field while maintaining a small actual compressed data size. The decompression process then attempts to allocate memory proportional to the inflated size specified in the Length field, potentially consuming all available system memory or causing application crashes through out-of-memory conditions.

This vulnerability represents a classic case of insufficient input validation and resource management, falling under CWE-131 (Incorrect Calculation of Buffer Size) and CWE-400 (Uncontrolled Resource Consumption). The operational impact is severe as it enables denial-of-service attacks against applications that process untrusted PDF files through Pillow, particularly affecting web applications, document processing systems, and any software integrating the library for PDF handling. Attackers can exploit this by creating specially crafted PDF files that trigger massive memory allocation requests, leading to system instability, application termination, or complete system resource exhaustion.

The fix implemented in version 12.3.0 addresses this issue by introducing proper bounds checking on the decompressed output size before passing it to zlib.decompress(). This mitigation aligns with defensive programming principles and aligns with ATT&CK technique T1499.004 (Endpoint Denial of Service) by preventing resource exhaustion attacks. Organizations should immediately upgrade to Pillow version 12.3.0 or later to remediate this vulnerability, while also implementing additional security measures such as input validation, resource monitoring, and sandboxing for PDF processing components. The vulnerability demonstrates the critical importance of proper buffer size management in decompression operations and highlights the need for robust input validation in file format parsers.

This issue exemplifies how seemingly benign library functions can become attack vectors when proper resource boundaries are not enforced. The flaw exists at the intersection of compression algorithm implementation, file format parsing, and memory management practices. Security practitioners should consider this vulnerability as part of broader PDF processing security assessments and implement monitoring for unusual memory consumption patterns during document processing operations. The mitigation approach used in the fix provides a model for similar vulnerabilities in other decompression or parsing libraries where buffer size parameters are derived from untrusted sources without proper validation checks.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!