Vulnerability-Lookup

GHSA-R73J-PQJ5-W3X7

Vulnerability from github – Published: 2026-05-04 20:19 – Updated: 2026-05-13 13:41

Summary

Pillow has a PDF Parsing Trailer Infinite Loop (DoS)

Details

Impact

An attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive.

Patches

Patched version: 12.2.0.

PdfParser (introduced in Pillow 4.2.0) follows Prev pointers in PDF trailers to read cross-reference sections. If a trailer's Prev pointer references an offset that has already been processed — either pointing to itself or forming a longer cycle — the parser enters an infinite loop. Pillow now tracks previously processed trailer offsets and raises an error if a cycle is detected.

Workarounds

Use any version but the affected versions: >= 4.2.0, < 12.2.0

Resources

Fix: https://github.com/python-pillow/Pillow/pull/9519

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

5.1 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pillow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "12.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:19:30Z",
    "nvd_published_at": "2026-05-09T06:16:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive.\n\n### Patches\nPatched version: 12.2.0.\n\nPdfParser (introduced in Pillow 4.2.0) follows Prev pointers in PDF trailers to read cross-reference sections. If a\ntrailer\u0027s Prev pointer references an offset that has already been processed \u2014 either pointing to itself or forming a\nlonger cycle \u2014 the parser enters an infinite loop. Pillow now tracks previously processed trailer offsets and raises an\nerror if a cycle is detected.\n\n### Workarounds\nUse any version but the affected versions: \u003e= 4.2.0, \u003c 12.2.0\n\n### Resources\n - Fix: https://github.com/python-pillow/Pillow/pull/9519",
  "id": "GHSA-r73j-pqj5-w3x7",
  "modified": "2026-05-13T13:41:22Z",
  "published": "2026-05-04T20:19:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/pull/9519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-pillow/Pillow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pillow has a PDF Parsing Trailer Infinite Loop (DoS)"
}

CVE-2026-42310 (GCVE-0-2026-42310)

Vulnerability from cvelistv5 – Published: 2026-05-09 04:10 – Updated: 2026-05-12 18:31

Title

Pillow: PDF Parsing Trailer Infinite Loop (DoS)

Summary

Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/python-pillow/Pillow/security/…	x_refsource_CONFIRM
https://github.com/python-pillow/Pillow/pull/9519	x_refsource_MISC
https://github.com/python-pillow/Pillow/commit/3b…	x_refsource_MISC
https://github.com/python-pillow/Pillow/releases/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
python-pillow	Pillow	Affected: >= 4.2.0, < 12.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42310",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T13:33:37.176930Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T18:31:10.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Pillow",
          "vendor": "python-pillow",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 12.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T04:10:48.395Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7"
        },
        {
          "name": "https://github.com/python-pillow/Pillow/pull/9519",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-pillow/Pillow/pull/9519"
        },
        {
          "name": "https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468"
        },
        {
          "name": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-pillow/Pillow/releases/tag/12.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-r73j-pqj5-w3x7",
        "discovery": "UNKNOWN"
      },
      "title": "Pillow: PDF Parsing Trailer Infinite Loop (DoS)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42310",
    "datePublished": "2026-05-09T04:10:48.395Z",
    "dateReserved": "2026-04-26T12:37:18.169Z",
    "dateUpdated": "2026-05-12T18:31:10.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted