CVE-2026-40192

Publication date 17 April 2026

Last updated 23 April 2026

Ubuntu priority

Description

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
pillow	25.10 questing	Needs evaluation
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected
pillow-python2	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not affected

Notes

mdeslaur

Introduced in 10.3.0 with: https://github.com/python-pillow/Pillow/commit/142473c7b43a72b5dba534a26cb614b5b207ada5

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
pillow	Upstream: 3cb854e

CVE-2026-40192

Description

Status

Notes

mdeslaur

Patch details

References

Other references

Access our resources on patching vulnerabilities