CVE-2026-59205
Publication date 14 July 2026
Last updated 16 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.apply(im, imOut) API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's declared output mode. This issue is fixed in version 12.3.0.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pillow | 26.04 LTS resolute |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| pillow-python2 | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-59205
- https://github.com/python-pillow/Pillow/security/advisories/GHSA-9hw9-ch79-4vh6
- https://github.com/python-pillow/Pillow/pull/9715
- https://github.com/python-pillow/Pillow/commit/a9ffc42bedf4fc0a7ef8d6486e7f9e81e3397721
- https://github.com/python-pillow/Pillow/releases/tag/12.3.0