CVE-2026-40192: FITS GZIP decompression bomb in Pillow
Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).
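The general mitigation for this class of bug is to decompress incrementally with a hard cap on the number of output bytes, so memory stays proportional to the cap rather than to whatever the compressed stream expands to. The example below is an added illustration of that technique, not Pillow's own code and not the fix from the linked commit or pull request; the function names, the limit value, and the constructed FITS-style header card are all assumptions made here for demonstration.

```python
import gzip
import zlib


class DecompressionBombError(ValueError):
    """Raised when the decompressed output would exceed the configured limit."""


def read_gzip_bounded(data: bytes, max_output: int, chunk_size: int = 64 * 1024) -> bytes:
    """Decompress a GZIP stream, refusing to produce more than max_output bytes.

    The decompressor is driven in small input chunks and each call is given an
    output budget (max_length), so the buffer never grows beyond max_output + 1
    bytes no matter how large the stream expands to.  Hypothetical helper; the
    limit is a caller-chosen policy, not a value taken from Pillow.
    """
    # wbits = MAX_WBITS | 16 tells zlib to expect a gzip header and trailer.
    decompressor = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)
    out = bytearray()
    pos = 0
    pending = b""
    while True:
        if not pending:
            if pos >= len(data):
                break
            pending = data[pos:pos + chunk_size]
            pos += chunk_size
        # One byte of headroom lets us distinguish "exactly at the limit" from "over it".
        budget = max_output - len(out) + 1
        out += decompressor.decompress(pending, budget)
        if len(out) > max_output:
            raise DecompressionBombError(
                f"decompressed size exceeds the {max_output}-byte limit"
            )
        # Input that did not fit into the output budget is returned here for the next round.
        pending = decompressor.unconsumed_tail
        if decompressor.eof:
            break
    if not decompressor.eof:
        raise ValueError("truncated GZIP stream")
    return bytes(out)


def is_within_limit(data: bytes, max_output: int) -> bool:
    """True if the stream decompresses within max_output bytes, False if it would exceed it."""
    try:
        read_gzip_bounded(data, max_output)
    except DecompressionBombError:
        return False
    return True


# Constructed sample inputs (not real FITS files): one well-formed header card,
# and one highly compressible payload that expands far beyond a 1 MiB policy limit.
SAMPLE_HEADER = b"SIMPLE  =                    T".ljust(80)
SAMPLE_SMALL = gzip.compress(SAMPLE_HEADER)
SAMPLE_OVERSIZED = gzip.compress(b"\x00" * (4 * 1024 * 1024))
LIMIT = 1024 * 1024


if __name__ == "__main__":
    print("small payload accepted:", is_within_limit(SAMPLE_SMALL, LIMIT))
    print("oversized payload rejected:", not is_within_limit(SAMPLE_OVERSIZED, LIMIT))
```

Because the loop checks the running total after every call and hands leftover input back through `unconsumed_tail`, an attacker-controlled compression ratio cannot push allocation past the limit; a plain `gzip.decompress()` call, by contrast, has no such ceiling.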
References
- github.com/advisories/GHSA-whj4-6x5x-4v2j
- github.com/python-pillow/Pillow
- github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
- github.com/python-pillow/Pillow/pull/9521
- github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j
- nvd.nist.gov/vuln/detail/CVE-2026-40192
- pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html