CVE-2026-42308: Pillow has an integer overflow when processing fonts

May 4, 2026

If a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This has been fixed.

References

github.com/advisories/GHSA-wjx4-4jcj-g98j
github.com/python-pillow/Pillow
github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
nvd.nist.gov/vuln/detail/CVE-2026-42308

Code Behaviors & Features

Detect and mitigate CVE-2026-42308 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →