Pillow: FITS Image Decompression Bomb Can Crash Your Application
DEBIAN-CVE-2026-40192
Summary
Pillow versions 10.3.0 through 12.1.1 do not limit how much GZIP-compressed data they read when decoding a FITS image. A specially crafted FITS file can therefore make the decoder allocate memory without bound, so the process that opens it is killed by the out-of-memory handler or slows to a crawl (a decompression bomb). Update to a Pillow release outside the affected range; if you cannot upgrade immediately, open only an explicit allowlist of image formats that excludes FITS.
What to do
No fixed Debian package is available yet for the releases listed below; the affected-versions table tracks the Debian packages, not upstream Pillow, whose affected range is given in the original description. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:13 | debian | pillow | All versions |
| Debian:14 | debian | pillow | All versions |
Original title
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb att...
Original description
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
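The following is an added example, not code from Pillow, the Debian tracker or this advisory, written to show the bug class the description above names. It constructs a small GZIP stream that inflates to 8 MiB (a stand-in for the compressed payload inside a crafted FITS file, not a real FITS file), shows the unbounded read a vulnerable decoder performs, and a bounded decoder that fails closed once an output budget is exceeded. The names DecompressionBombError, unbounded_inflate, bounded_inflate and open_without_fits are this example's own; the byte budget and the format allowlist are assumptions to tune for your application. open_without_fits assumes Pillow is installed and relies on the formats argument of Image.open, which exists in the affected Pillow releases.

```python
import gzip
import zlib

# Constructed sample input: a GZIP stream that inflates to 8 MiB of zeros.
# It stands in for the GZIP-compressed payload of a crafted FITS file; it is
# not a real FITS file and not data taken from the advisory.
INFLATED_SIZE = 8 * 1024 * 1024
BOMB = gzip.compress(b"\x00" * INFLATED_SIZE, compresslevel=9)
# A benign constructed stream, to show the bounded path on honest input.
SMALL = gzip.compress(b"hello")


class DecompressionBombError(ValueError):
    """Raised when inflated output would exceed the caller's byte budget."""


def unbounded_inflate(data: bytes) -> int:
    """The vulnerable pattern: inflate whatever the stream contains.

    The output size is chosen by whoever built the stream, so a few kilobytes
    of input can turn into gigabytes of allocation. Returns the number of
    bytes that were materialised in memory.
    """
    return len(gzip.decompress(data))


def bounded_inflate(data: bytes, limit: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate at most `limit` bytes and fail closed once that budget is exceeded.

    wbits=16+MAX_WBITS makes zlib parse the GZIP wrapper; max_length caps the
    output of each call, and unconsumed_tail carries the not-yet-inflated
    input into the next call, so memory never grows past limit + chunk.
    Only the first GZIP member is inflated; trailing data is ignored.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while True:
        # Ask for one byte more than the remaining budget: an over-limit
        # stream is then detected instead of being silently truncated.
        want = min(chunk, limit + 1 - len(out))
        piece = d.decompress(pending, want)
        out += piece
        if len(out) > limit:
            raise DecompressionBombError(
                f"inflated output exceeds {limit} bytes; refusing to continue"
            )
        if d.eof:
            break
        pending = d.unconsumed_tail
        if not piece and not pending:
            # No output, no input left and no end-of-stream marker seen.
            raise ValueError("truncated GZIP stream")
    return bytes(out)


def open_without_fits(path, allowed=("PNG", "JPEG", "GIF", "WEBP")):
    """The advisory's workaround for an unpatched Pillow: an explicit allowlist.

    Assumes Pillow is installed (imported lazily so the functions above run
    without it). The formats argument restricts which plugins Image.open
    tries, so a FITS file is never handed to the FITS decoder. The allowlist
    here is an assumption; list the formats your application actually needs.
    """
    from PIL import Image

    return Image.open(path, formats=list(allowed))
```

With the allowlist in place, a FITS file is not recognised by any of the listed plugins and Image.open raises PIL.UnidentifiedImageError before any decompression happens, which is the behaviour you want while waiting for a fixed package. The bounded decoder is the general shape of the upstream fix: the budget, not the attacker's stream, decides how much memory the decode may consume.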
- https://security-tracker.debian.org/tracker/CVE-2026-40192 Vendor Advisory
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026