<Vulnerability name="CVE-2026-54059">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-06T18:46:09</PublicDate>
    <Bugzilla id="2497464" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497464" xml:lang="en:us">
python-pillow: Pillow: Denial of Service via crafted PCF font data
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-409</CWE>
    <Details xml:lang="en:us" source="Mitre">
Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Pillow, a Python imaging library. A remote attacker could exploit this vulnerability by providing specially crafted PCF font data. This data, when processed, can lead to excessive memory allocation because the library does not properly check for decompression bombs. The primary consequence is a Denial of Service (DoS), which could make the affected system or application unavailable.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in the Python Pillow library. The PcfFontFile._load_bitmaps() method reads glyph dimensions from the PCF METRICS section and passes them directly to Image.frombytes() without calling Image._decompression_bomb_check(). This allows crafted PCF font data to cause excessive memory allocation, leading to a denial of service condition. An attacker could exploit this by providing a specially crafted PCF font file to an application that uses Pillow's font loading functionality.
    </Statement>
    <Mitigation xml:lang="en:us">
Do not load PCF fonts from untrusted sources. If PCF font loading is required, validate font file dimensions before passing them to Pillow, or upgrade to Pillow 12.3.0 or later which includes the fix for this vulnerability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <ReleaseDate>2026-07-14T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39127">RHSA-2026:39127</Advisory>
        <Package name="python-pillow">python-pillow-0:5.1.1-22.el8_10</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>python-pillow</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python-pillow</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python-pillow</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>satellite:el8/python-pillow</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-54059
https://nvd.nist.gov/vuln/detail/CVE-2026-54059
https://github.com/python-pillow/Pillow/blob/main/docs/releasenotes/12.3.0.rst
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
https://github.com/python-pillow/Pillow/security/advisories/GHSA-8v84-f9pq-wr9x
    </References>
</Vulnerability>