{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-25990","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-02-09T17:41:55.858Z","datePublished":"2026-02-11T20:53:52.524Z","dateUpdated":"2026-07-01T12:04:54.033Z"},"containers":{"cna":{"title":"Pillow has an out-of-bounds write when loading PSD images","problemTypes":[{"descriptions":[{"cweId":"CWE-787","lang":"en","description":"CWE-787: Out-of-bounds Write","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc","tags":["x_refsource_CONFIRM"],"url":"https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc"},{"name":"https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa","tags":["x_refsource_MISC"],"url":"https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa"}],"affected":[{"vendor":"python-pillow","product":"Pillow","versions":[{"version":">= 10.3.0, < 12.1.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-04-30T20:15:07.397Z"},"descriptions":[{"lang":"en","value":"Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1."}],"source":{"advisory":"GHSA-cfh3-3jmp-rvhc","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-11T21:21:01.646207Z","id":"CVE-2026-25990","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-11T21:30:18.982Z"}},{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/02/12/1"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-02-12T04:45:38.394Z"}},{"affected":[{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el8","cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8","cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6.16::el8","cpe:/a:redhat:satellite_capsule:6.16::el8","cpe:/a:redhat:satellite_utils:6.16::el8"],"defaultStatus":"affected","product":"Red Hat Satellite 6.16 for RHEL 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el9","cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9","cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9","cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9","cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6.16::el9","cpe:/a:redhat:satellite_capsule:6.16::el9","cpe:/a:redhat:satellite_utils:6.16::el9"],"defaultStatus":"affected","product":"Red Hat Satellite 6.16 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6.17::el9","cpe:/a:redhat:satellite_capsule:6.17::el9","cpe:/a:redhat:satellite_utils:6.17::el9"],"defaultStatus":"affected","product":"Red Hat Satellite 6.17 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6.18::el9","cpe:/a:redhat:satellite_capsule:6.18::el9","cpe:/a:redhat:satellite_maintenance:6.18::el9","cpe:/a:redhat:satellite_utils:6.18::el9"],"defaultStatus":"affected","product":"Red Hat Satellite 6.18 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3.2::el9"],"defaultStatus":"affected","product":"Red Hat AI Inference Server 3.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3.3::el9"],"defaultStatus":"affected","product":"Red Hat AI Inference Server 3.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.5::el8"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:3.3::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 3.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.10::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.12::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.12","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.15::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.15","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.16::el9"],"defaultStatus":"affected","product":"Red Hat Quay 3.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quay:3.9::el8"],"defaultStatus":"affected","product":"Red Hat Quay 3.9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"affected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el10","cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10"],"defaultStatus":"unaffected","product":"Red Hat Ansible Automation Platform 2.6 for RHEL 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"}],"datePublic":"2026-02-11T20:53:52.524Z","descriptions":[{"lang":"en","value":"A flaw was found the Pillow Python imaging library. Providing a specially crafted PSD image  may lead to an out-of-bounds write. This could potentially allow for arbitrary code execution or information disclosure."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"Out-of-bounds Write","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-25990"},{"name":"RHBZ#2439170","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439170"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25990.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6278"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14874"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6277"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14873"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28385"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:4128"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3461"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3462"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:16174"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6308"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6309"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5665"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:4942"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6568"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6497"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:6567"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5168"}],"solutions":[{"lang":"en","value":"RHSA-2026:6278: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"},{"lang":"en","value":"RHSA-2026:14874: Red Hat Satellite 6.16 for RHEL 8, Red Hat Satellite 6.16 for RHEL 9"},{"lang":"en","value":"RHSA-2026:6277: Red Hat Ansible Automation Platform 2.6 for RHEL 9"},{"lang":"en","value":"RHSA-2026:14873: Red Hat Satellite 6.17 for RHEL 9"},{"lang":"en","value":"RHSA-2026:28385: Red Hat Satellite 6.18 for RHEL 9"},{"lang":"en","value":"RHSA-2026:4128: Red Hat AI Inference Server 3.2"},{"lang":"en","value":"RHSA-2026:3461: Red Hat AI Inference Server 3.2"},{"lang":"en","value":"RHSA-2026:3462: Red Hat AI Inference Server 3.2"},{"lang":"en","value":"RHSA-2026:16174: Red Hat AI Inference Server 3.3"},{"lang":"en","value":"RHSA-2026:6308: Red Hat Ansible Automation Platform 2.5"},{"lang":"en","value":"RHSA-2026:6309: Red Hat Ansible Automation Platform 2.6"},{"lang":"en","value":"RHSA-2026:10184: Red Hat OpenShift AI 2.25"},{"lang":"en","value":"RHSA-2026:19712: Red Hat OpenShift AI 3.3"},{"lang":"en","value":"RHSA-2026:5665: Red Hat Quay 3.10"},{"lang":"en","value":"RHSA-2026:4942: Red Hat Quay 3.12"},{"lang":"en","value":"RHSA-2026:6568: Red Hat Quay 3.15"},{"lang":"en","value":"RHSA-2026:6497: Red Hat Quay 3.16"},{"lang":"en","value":"RHSA-2026:6567: Red Hat Quay 3.16"},{"lang":"en","value":"RHSA-2026:5168: Red Hat Quay 3.9"}],"timeline":[{"lang":"en","time":"2026-02-11T21:05:39.535Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-11T20:53:52.524Z","value":"Made public."}],"title":"pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-01T12:04:54.033Z"}}]}}