CVE-2026-25990
Publication date 13 February 2026
Last updated 13 February 2026
Ubuntu priority
Description
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pillow | 25.10 questing | Vulnerable |
| pillow | 24.04 LTS noble | Not affected |
| pillow | 22.04 LTS jammy | Not affected |
| pillow | 20.04 LTS focal | Not affected |
| pillow | 18.04 LTS bionic | Not affected |
| pillow | 16.04 LTS xenial | Not affected |
| pillow | 14.04 LTS trusty | Not affected |
| pillow-python2 | 25.10 questing | Not in release |
| pillow-python2 | 24.04 LTS noble | Not in release |
| pillow-python2 | 22.04 LTS jammy | Not in release |
| pillow-python2 | 20.04 LTS focal | Not affected |
Notes
mdeslaur
Appears to have been introduced by the fix for
https://github.com/python-pillow/Pillow/pull/7706
https://github.com/python-pillow/Pillow/commit/c2907dc04967109391a77eea00f7d583a0a0395f
The fix was introduced in 10.3.0, which is why the CVE description says that it is the first affected version, although the code the commit below applies to exists in previous versions. Prior to 10.3.0, PSD layer coordinates could not be negative.