EXECUTIVE SUMMARY:
CVE-2026-25990 is a high severity vulnerability in the Python Pillow library: processing a specially crafted PSD image triggers an out-of-bounds write, potentially leading to memory corruption or a crash. The issue affects Pillow versions ≥ 10.3.0 and < 12.1.1; users of these versions are at risk whenever untrusted PSD images are opened. The flaw has been assigned a CVSS severity of high 8.9, reflecting significant potential impact on confidentiality, integrity, and availability. Because the vulnerability can be exploited in a network context with low attack complexity and requires minimal privileges or interaction, it is a serious concern for applications that automatically handle image inputs. Developers leveraging Pillow for image parsing should be aware that its PSD support is unsafe in the affected range.
RECOMMENDATION:
We strongly recommend you update Pillow to version 12.1.1.
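For applications that accept untrusted images and cannot upgrade immediately, the following Python example (added here; not part of this advisory or of the Pillow project) refuses PSD input whenever the installed Pillow falls inside the affected range stated above. The version comparison is a plain tuple compare assumed to be sufficient for release versions, and the sample headers are constructed for illustration.

```python
"""Defensive gate for CVE-2026-25990: block PSD input while the installed
Pillow is in the affected range (>= 10.3.0, < 12.1.1)."""
from __future__ import annotations

AFFECTED_MIN = (10, 3, 0)   # first affected release (inclusive)
FIXED = (12, 1, 1)          # first fixed release (exclusive upper bound)
PSD_MAGIC = b"8BPS"         # signature at offset 0 of PSD/PSB files


def parse_version(text: str) -> tuple[int, int, int]:
    """Reduce 'X.Y.Z[suffix]' to (X, Y, Z); pre-release tags are dropped,
    so '12.1.1rc1' compares as 12.1.1. Assumption: release-style strings."""
    core = text.split("+")[0]
    parts: list[int] = []
    for piece in core.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(pillow_version: str) -> bool:
    """True when the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(pillow_version) < FIXED


def is_psd(data: bytes) -> bool:
    """Cheap magic-byte check; Pillow's PSD plugin keys on the same prefix."""
    return data[:4] == PSD_MAGIC


def should_reject(data: bytes, pillow_version: str) -> bool:
    """Reject only PSD payloads, and only while Pillow is vulnerable."""
    return is_psd(data) and is_affected(pillow_version)


def installed_pillow_version() -> str | None:
    """Version of the Pillow distribution on this host, or None if absent."""
    try:
        from importlib.metadata import version
        return version("Pillow")
    except Exception:  # PackageNotFoundError or no importlib.metadata
        return None


# Constructed sample inputs: a PSD header (version 1, 3 channels) and a PNG header.
SAMPLE_PSD_HEADER = b"8BPS" + b"\x00\x01" + b"\x00" * 6 + b"\x00\x03"
SAMPLE_PNG_HEADER = b"\x89PNG\r\n\x1a\n"
```

Call `should_reject(upload_bytes, installed_pillow_version() or "0.0.0")` before handing the bytes to `Image.open`; the fallback string makes an unknown install count as not affected, so adjust if you prefer fail-closed.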
REFERENCES:
The following reports contain further technical details: