Multiple Pillow Vulnerabilities Affect Ubuntu Users
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity, Ubuntu
Keywords: ubuntu, pillow, denial, service, cve-2026, security, issue
Severity indicators: issue, security issue
Summary
On June 8, 2026, Ubuntu released USN-8399-1 addressing several vulnerabilities in the Pillow library. These vulnerabilities could allow attackers to exploit large glyph advance values, nested coordinate lists, and malformed PDF and PSD files, potentially leading to denial of service attacks. The affected versions include Ubuntu 25.10 and Ubuntu 26.04 LTS. Specific CVEs include CVE-2026-42308, CVE-2026-42309, CVE-2026-42310, and CVE-2026-42311, all published on May 9, 2026. Users are advised to update their systems to mitigate these risks. The vulnerabilities could allow excessive resource usage or crashes, impacting service availability. The issues highlight the importance of timely software updates for maintaining security.

Key Points:
- Pillow vulnerabilities could lead to denial of service attacks on affected Ubuntu versions.
- CVE-2026-42308, CVE-2026-42309, CVE-2026-42310, and CVE-2026-42311 were published on May 9, 2026.
- Users of Ubuntu 25.10 and 26.04 LTS are urged to update their systems immediately.
Detailed Analysis
**Impact**
Ubuntu users running versions 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS are affected, with the most critical issues impacting 25.10 and 26.04 LTS. The vulnerabilities primarily allow denial of service (DoS) conditions, potentially disrupting services relying on the Pillow imaging library. One vulnerability (CVE-2026-42311) may enable arbitrary code execution, increasing risk to affected systems. No specific sectors or geographies were detailed in the sources.

**Technical Details**
The vulnerabilities involve improper handling of large glyph advance values in fonts (CVE-2026-42308), nested coordinate lists in APIs (CVE-2026-42309), malformed PDF files causing resource exhaustion (CVE-2026-42310), and malformed PSD files leading to DoS or code execution (CVE-2026-42311). Attackers can exploit these by supplying crafted font or image files to cause crashes or resource exhaustion, affecting the availability of applications using Pillow. No malware, tools, or infrastructure indicators were provided.

**Recommended Response**
Apply the updated Pillow package versions immediately via standard system updates:
- python3-pil 12.1.1-2ubuntu1.2 for Ubuntu 26.04 LTS
- python3-pil 11.3.0-1ubuntu1.3 for Ubuntu 25.10
- python3-pil 10.2.0-1ubuntu1.2 for Ubuntu 24.04 LTS
- python3-pil 9.0.1-1ubuntu0.4 for Ubuntu 22.04 LTS
Monitor for abnormal application crashes or resource usage related to image processing. No specific detection signatures or IOCs are available; focus on patch management and system stability monitoring.
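As an added patch-state check (not part of the advisory or of Ubuntu's tooling), the script below compares an installed python3-pil version against the fixed versions listed above. It implements Debian's version-ordering rules so that backport suffixes such as ubuntu1.2 and tilde pre-releases compare the way dpkg compares them; the release-to-version table comes from this page, and the /etc/os-release and dpkg-query lookups in the main block are assumptions about a standard Ubuntu host.

```python
import re
import subprocess

# Fixed python3-pil versions from USN-8399-1 as listed on this page, keyed by Ubuntu VERSION_ID.
FIXED_PYTHON3_PIL = {"26.04": "12.1.1-2ubuntu1.2", "25.10": "11.3.0-1ubuntu1.3",
                     "24.04": "10.2.0-1ubuntu1.2", "22.04": "9.0.1-1ubuntu0.4"}

def _char_order(c):
    # Debian ordering: '~' sorts before even end-of-string (0); letters sort before other symbols.
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # Alternate between non-digit and digit runs, the way dpkg's verrevcmp() does.
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _char_order(sa[i]) if i < len(sa) else 0
            ob = _char_order(sb[i]) if i < len(sb) else 0
            if oa != ob:
                return (oa > ob) - (oa < ob)
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return (ia > ib) - (ia < ib)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the semantics of dpkg --compare-versions (epoch, upstream, revision)."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return ((e1 > e2) - (e1 < e2)) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(release, installed):
    """True when the installed python3-pil is at or above the USN-8399-1 fixed version for that release."""
    if release not in FIXED_PYTHON3_PIL:
        raise ValueError(f"no USN-8399-1 fixed version known for Ubuntu {release}")
    return compare_versions(installed, FIXED_PYTHON3_PIL[release]) >= 0

if __name__ == "__main__":
    # Host lookups (assumed standard Ubuntu tooling): VERSION_ID from /etc/os-release, dpkg-query for the package.
    release = dict(l.rstrip("\n").split("=", 1) for l in open("/etc/os-release") if "=" in l)["VERSION_ID"].strip('"')
    installed = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "python3-pil"],
                               capture_output=True, text=True, check=True).stdout.strip()
    state = "patched" if is_patched(release, installed) else "VULNERABLE, update now"
    print(f"python3-pil {installed} on Ubuntu {release}: {state}")
```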
Source articles (2)
- USN-8399-1: Pillow vulnerabilities — Ubuntu · 2026-06-08
  It was discovered that Pillow incorrectly handled large glyph advance values in fonts. An attacker could possibly use this issue to cause Pillow to crash, resulting in a denial of service. (CVE-2026-…
- Ubuntu 26.04 LTS 8399-1 Pillow Denial of Service Risk CVE-2026 — Linuxsecurity · 2026-06-08
  A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 26.04 LTS, Ubuntu 25.10, Ubuntu 24.04 LTS, Ubuntu 22.04 LTS. Summary: Several security issues were fixed in Pillow. So…
Timeline
- 2026-05-09 — CVE-2026-42308 published: A vulnerability in Pillow allows large glyph advance values to cause crashes, leading to denial of service.
- 2026-05-09 — CVE-2026-42309 published: Pillow's handling of nested coordinate lists can lead to crashes, affecting Ubuntu 25.10 and 26.04 LTS.
- 2026-05-09 — CVE-2026-42310 published: Malformed PDF files can cause Pillow to use excessive resources, leading to denial of service.
- 2026-05-09 — CVE-2026-42311 published: Certain malformed PSD files can cause Pillow to crash or execute arbitrary code, affecting Ubuntu 25.10 and 26.04 LTS.
- 2026-06-08 — Ubuntu releases USN-8399-1: Ubuntu issued a security notice addressing multiple vulnerabilities in Pillow, urging users to update their systems.
CVEs
Related entities
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- Ubuntu (Company)