CVE-2026-42311
Published: 09 May 2026
Summary
CVE-2026-42311 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Python Pillow. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its exploit likelihood ranks at the 4.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
This vulnerability is classified as AI-related (AI category: Computer Vision; risk domain: Data-Related Vulnerabilities).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28903
Vulnerability details
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
- CWE(s): CWE-190 Integer Overflow or Wraparound
AI Security Analysis
- AI Category: Computer Vision
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: pillow
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Client Execution (T1203)
Why these techniques?
Memory corruption in an image library enables remote code execution when a malicious PSD file is processed, which maps directly to client-side exploitation through malicious file handling.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by non-executable memory protections (DEP/NX).