What is the severity of CVE-2026-42309?

CVE-2026-42309 has a CVSS v3 score of 5.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-42309?

No known public exploits are currently available for CVE-2026-42309.

Is there a patch available for CVE-2026-42309?

Yes, patches are available for CVE-2026-42309. Check the vendor advisories for update instructions.

CVE-2026-42309 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-42309?

Passing nested lists as coordinates to APIs that accept coordinates such as `ImagePath.Path`, `ImageDraw.ImageDraw.polygon` and `ImageDraw.ImageDraw.line` could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This was introduced in Pillow 11.2.1.

Agentic AI · Pentesting

Ready for Agentic Automated Testing?

Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.

Zero false positives

PoC for every finding

30+ tools orchestrated

Book a Demo Learn More

Setup in 5 minutesSOC 2 & ISO 27001

CVE-2026-42309 - CVE Details, Severity, and Analysis | Strobes VI

Trend Analysis

Neutral

Vulnerable Products

Vendor	Product
Python	Pillow

Advisories

GitHub Advisory

NVD: Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.