
PEACH
Un framework di isolamento del tenant
CVE-2026-59205 is a controlled heap out-of-bounds write vulnerability in Pillow's ImageCms.ImageCmsTransform.apply() API, affecting all versions prior to 12.3.0. The flaw allows an attacker to trigger native heap corruption by supplying an output image whose color mode does not match the transform's declared output mode (e.g., passing an L-mode image to an RGBA→RGBA transform). It was disclosed on July 7, 2026 via a GitHub Security Advisory and assigned CVE on July 14, 2026. The vulnerability carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory).
The root cause is an out-of-bounds write (CWE-787) in Pillow's ImageCms.py and its underlying C extension _imagingcms.c. When ImageCmsTransform.apply(im, imOut) is called with a caller-supplied imOut, Pillow validates only that the output image dimensions are at least as large as the input — it does not verify that imOut.mode matches the transform's declared output mode. The C wrapper pyCMSdoTransform() then passes the mismatched output row pointer directly to LittleCMS's cmsDoTransform(), which writes data sized for the transform's declared mode (e.g., 4 bytes/pixel for RGBA) into a buffer allocated for the actual image mode (e.g., 1 byte/pixel for L). For a width-4096 image, this results in approximately 12,288 bytes written past the end of each row buffer. The vulnerability is exploitable over the network without authentication or user interaction in applications that accept untrusted image processing parameters (GitHub Advisory, Patch PR).
Successful exploitation causes controlled native heap corruption, which at minimum results in application crash and denial of service. The advisory demonstrates that attacker-controlled source pixel bytes are written out-of-bounds, with gdb analysis showing the faulting pointer value directly reflecting the pixel pattern (e.g., 0x4443424144434241 from pixels ABCDABCD), indicating potential for memory corruption primitives beyond simple DoS. Applications are at risk if untrusted users can influence the imOut argument passed to ImageCmsTransform.apply() or control ICC color transform parameters. There is no confidentiality or integrity impact assessed in the current CVSS scoring, but the controlled nature of the write leaves open the possibility of further exploitation in specific runtime environments (GitHub Advisory).
ImageCms.ImageCms.buildTransform() to create a transform matching the input image's mode (e.g., RGBA→RGBA).transform.apply(im, out) where out is the mismatched-mode image. Pillow skips mode validation and passes the undersized output buffer to LittleCMS.3 * width bytes. At width=8, heap metadata is corrupted; at width=4096, ~12,288 bytes are written past each row, causing a crash or potential further memory corruption.from PIL import Image, ImageCms
srgb = ImageCms.createProfile("sRGB")
transform = ImageCms.buildTransform(srgb, srgb, "RGBA", "RGBA")
im = Image.new("RGBA", (8, 1), (0x41, 0x42, 0x43, 0x44))
out = Image.new("L", (8, 1), 0)
transform.apply(im, out) # triggers heap corruptionImageCms.py apply() or _imagingcms with free(): invalid next size, Aborted (core dumped), or SIGSEGV signals from the Python process.core, core.<pid>) in the application working directory following crashes in Pillow-based services.Upgrade Pillow to version 12.3.0 or later, which adds explicit mode validation in ImageCmsTransform.apply() — raising a ValueError if im.mode != self.input_mode or imOut.mode != self.output_mode before any native code is invoked (Pillow Release, Patch Commit). As a short-term workaround for applications that cannot immediately upgrade, add input validation to ensure the output image's color mode matches the transform's declared output mode before calling ImageCmsTransform.apply(). Applications that do not expose ImageCms transform functionality to untrusted user input are at significantly reduced risk.
Fonte: Questo report è stato generato utilizzando l'intelligenza artificiale
Valutazione gratuita delle vulnerabilità
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."