CVE-2026-59203
Python 취약성 분석 및 완화

개요

CVE-2026-59203 is a denial-of-service vulnerability in Pillow's EPS image parser that allows an unauthenticated attacker to cause an infinite loop by supplying a crafted EPS file with a negative byte count in the %%BeginBinary directive. It affects Pillow versions 12.0.0 through 12.2.0 (inclusive), and was fixed in version 12.3.0. The vulnerability was published on July 14, 2026, with the fix merged on June 22, 2026. It carries a CVSS v3.1 base score of 7.5 (High) per NVD, or 5.3 (Medium) per the GitHub Security Advisory (GitHub Advisory).

기술적 세부 사항

The root cause is a missing non-negativity check on the byte count parsed from the %%BeginBinary: directive in PIL/EpsImagePlugin.py (CWE-835: Loop with Unreachable Exit Condition). When Pillow reads the byte count, it passes the value directly to self.fp.seek(bytecount, os.SEEK_CUR) without validating that it is non-negative. A crafted EPS file containing %%BeginBinary:-18 causes the file pointer to seek backwards to the same directive line, which is then re-parsed indefinitely. The loop is triggered during Image.open() alone — it does not require Image.load() or Ghostscript execution — making it exploitable in any code path that opens or validates EPS files. The fix (PR #9708, commit 0399261) adds a check that raises a ValueError with the message "BeginBinary bytecount cannot be negative" if the parsed value is less than zero (GitHub Advisory, Fix Commit).

영향

Successful exploitation causes the affected Python process to hang indefinitely in an infinite loop, consuming 100% CPU and rendering the application unresponsive — a complete availability denial of service. There is no impact on confidentiality or integrity. Web services, API backends, and batch image processing pipelines that accept user-supplied EPS files and pass them to Image.open() are particularly at risk, especially if image parsing runs in a main worker process without CPU time limits, timeouts, or process isolation (GitHub Advisory).

착취 단계

  1. Craft the malicious EPS file: Create a file named pillow_eps_beginbinary_dos.eps with the following content:
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 1 1
%%EndComments
% dummy comment after transition
%%BeginBinary:-18
%%EOF

The key payload is %%BeginBinary:-18, which specifies a negative byte count of -18.

  1. Identify a vulnerable target: Locate an application or service using Pillow 12.0.0–12.2.0 that accepts EPS image uploads or processes user-supplied image files (e.g., image validation endpoints, thumbnail generators, document converters).

  2. Deliver the malicious file: Submit the crafted EPS file to the target application via its file upload interface, API endpoint, or any other mechanism that causes the application to call Image.open() on the file.

  3. Trigger the infinite loop: When the application calls Image.open("pillow_eps_beginbinary_dos.eps"), the EPS parser reads %%BeginBinary:-18, seeks the file pointer backwards by 18 bytes to the same directive, and re-parses it indefinitely. The process hangs and consumes 100% CPU, causing a denial of service (GitHub Advisory).

타협의 징후

  • Process: Python worker processes consuming sustained 100% CPU without completing, particularly those handling image uploads or processing tasks; processes that never return from Image.open() calls on EPS files.
  • Logs: Application logs showing EPS image open requests that never complete or time out; absence of completion log entries for image processing jobs that accepted EPS input.
  • File System: Presence of EPS files containing the string %%BeginBinary:- followed by a negative integer in upload directories or temporary processing folders.
  • Network: Repeated or sustained HTTP requests to image upload/processing endpoints that do not receive a response, potentially indicating a hung worker.

완화 및 해결 방법

The primary remediation is to upgrade Pillow to version 12.3.0 or later, which raises a ValueError for negative %%BeginBinary byte counts (Pillow Release 12.3.0). If immediate patching is not possible, restrict or block processing of EPS files from untrusted sources, implement file type validation before passing files to Image.open(), and enforce CPU time limits or process timeouts on image parsing workers to bound the impact of exploitation (GitHub Advisory).

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 Python 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

GHSA-r3hx-x5rh-p9vvHIGH8.7
  • Python logoPython
  • django-haystack
아니요Jul 15, 2026
CVE-2026-54457HIGH7.7
  • Python logoPython
  • tensorzero
아니요Jul 15, 2026
CVE-2026-50271HIGH7.5
  • Python logoPython
  • ddtrace
아니요Jul 15, 2026
CVE-2026-54254MEDIUM6.9
  • Python logoPython
  • cyberdrop-dl-patched
아니요Jul 15, 2026
CVE-2026-53656MEDIUM6.3
  • Python logoPython
  • fiftyone
아니요Jul 15, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자