Nixpkgs security tracker

Untriaged

Permalink CVE-2026-25990

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Pillow has an out-of-bounds write when loading PSD images

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

References

https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc x_refsource_CONFIRM
https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa x_refsource_MISC
http://www.openwall.com/lists/oss-security/2026/02/12/1

Affected products

Pillow

==>= 10.3.0, < 12.1.1

Matching in nixpkgs

pkgs.python312Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable 11.3.0
nixos-25.11 12.0.0
- nixpkgs-25.11-darwin 12.0.0

pkgs.python313Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable 11.3.0
- nixpkgs-unstable 12.1.0
- nixos-unstable-small 12.1.0
nixos-25.11 12.0.0
- nixpkgs-25.11-darwin 12.0.0

pkgs.python314Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable -
- nixpkgs-unstable 12.1.0
- nixos-unstable-small 12.1.0

pkgs.python312Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable 0.22.0
nixos-25.11 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python312Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable 1.3.2
nixos-25.11 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python312Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable 0.4
nixos-25.11 0.4
- nixpkgs-25.11-darwin 0.4

pkgs.python313Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable 0.22.0
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1
nixos-25.11 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python313Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python313Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable 0.4
- nixpkgs-unstable 0.4
- nixos-unstable-small 0.4
nixos-25.11 0.4
- nixpkgs-25.11-darwin 0.4

pkgs.python314Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable -
- nixpkgs-unstable 1.1.1
- nixos-unstable-small 1.1.1

pkgs.python314Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable -
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2

pkgs.python314Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable -
- nixpkgs-unstable 0.4
- nixos-unstable-small 0.4

pkgs.python312Packages.types-pillow

Typing stubs for Pillow

nixos-unstable 10.2.0.20240822
nixos-25.11 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822

pkgs.python313Packages.types-pillow

Typing stubs for Pillow

nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822
nixos-25.11 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822

pkgs.python314Packages.types-pillow

Typing stubs for Pillow

nixos-unstable -
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822

pkgs.python312Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable 0.3.0-unstable-2024-07-07
nixos-25.11 0.3.1
- nixpkgs-25.11-darwin 0.3.1

pkgs.python313Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable 0.3.0-unstable-2024-07-07
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1
nixos-25.11 0.3.1
- nixpkgs-25.11-darwin 0.3.1

pkgs.python314Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable -
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1

pkgs.python312Packages.pillow-avif-plugin

Pillow plugin that adds support for AVIF files

nixos-unstable 1.4.6
nixos-25.11 1.5.2
- nixpkgs-25.11-darwin 1.5.2

pkgs.python313Packages.pillow-avif-plugin

Pillow plugin that adds support for AVIF files

nixos-unstable 1.4.6
nixos-25.11 1.5.2
- nixpkgs-25.11-darwin 1.5.2

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@RatCornu Balthazar Patiachvili <ratcornu+programmation@skaven.org>
@D4ndellion Daniel Olsen <daniel@dodsorf.as>
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@arjan-s Arjan Schrijver <github@anymore.nl>
@kuflierl Kennet Flierl <kuflierl@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.pillow

pkgs.python313Packages.pillow

pkgs.python314Packages.pillow

pkgs.python312Packages.pillow-heif

pkgs.python312Packages.pillow-jpls

pkgs.python312Packages.pillowfight

pkgs.python313Packages.pillow-heif

pkgs.python313Packages.pillow-jpls

pkgs.python313Packages.pillowfight

pkgs.python314Packages.pillow-heif

pkgs.python314Packages.pillow-jpls

pkgs.python314Packages.pillowfight

pkgs.python312Packages.types-pillow

pkgs.python313Packages.types-pillow

pkgs.python314Packages.types-pillow

pkgs.python312Packages.pypillowfight

pkgs.python313Packages.pypillowfight

pkgs.python314Packages.pypillowfight

pkgs.python312Packages.pillow-avif-plugin

pkgs.python313Packages.pillow-avif-plugin

Package maintainers