- What: A security update is available for the pillow package in Debian.
- Impact: Missing input sanitizing in the PSD support of Pillow could lead to denial of service or arbitrary code execution if malformed images are processed.
[SECURITY] [DSA 6147-1] pillow security update To : debian-security-announce@lists.debian.org Subject : [SECURITY] [DSA 6147-1] pillow security update From : Moritz Muehlenhoff < jmm@debian.org > Date : Fri, 20 Feb 2026 19:20:17 +0000 Message-id : < [🔎] aZiz8R8BxfIx07HV@seger.debian.org > Reply-to : debian-security-announce-request@lists.debian.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6147-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 20, 2026 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : pillow CVE ID : CVE-2026-25990 Yarden Porat discovered that missing input sanitising in the PSD support of Pillow, a Python imaging library, could result in denial of service or the execution of arbitrary code if malformed images are processed. The oldstable distribution (bookworm) is not affected. For the stable distribution (trixie), this problem has been fixed in version 11.1.0-5+deb13u1. We recommend that you upgrade your pillow packages. For the detailed security status of pillow please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pillow Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmmYso0ACgkQEMKTtsN8 TjacPw//TgVjozrcrjPt3MrfjAkb+dnxgIHrTx6ptSeRQgtQQJJzneFqqmNV1+BR Dnt2DTu6vtVEBF3PqWoRNn4fQU3P0VtvIwTe8iCJH+Hx5wYAka1JrbpiS99FzNlu puN2Tbw07bJoHktYjSfpWeTjFgSUzoywwEv1OKBHlZEm6o+mG3htdqYckzz9sUHw fcavERSS12zGxtlUenP4kayw7vGpl1Zb6ma+T33j9Z1pk7eyYnpPQ2G1kiqnd/Yf 16WQgwO3ihUSnzpOJ6NQ+zH/JiF7gIg3nRphFu7IXPgl2Ww/VjoCCahs3dmxQWms fFRBUGeNpJlhAgV3UuvvCJ7/CeRKlPWyi/HlKVJLeNnieCSt0C/2X/3aEHFtUGhn Q6NT0vfxDT/V9Y3l2+wXD7qdgj9VIesY3r+JzbJ4rBGDwHLooSjKH1b80EG37la7 ki7O9stIIvQ+96Ae6EP8A9kbiyOXRFMcUee1F8Fwqsvw1gdVfWCSpQnDbxQrGJhk C4ZpdpvHrUnveGAnmaQU2gsZ37NbY6mdaeR9LuZOuyV8rWQWvnIdI3HcvqYd7FJn dQTqNvfATKGRRFOZU+SkrskcenloKoYrO9/dZbcWwBPralUqmM41ilOkpVml1yYm BGvZ9zv+GmFhhnDDlc0UBm//voIsRKSeHU/bXN0Nw82m+5ZJu1M= =LgNJ -----END PGP SIGNATURE----- Reply to: debian-security-announce@lists.debian.org Moritz Muehlenhoff (on-list) Moritz Muehlenhoff (off-list) Prev by Date: [SECURITY] [DSA 6146-1] chromium security update Previous by thread: [SECURITY] [DSA 6146-1] chromium security update Index(es): Date Thread