fix(cve): CVE-2026-40192 - Update Pillow to 12.2.0 #3415

Merged
atheo89 merged 4 commits into opendatahub-io:main from crackcodecamp:fix/cve-2026-40192-pillow-main-attempt-1
Apr 30, 2026

@crackcodecamp crackcodecamp commented Apr 20, 2026

CVE Details

  • CVE ID: CVE-2026-40192
  • Advisory: GHSA-whj4-6x5x-4v2j
  • Severity: HIGH (CVSS 8.7)
  • CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Vulnerability: FITS GZIP decompression bomb — DoS via unbounded memory consumption
  • Affected versions: >= 10.3.0, < 12.2.0
  • Fixed version: 12.2.0

Summary

  • Update dependencies/cve-constraints.txt: bump floor pillow>=12.1.1 → pillow>=12.2.0
  • Update jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt: pillow==12.1.1 → pillow==12.2.0
  • Update runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt: pillow==12.1.1 → pillow==12.2.0
  • Update 2 llmcompressor pylock.cuda.toml files: Pillow 12.1.1 → 12.2.0 (wheels verified on Red Hat mirror cuda13.0-ubi9 path)

All 14 pylock files across the repo now consistently have Pillow 12.2.0.

Breaking Changes

None. Pillow 12.2.0 is a patch release containing only the security fix for FITS GZIP decompression.

Test Results

✅ 210 subtests passed, 8 pre-existing subfailures (unrelated to this change)

pytest --override-ini="addopts=" -v 2>&1

Jira Issues

Verification Steps

  • Confirm Pillow 12.2.0 resolves CVE-2026-40192 per GHSA-whj4-6x5x-4v2j
  • Verify cve-constraints.txt floor is >=12.2.0
  • Verify both llmcompressor requirements.cuda.txt pin pillow==12.2.0
  • Verify all 14 pylock files have Pillow 12.2.0
  • CI passes

Risk Assessment

Low — Minor version bump of Pillow with only a security fix. No API changes.

Summary by CodeRabbit

  • Chores
    • Updated Pillow to >=12.2.0 for a security fix and overall stability.
    • Refreshed dependency lockfiles and runtime/environment manifests to align package versions and hashes across notebooks and runtimes.

@openshift-ci openshift-ci Bot requested review from ayush17 and ysok April 20, 2026 05:58
@github-actions
Contributor

@crackcodecamp — This PR is from a fork.
The build-rhoai CI job was skipped because subscription
builds (RHEL, AIPCC) need secrets unavailable to forks.
ODH builds and code quality checks still ran.

Recommended: Push your branch to the main repo for full CI:

git remote add upstream https://github.com/opendatahub-io/notebooks.git
git push upstream HEAD:crackcodecamp/your-branch-name

Then open a new PR from that branch.

No push access? A maintainer will cherry-pick and test your changes.

See CONTRIBUTING.md for details.

@github-actions github-actions Bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label Apr 20, 2026
@openshift-ci openshift-ci Bot added size/s and removed size/s labels Apr 20, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Apr 20, 2026

Warning

Rate limit exceeded

@crackcodecamp has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 26 seconds before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 19518da3-6972-4928-b488-e24b5aa271fb

📥 Commits

Reviewing files that changed from the base of the PR and between 162dfe8 and 07cb4aa.

📒 Files selected for processing (4)
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
📝 Walkthrough

Updated Pillow constraint from pillow>=12.1.1 to pillow>=12.2.0 (CVE reference updated to CVE-2026-40192) in dependencies/cve-constraints.txt and added pillow>=12.2.0 to tool.uv.override-dependencies in two pyproject.toml files. Multiple environment-specific requirements lockfiles and their uv.lock.d TOML counterparts for the PyTorch+LLMCompressor UBI9 Python 3.12 images were regenerated, producing widespread dependency version, wheel/hash, and metadata changes and removing several previously-present packages in those lockfiles.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title uses imperative mood ("Update") and includes a ticket reference (RHOAIENG series implied by CVE context), clearly describing the security fix for CVE-2026-40192.
Description check ✅ Passed The PR description includes comprehensive CVE details, specific version changes across multiple files, test results, verification steps, and risk assessment—exceeding template requirements.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Branch Prefix Policy ✅ Passed PR title 'fix(cve): CVE-2026-40192 - Update Pillow to 12.2.0' correctly follows branch prefix policy for main branch by not including branch prefixes like '[release-2.11]' or '[rhoai-2.25]'.

@openshift-ci openshift-ci Bot added size/s and removed size/s labels Apr 20, 2026
@codecov-commenter

codecov-commenter commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.55%. Comparing base (dbb99bf) to head (07cb4aa).

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #3415   +/-   ##
=====================================
  Coverage   3.55%   3.55%           
=====================================
  Files         30      30           
  Lines       3352    3352           
  Branches     529     529           
=====================================
  Hits         119     119           
  Misses      3231    3231           
  Partials       2       2           
Flag Coverage Δ
python 3.55% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@dependencies/cve-constraints.txt`:
- Around line 16-18: The comment above the pillow constraint is ambiguous:
clarify whether the single constraint "pillow>=12.2.0" remediates both
CVE-2026-25990 and CVE-2026-40192 or provide per-CVE rationale; update the
comment(s) so security traceability is explicit by either (a) adding a
single-line note after the constraint stating that "pillow>=12.2.0 remediates
CVE-2026-25990 and CVE-2026-40192 (include CVE advisories/patch versions)" or
(b) splitting into two commented lines each naming the CVE and the minimum
Pillow version that fixes it, with a short justification—locate the constraint
"pillow>=12.2.0" and the surrounding comments and modify them accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 2267e258-c90e-4234-b2eb-8517eb5331aa

📥 Commits

Reviewing files that changed from the base of the PR and between c75ad60 and 1a563b6.

📒 Files selected for processing (5)
  • dependencies/cve-constraints.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml

Comment on lines 16 to +18
# RHAIENG-3210: CVE-2026-25990 Pillow: Out-of-bounds Write via Specially Crafted PSD Image
pillow>=12.1.1 No newline at end of file
# RHOAIENG-58615: CVE-2026-40192 Pillow: FITS GZIP decompression bomb
pillow>=12.2.0 No newline at end of file
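
Review bot: The new last line `pillow>=12.2.0` still carries "No newline at end of file", same as the line it replaces. End the file with a newline so that the next constraint appended here shows up as a one-line addition and cannot be fused onto the pillow line by a tool that concatenates or appends to constraint files.
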
Contributor

⚠️ Potential issue | 🟡 Minor

Disambiguate Pillow CVE mapping in constraint comments

Line 16 and Line 17 list different Pillow CVEs over a single pillow>=12.2.0 constraint, which makes security traceability ambiguous during audits. Clarify whether this single floor remediates both CVE-2026-25990 and CVE-2026-40192, or split/comment explicitly per CVE rationale.

As per coding guidelines, "REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code)".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@dependencies/cve-constraints.txt` around lines 16 - 18, The comment above the
pillow constraint is ambiguous: clarify whether the single constraint
"pillow>=12.2.0" remediates both CVE-2026-25990 and CVE-2026-40192 or provide
per-CVE rationale; update the comment(s) so security traceability is explicit by
either (a) adding a single-line note after the constraint stating that
"pillow>=12.2.0 remediates CVE-2026-25990 and CVE-2026-40192 (include CVE
advisories/patch versions)" or (b) splitting into two commented lines each
naming the CVE and the minimum Pillow version that fixes it, with a short
justification—locate the constraint "pillow>=12.2.0" and the surrounding
comments and modify them accordingly.

@openshift-ci openshift-ci Bot added size/s and removed size/s labels Apr 20, 2026
Member

@atheo89 atheo89 left a comment

/lgtm

[[packages]]
name = "pillow"
version = "12.1.1"
version = "12.2.0"
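
Review bot: Only the `version` field of the pillow `[[packages]]` entry is visible as changed here (12.1.1 to 12.2.0). Confirm that the rest of the entry, the wheel and sdist records with their hashes, was produced by the lock generator for 12.2.0 and not carried over from 12.1.1, since a bumped version with stale hashes fails hash-checked installs.
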
Member

Hey @crackcodecamp, how did you generate the lock files? I see that the pylock generator fails here https://github.com/opendatahub-io/notebooks/actions/runs/24650892451/job/72073262626?pr=3415#step:4:234

Please update also that file here on the override section with the pillow and run the below command to generate the lock files properly.
make refresh-lock-files DIR=jupyter/pytorch+llmcompressor/ubi9-python-3.12
Do the same for the runtime.

Contributor Author

@atheo89 Done. Added "pillow>=12.2.0" to override-dependencies in both jupyter/pytorch+llmcompressor and runtimes/pytorch+llmcompressor pyproject.toml files.

@crackcodecamp crackcodecamp force-pushed the fix/cve-2026-40192-pillow-main-attempt-1 branch from 1a563b6 to 6b1c5dc Compare April 30, 2026 08:08
@openshift-ci openshift-ci Bot added size/xl and removed size/xl labels Apr 30, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt`:
- Around line 321-322: Update the pinned mako dependency from 1.3.10 to 1.3.12
in the requirements entry that currently reads "mako==1.3.10" and regenerate the
associated --hash value(s); also apply the same bump in the duplicate file
referenced
(runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt). Ensure
the version constraint is changed to "mako==1.3.12" (or "mako>=1.3.12" if policy
allows) and replace the old SHA256 hash with the new hash(es) produced by your
dependency lock tool.

In `@jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml`:
- Around line 185-188: The pylock refresh downgraded tracked packages (boto3 ->
1.42.84 and feast -> 0.61.0) causing test
test_pylock_tracked_packages_not_downgraded_vs_git_base to fail; regenerate the
lock from the project's source constraints (pyproject.toml) or the preserved
baseline constraints so that boto3 is >= 1.42.92 and feast is >= 0.62.0, then
update the lock (pylock.cuda.toml entry for boto3 and the corresponding feast
entry) without downgrading tracked packages so tests pass.

In `@runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt`:
- Around line 68-70: The lock file still pins vulnerable packages; update the
pinned versions in the constraints/overrides that govern
runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt so
cryptography is bumped to 46.0.7 (fixes CVE-2026-39892), lxml is bumped to
>=6.1.0 (fixes CVE-2026-41066), and nbconvert is bumped to 7.17.1 (fixes
CVE-2026-39377/39378), then regenerate the runtime lock so requirements.cuda.txt
reflects those safe versions; look for the constraint/override entries that list
cryptography, lxml, and nbconvert and update them before regenerating.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 23ff158e-abc6-42ca-b25f-195dc361aed4

📥 Commits

Reviewing files that changed from the base of the PR and between 1a563b6 and 6b1c5dc.

📒 Files selected for processing (7)
  • dependencies/cve-constraints.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • dependencies/cve-constraints.txt

Comment thread jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt Outdated
Comment thread jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml Outdated
Comment thread runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt Outdated
@atheo89
Member

atheo89 commented Apr 30, 2026

Thanks for the update! Please rebase and I will merge your PR asap :)
/lgtm

Ambient Code Bot and others added 3 commits April 30, 2026 17:40
- Bump cve-constraints.txt: pillow>=12.1.1 → pillow>=12.2.0
- Update pytorch+llmcompressor requirements: pillow 12.1.1 → 12.2.0
- Addresses FITS GZIP decompression bomb (CVSS 8.7 High)

Note: Run `make refresh-lock-files` to regenerate pylock files
with the updated Pillow 12.2.0 constraint.

Resolves: RHOAIENG-58615, RHOAIENG-58610, RHOAIENG-58598

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Update 2 remaining pylock.cuda.toml files (llmcompressor) from 12.1.1 to 12.2.0
- Wheels verified on Red Hat mirror (cuda13.0-ubi9 path)
- All 14 pylock files now consistently at Pillow 12.2.0

Resolves: CVE-2026-40192

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add pillow>=12.2.0 to override-dependencies in both
jupyter/pytorch+llmcompressor and runtimes/pytorch+llmcompressor
pyproject.toml files per reviewer feedback. Surgically update Pillow
12.1.1 -> 12.2.0 in pylock and requirements files to avoid unrelated
package downgrades from RH index re-resolution.

@crackcodecamp crackcodecamp force-pushed the fix/cve-2026-40192-pillow-main-attempt-1 branch from 7845b2e to 162dfe8 Compare April 30, 2026 12:15
@openshift-ci openshift-ci Bot added size/xl and removed size/xl labels Apr 30, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt`:
- Around line 461-462: The requirements line pins pip to an insecure version
"pip==26.0.1"; update that token to "pip==26.1" to address CVE-2026-3219 and
regenerate the corresponding --hash value for the new wheel/source, replacing
the existing sha256 hash after the line; ensure the updated requirement
preserves the same environment markers ("python_full_version >= '3.12' and
implementation_name == 'cpython' and sys_platform == 'linux'") and formatting.

In `@jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml`:
- Line 2: The lock file currently pins cryptography==46.0.6 (vulnerable to
CVE-2026-39892); update your constraints to require cryptography>=46.0.7 and
then regenerate the pylock (pylock.cuda.toml) using the same uv pip compile
invocation (the commented command in the file) so the new cryptography version
is recorded in the lock; ensure the source constraint that previously forced
46.0.6 is removed/updated and the regenerated lock no longer contains
cryptography==46.0.6.

In `@runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt`:
- Around line 316-317: The pip pin in
runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt currently
pins pip==26.0.1 which is vulnerable; update the requirement to pin pip>=26.1
(or pip==26.1+) to remediate CVE-2026-3219, then regenerate the associated lock
file(s) so hashes and any --hash entries are updated/removed accordingly; locate
the exact line containing "pip==26.0.1" and replace it with the new constraint
and refresh the lock metadata.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ccae5542-b5b0-4677-be29-c5070481542c

📥 Commits

Reviewing files that changed from the base of the PR and between 6b1c5dc and 162dfe8.

📒 Files selected for processing (7)
  • dependencies/cve-constraints.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml
✅ Files skipped from review due to trivial changes (2)
  • jupyter/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml
  • dependencies/cve-constraints.txt
🚧 Files skipped from review as they are similar to previous changes (1)
  • runtimes/pytorch+llmcompressor/ubi9-python-3.12/pyproject.toml

Comment thread jupyter/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt Outdated
@@ -1,5 +1,5 @@
# This file was autogenerated by uv via the following command:
# uv pip compile pyproject.toml --output-file uv.lock.d/pylock.cuda.toml --format pylock.toml --generate-hashes --emit-index-url --python-version=3.12 --universal --no-annotate --no-emit-package odh-notebooks-meta-db-connectors-deps --no-emit-package odh-notebooks-meta-jupyterlab-datascience-deps --no-emit-package odh-notebooks-meta-jupyterlab-deps --no-emit-package odh-notebooks-meta-llmcompressor-deps --no-emit-package odh-notebooks-meta-runtime-elyra-deps --no-emit-package odh-notebooks-meta-runtime-datascience-deps --no-emit-package odh-notebooks-meta-workbench-datascience-deps --constraints ../../../dependencies/cve-constraints.txt --exclude-newer=2026-04-29T01:34:53Z --default-index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/simple/?format=json
# uv pip compile pyproject.toml --output-file uv.lock.d/pylock.cuda.toml --format pylock.toml --generate-hashes --emit-index-url --python-version=3.12 --universal --no-annotate --no-emit-package odh-notebooks-meta-db-connectors-deps --no-emit-package odh-notebooks-meta-jupyterlab-datascience-deps --no-emit-package odh-notebooks-meta-jupyterlab-deps --no-emit-package odh-notebooks-meta-llmcompressor-deps --no-emit-package odh-notebooks-meta-runtime-elyra-deps --no-emit-package odh-notebooks-meta-runtime-datascience-deps --no-emit-package odh-notebooks-meta-workbench-datascience-deps --constraints ../../../dependencies/cve-constraints.txt --exclude-newer=2026-04-22T07:11:06Z --default-index=https://console.redhat.com/api/pypi/public-rhai/rhoai/3.5-EA1/cuda13.0-ubi9-test/simple/?format=json
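
Review bot: The two generated-command header lines differ only in `--exclude-newer`: 2026-04-29T01:34:53Z on the first and 2026-04-22T07:11:06Z on the second. If the second is the new side, the resolution cutoff moves back by a week, which lets the resolver settle on older releases than the base lock already had and is a likely source of unrelated downgrades. Regenerate with a cutoff no earlier than the base's, or state in the PR why the older timestamp is intended.
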
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the lock file exists and examine its content for cryptography version
if [ -f "jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml" ]; then
  echo "=== Lock file found, checking cryptography version ==="
  grep -i "cryptography" "jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml" | head -20
else
  echo "=== Lock file not found ==="
  find . -name "pylock.cuda.toml" -o -name "*uv.lock*" | head -20
fi

Repository: opendatahub-io/notebooks

Length of output: 744


🌐 Web query:

CVE-2026-39892 cryptography vulnerability buffer overflow

💡 Result:

CVE-2026-39892 is a buffer overflow vulnerability in the Python cryptography library (versions 45.0.0 through 46.0.6). It occurs when non-contiguous buffers (e.g., reversed slices like buf[::-1]) are passed to APIs accepting Python buffers, such as Hash.update. This leads to out-of-bounds memory reads, especially on Python >3.11. The issue stems from improper handling of Python's buffer protocol for non-contiguous memory layouts (CWE-119). Fixed in version 46.0.7. CVSS scores vary: NVD CVSS v3.1 7.5 (High), v4.0/AV:N/AC:L/.../VA:L (9.8 Critical in some reports, but moderate severity per GitHub). No known exploits. Mitigation: Upgrade to cryptography >=46.0.7 via 'pip install --upgrade cryptography>=46.0.7'. Review code for non-contiguous buffer usage with crypto APIs.

Regenerate this lock with cryptography>=46.0.7.

The lock file contains cryptography==46.0.6, affected by CVE-2026-39892 / CWE-119, a buffer overflow in the cryptography library's Python buffer protocol handling (e.g., non-contiguous buffers passed to Hash.update()). Version 46.0.7 fixes this. Update source constraints and regenerate the lock to remove the memory corruption vector from the shipped image.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@jupyter/pytorch+llmcompressor/ubi9-python-3.12/uv.lock.d/pylock.cuda.toml` at
line 2, The lock file currently pins cryptography==46.0.6 (vulnerable to
CVE-2026-39892); update your constraints to require cryptography>=46.0.7 and
then regenerate the pylock (pylock.cuda.toml) using the same uv pip compile
invocation (the commented command in the file) so the new cryptography version
is recorded in the lock; ensure the source constraint that previously forced
46.0.6 is removed/updated and the regenerated lock no longer contains
cryptography==46.0.6.

Comment thread runtimes/pytorch+llmcompressor/ubi9-python-3.12/requirements.cuda.txt Outdated
@openshift-ci openshift-ci Bot added size/xs and removed size/xl labels Apr 30, 2026

Regenerate pylock.cuda.toml and requirements.cuda.txt using
PYLOCKS_CI_CHECK=1 on top of the upstream/main baseline, so the
pillow>=12.2.0 override takes effect (12.1.1 -> 12.2.0) without
downgrading other packages (boto3, matplotlib stay at baseline).

@crackcodecamp crackcodecamp force-pushed the fix/cve-2026-40192-pillow-main-attempt-1 branch from bbe26ec to 07cb4aa Compare April 30, 2026 12:29
@openshift-ci openshift-ci Bot added size/m and removed size/xs labels Apr 30, 2026
@crackcodecamp crackcodecamp requested a review from atheo89 April 30, 2026 12:30
@crackcodecamp
Contributor Author

@atheo89 Thanks, Branch rebased.
Also could you please review red-hat-data-services#2139 for rhoai-3.3

@atheo89
Member

atheo89 commented Apr 30, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Apr 30, 2026
@atheo89 atheo89 enabled auto-merge April 30, 2026 13:13
@atheo89 atheo89 merged commit 8fdada2 into opendatahub-io:main Apr 30, 2026
19 of 23 checks passed
@openshift-ci
Contributor

openshift-ci Bot commented Apr 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: atheo89

Labels

approved lgtm review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel size/m
