CVE-2026-27809 PUBLISHED

psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps

Assigner: GitHub_M
Reserved: 24.02.2026 Published: 25.02.2026 Updated: 26.02.2026

psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
CVSS Score: 6.8

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	psd-tools
Product	psd-tools
Versions	Version < 1.12.2 is affected

References

Problem Types

CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) CWE
CWE-789: Memory Allocation with Excessive Size Value CWE
CWE-617: Reachable Assertion CWE
CWE-190: Integer Overflow or Wraparound CWE
CWE-755: Improper Handling of Exceptional Conditions CWE
CWE-704: Incorrect Type Conversion or Cast CWE