CVE-2026-27809

psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1	Patch
https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2	Product Release Notes
https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:psd-tools_project:psd-tools:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 00:16

Updated : 2026-03-02 18:55

NVD link : CVE-2026-27809

Mitre link : CVE-2026-27809

CVE.ORG link : CVE-2026-27809

JSON object : View

Products Affected

psd-tools_project

psd-tools

CWE

CWE-190

Integer Overflow or Wraparound

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

CWE-617

Reachable Assertion

CWE-704

Incorrect Type Conversion or Cast

CWE-755

Improper Handling of Exceptional Conditions

CWE-789

Memory Allocation with Excessive Size Value

{"id": "CVE-2026-27809", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T00:16:26.233", "references": [{"url": "https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/psd-tools/psd-tools/releases/tag/v1.12.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-409"}, {"lang": "en", "value": "CWE-617"}, {"lang": "en", "value": "CWE-704"}, {"lang": "en", "value": "CWE-755"}, {"lang": "en", "value": "CWE-789"}]}], "descriptions": [{"lang": "en", "value": "psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully."}, {"lang": "es", "value": "psd-tools es un paquete de Python para trabajar con archivos PSD de Adobe Photoshop. Antes de la versi\u00f3n 1.12.2, cuando un archivo PSD contiene datos de imagen comprimidos RLE malformados (por ejemplo, una secuencia literal que se extiende m\u00e1s all\u00e1 del tama\u00f1o de fila esperado), decode_rle() lanza un ValueError que se propagaba hasta el usuario, provocando el fallo de psd.composite() y psd-tools export. decompress() ya ten\u00eda una alternativa que reemplaza los canales fallidos con p\u00edxeles negros cuando el resultado es None, pero nunca se activaba porque el ValueError de decode_rle() no era capturado. La correcci\u00f3n en la versi\u00f3n 1.12.2 envuelve la llamada a decode_rle() en un bloque try/except para que la alternativa existente maneje el error de forma elegante."}], "lastModified": "2026-03-02T18:55:10.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:psd-tools_project:psd-tools:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A84A4E59-9D62-4B75-B39E-58413BDCAAC8", "versionEndExcluding": "1.12.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}