Description
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises a ValueError that propagates all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when the result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so that the existing fallback handles the error gracefully.
Published: 2026-02-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update
AI Analysis

Impact

The vulnerability resides in the compression module of the psd-tools Python package, where malformed RLE-compressed image data can trigger an unhandled ValueError during decoding. The exception propagates to higher-level functions such as psd.composite() and export, crashing the application. Because no authentication is needed to reach the crash, a local attacker can cause a denial of service simply by supplying a crafted PSD file, and a remote attacker could do the same if the application processes user-supplied PSD files without prior validation.

Affected Systems

The affected product is psd-tools, a Python package used for handling Adobe Photoshop PSD files. All versions prior to 1.12.2 are vulnerable; version 1.12.2 and later contain the necessary fix.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score of <1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malformed PSD file; no network-remote exploit vector is documented. However, because nothing restricts where that file comes from, an affected application that accepts PSD files from untrusted sources could be exposed to a remote denial of service.

Generated by OpenCVE AI on April 17, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade psd-tools to version 1.12.2 or later, which adds exception handling around the RLE decoding routine.
  • Restrict the source of PSD files to trusted inputs, or validate file integrity before processing, to prevent malformed data from reaching the decoder.
  • Wrap calls to psd.composite() and related export functions in try/except blocks as a temporary countermeasure until an official upgrade can be applied.
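To make the failure mode in the description and the fix behind the first recommended action concrete, here is an added illustration (not psd-tools' own code): a PackBits-style RLE row decoder that raises ValueError on an over-long run, and a decompress() wrapper run once as before 1.12.2 and once with the try/except the fix adds. The function names mirror the page; their bodies, signatures and the sample rows are assumptions constructed for this example.

```python
# Added illustration, not psd-tools' own code: a PackBits-style RLE decoder and a
# decompress() wrapper modelling why the black-pixel fallback never fired before
# 1.12.2 and how the try/except in the fix lets it fire (bodies are assumptions).

def decode_rle(data: bytes, width: int) -> bytes:
    """Decode one RLE row; raise ValueError when a run overruns the row."""
    out, i = bytearray(), 0
    while i < len(data) and len(out) < width:
        header = data[i]
        i += 1
        if header == 128:            # no-op marker, skip
            continue
        if header < 128:             # literal run: next header+1 bytes verbatim
            n = header + 1
            if len(out) + n > width or i + n > len(data):
                raise ValueError("literal run extends past the expected row size")
            out += data[i:i + n]
            i += n
        else:                        # repeat run: next byte repeated 257-header times
            n = 257 - header
            if len(out) + n > width or i >= len(data):
                raise ValueError("repeat run extends past the expected row size")
            out += bytes([data[i]]) * n
            i += 1
    if len(out) != width:
        raise ValueError("row shorter than expected")
    return bytes(out)

def decompress(channels, width: int, guarded: bool) -> list:
    """Decode each channel; guarded=False models pre-1.12.2 (ValueError escapes),
    guarded=True models the 1.12.2 fix (fallback to black pixels fires)."""
    decoded = []
    for data in channels:
        if guarded:
            try:
                result = decode_rle(data, width)
            except ValueError:       # the fix: catch and let the fallback handle it
                result = None
        else:
            result = decode_rle(data, width)   # escapes and crashes composite()/export
        if result is None:           # pre-existing fallback: channel becomes black
            result = bytes(width)
        decoded.append(result)
    return decoded

# Constructed sample rows, width 4: one valid, one whose literal run claims 6 bytes.
GOOD_ROW = bytes([0x03, 10, 20, 30, 40])
BAD_ROW = bytes([0x05, 1, 2, 3, 4, 5, 6])
```

With guarded=False the bad row raises out of decompress(), which is the crash the advisory describes; with guarded=True the same input yields a black channel instead.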

Advisories
Source: Github GHSA
ID: GHSA-24p2-j2jr-386w
Title: psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps
History

Mon, 02 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Psd-tools Project; Psd-tools Project psd-tools
CPEs | | cpe:2.3:a:psd-tools_project:psd-tools:*:*:*:*:*:*:*:*
Vendors & Products | | Psd-tools Project; Psd-tools Project psd-tools
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Fri, 27 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Psd-tools; Psd-tools psd-tools
Vendors & Products | | Psd-tools; Psd-tools psd-tools

Thu, 26 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
Title | | psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps
Weaknesses | | CWE-190; CWE-409; CWE-617; CWE-704; CWE-755; CWE-789
References | |
Metrics | | cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-26T15:17:34.807Z
Reserved: 2026-02-24T02:31:33.267Z
Link: CVE-2026-27809

Vulnrichment
Updated: 2026-02-26T15:17:22.108Z

NVD
Status: Analyzed
Published: 2026-02-26T00:16:26.233
Modified: 2026-03-02T18:55:10.073
Link: CVE-2026-27809

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-17T14:45:21Z