Impact
A deterministic heap buffer overflow is triggered when the SAIL library decodes PSD images in LAB 16‑bit mode. The library calculates bytes‑per‑pixel from the header fields channels × depth, but allocates the pixel buffer according to the resolved pixel format. For LAB mode with three channels at 16 bits per channel, the calculated bpp is six, while the format reserves only five bytes per pixel. Each pixel write overruns the buffer, creating a reliable overflow that can be leveraged to overwrite adjacent heap memory and potentially execute arbitrary code within the process that loads the image.
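The mismatch described above can be caught before any row is written, by comparing the row size implied by the header with the row size of the buffer allocated for the resolved format. The following C check is an added example, not SAIL's code or its fix; the function names, result codes and the 100-pixel sample width are assumptions made here, and it handles whole-byte channel depths only.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example (not SAIL's own). */
enum row_check { ROW_OK = 0, ROW_MISMATCH = 1, ROW_INVALID = 2 };

/* Bytes the decoder writes per row when sized from the header: width * channels * depth/8. */
static int header_row_bytes(uint32_t width, uint16_t channels, uint16_t depth_bits, size_t *out)
{
    if (width == 0 || channels == 0 || depth_bits == 0 || depth_bits % 8 != 0)
        return -1;                      /* assumption: whole-byte depths only */
    size_t bpp = (size_t)channels * (depth_bits / 8);
    if (width > SIZE_MAX / bpp)
        return -1;                      /* multiplication would wrap */
    *out = (size_t)width * bpp;
    return 0;
}

/* Bytes per row in the buffer allocated for the resolved pixel format. */
static int format_row_bytes(uint32_t width, unsigned format_bits_per_pixel, size_t *out)
{
    if (width == 0 || format_bits_per_pixel == 0 || width > (SIZE_MAX - 7) / format_bits_per_pixel)
        return -1;
    *out = ((size_t)width * format_bits_per_pixel + 7) / 8;
    return 0;
}

/* Refuse to decode unless the row that will be written fits the row that was allocated. */
enum row_check check_row_fits(uint32_t width, uint16_t channels, uint16_t depth_bits,
                              unsigned format_bits_per_pixel, size_t *overrun)
{
    size_t written, allocated;
    *overrun = 0;
    if (header_row_bytes(width, channels, depth_bits, &written) != 0 ||
        format_row_bytes(width, format_bits_per_pixel, &allocated) != 0)
        return ROW_INVALID;
    if (written > allocated) {
        *overrun = written - allocated; /* bytes past the end of each row */
        return ROW_MISMATCH;
    }
    return ROW_OK;
}

int main(void)
{
    size_t over;
    /* Constructed input: the page's case, 3 channels x 16 bits against a 40-bit format. */
    return check_row_fits(100, 3, 16, 40, &over) == ROW_MISMATCH ? 0 : 1;
}
```

For the page's case the check reports a mismatch of one byte per pixel, so a decoder that runs it before the first row write rejects the file instead of writing past the allocation.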
Affected Systems
The vulnerability exists in the HappySeaFox:sail image processing library, which is used across multiple platforms for loading and saving images, supporting animation, metadata, and ICC profiles. All versions of sail released prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979 are susceptible; later versions contain the fix.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. No EPSS score is available, but that does not diminish the risk, especially when untrusted image files can be supplied to any application that uses sail. Because the overflow occurs deterministically on every row of a malformed PSD, exploitation requires only a crafted PSD document. As the library is widely used in image‑handling components, the attack vector is likely remote via malicious image delivery. The vulnerability has not yet been listed in CISA’s Known Exploited Vulnerabilities catalog, but its high severity warrants proactive remediation.