CVE-2026-27809
Unhandled ValueError in psd-tools RLE Decoding Causes Crash
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| psd-tools_project | psd-tools | to 1.12.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-27809 is a vulnerability in the psd-tools Python package, which is used to work with Adobe Photoshop PSD files. Prior to version 1.12.2, the package's RLE (Run-Length Encoding) decompression function decode_rle() would raise an uncaught ValueError when encountering malformed RLE-compressed image data, such as runs extending beyond the expected row size. This uncaught exception caused the psd.composite() function and export features to crash."}, {'type': 'paragraph', 'content': 'The vulnerability also includes issues with unbounded decompression of ZIP-compressed channels, which could lead to memory exhaustion or denial-of-service (DoS) attacks due to lack of output size limits during zlib decompression.'}, {'type': 'paragraph', 'content': 'The fix implemented in version 1.12.2 wraps decode_rle() calls in try/except blocks to catch these errors and gracefully fallback by replacing failed image channels with black pixels instead of crashing. Additional improvements include validating image dimensions and bit depth before decompression, replacing assert statements with explicit checks, and adding warnings when decompression falls back to black pixels.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact users by causing crashes in applications using psd-tools when processing malformed or malicious PSD files. Specifically, uncaught exceptions during RLE decompression can cause the application to terminate unexpectedly.
Additionally, the vulnerability allows crafted PSD files with ZIP-compressed channels to decompress into extremely large payloads, potentially exhausting system memory and causing denial-of-service (DoS) conditions.
There is also a risk of silent data degradation where malformed image data is replaced with black pixels without clear user notification, potentially leading to unnoticed visual corruption of images.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability in psd-tools manifests as crashes or silent degradation when processing malformed RLE-compressed PSD files. Detection can be done by monitoring for the new warning class PSDDecompressionWarning, which is emitted whenever decompression falls back to black pixels due to failure.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can run psd-tools operations (such as psd.composite() or export) on PSD files and watch for exceptions or warnings related to decompression failures.'}, {'type': 'paragraph', 'content': 'Since the fix introduces a UserWarning subclass PSDDecompressionWarning, you can enable Python warnings to be shown or logged by running your Python script with the warnings module configured, for example:'}, {'type': 'list_item', 'content': 'python -W default your_script.py'}, {'type': 'list_item', 'content': "Or inside your Python code, add:\nimport warnings\nwarnings.simplefilter('default', category=PSDDecompressionWarning)"}, {'type': 'paragraph', 'content': 'There are no specific network commands to detect this vulnerability since it is a local library issue, but you can check the installed psd-tools version to confirm if it is prior to 1.12.2, which is vulnerable:'}, {'type': 'list_item', 'content': 'pip show psd-tools'}, {'type': 'paragraph', 'content': 'If you want to test for the vulnerability, you can try processing known malformed PSD files that trigger the RLE decompression error and observe if the process crashes or raises ValueError exceptions.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the psd-tools package to version 1.12.2 or later, where the vulnerability has been fixed.
This update includes multiple fixes such as wrapping decode_rle() calls in try/except blocks to prevent crashes, adding dimension bounds validation, limiting decompression output size to prevent memory exhaustion, and emitting warnings on decompression fallback.
If upgrading immediately is not possible, consider the following temporary mitigations:
- Validate PSD files before processing to ensure they do not contain malformed or malicious RLE-compressed data.
- Configure your Python environment to catch and log PSDDecompressionWarning warnings to detect decompression issues early.
- Avoid processing untrusted or suspicious PSD files that could exploit this vulnerability.