CVE-2026-27809 in psd-tools
Summary
by MITRE • 02/26/2026
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises a ValueError that propagates all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when the result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
Analysis
by VulDB Data Team • 03/05/2026
The vulnerability identified as CVE-2026-27809 affects the psd-tools Python package, which serves as a library for processing Adobe Photoshop PSD files. This package is widely used in digital asset management systems, graphic design workflows, and content creation platforms where PSD file manipulation is required. The flaw stems from inadequate error handling within the RLE (Run-Length Encoding) decompression functionality, specifically in the decode_rle() function that processes compressed image data within PSD files. The issue manifests when malformed RLE-compressed data exists within PSD files, particularly when literal runs extend beyond expected row boundaries, causing the function to raise a ValueError exception.
Technically, the vulnerability is a failure to handle the exception raised while decompressing PSD image data. When decode_rle() encounters malformed data that violates the expected compression boundaries, it raises a ValueError that propagates up the call stack without being caught. The exception interrupts normal execution and makes psd.composite() and the psd-tools export functions crash outright, so the package cannot process the affected file at all. decompress() already contained a fallback that replaces failed channels with black pixels when the result is None, but that fallback was never reached, because the uncaught ValueError occurred before the None check could run.
The operational impact of this vulnerability extends beyond simple application crashes, potentially affecting critical workflows in creative industries and digital content production environments. Organizations relying on psd-tools for automated processing of PSD files may experience complete service disruption when encountering malformed files, leading to production delays and potential data loss. The vulnerability represents a classic case of insufficient exception handling that can be exploited through maliciously crafted PSD files, making it particularly concerning for systems that process untrusted input. This type of vulnerability aligns with CWE-703 (Improper Check or Handling of Exceptional Conditions) and demonstrates the importance of defensive programming practices in security-critical code paths.
The fix implemented in version 1.12.2 addresses this vulnerability by wrapping the decode_rle() function call within a try/except block, allowing the existing fallback mechanism to properly handle the error condition. This approach follows the principle of fail-safe error handling and demonstrates the importance of defensive programming patterns in preventing cascading failures. The solution ensures that when RLE decompression fails due to malformed data, the system gracefully degrades by falling back to the established black pixel replacement mechanism rather than crashing entirely. This remediation aligns with ATT&CK technique T1203 (Exploitation for Client Execution) by preventing the exploitation of input validation weaknesses, and with CWE-248 (Uncaught Exception) by ensuring proper exception handling throughout the codebase. Organizations should immediately upgrade to version 1.12.2 or later to mitigate this vulnerability and maintain the stability of their PSD processing workflows.
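The following is an added example, not psd-tools' own code, that models the failure mode the summary and analysis above describe: a simplified PackBits-style RLE row decoder that raises ValueError on a literal run extending past the row size, and a channel decompressor with the black-pixel fallback. The function names decode_rle and decompress are taken from the page, but their bodies here are constructed; the catch_decode_errors switch is an assumption used only to contrast the pre-1.12.2 behaviour (the exception propagates) with the fixed behaviour (the exception is caught and the existing fallback runs). The sample rows are constructed inline.

```python
from typing import List, Optional, Tuple

def decode_rle(data: bytes, size: int) -> bytes:
    """Decode one PackBits-compressed row into exactly `size` bytes.

    Constructed, simplified decoder (assumption: not psd-tools' own code).
    Header byte n (as signed int): 0..127 copies the next n+1 bytes literally,
    -1..-127 repeats the next byte 1-n times, -128 is a no-op.
    Raises ValueError when a run would overrun the row or the input is truncated.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n and len(out) < size:
        header = data[i]
        i += 1
        if header == 128:                     # signed -128: no-op byte
            continue
        if header < 128:                      # literal run of header + 1 bytes
            count = header + 1
            if len(out) + count > size:
                raise ValueError("literal run extends past row size")
            chunk = data[i:i + count]
            if len(chunk) != count:
                raise ValueError("truncated literal run")
            out += chunk
            i += count
        else:                                 # repeat run of 257 - header copies
            count = 257 - header
            if len(out) + count > size:
                raise ValueError("repeat run extends past row size")
            if i >= n:
                raise ValueError("truncated repeat run")
            out += bytes([data[i]]) * count
            i += 1
    if len(out) != size:
        raise ValueError("decoded %d bytes, expected %d" % (len(out), size))
    return bytes(out)

def decompress(rows: List[bytes], width: int,
               catch_decode_errors: bool = True) -> Tuple[List[bytes], List[Tuple[int, str]]]:
    """Decode every row of one channel, substituting black pixels for rows that fail.

    catch_decode_errors=False reproduces the pre-fix flow: decode_rle() never
    returns None, so the `result is None` fallback is dead code and the
    ValueError escapes to the caller. catch_decode_errors=True is the shape of
    the 1.12.2 fix: the exception is caught, result becomes None, and the
    existing fallback fills the row with zero bytes (black).
    Returns the decoded rows and a list of (row index, error) for failed rows,
    which is what a caller would log to notice malformed input.
    """
    channel: List[bytes] = []
    failures: List[Tuple[int, str]] = []
    for idx, row in enumerate(rows):
        result: Optional[bytes]
        if catch_decode_errors:
            try:
                result = decode_rle(row, width)
            except ValueError as exc:
                failures.append((idx, str(exc)))
                result = None
        else:
            result = decode_rle(row, width)   # pre-fix: error propagates here
        if result is None:
            result = bytes(width)             # black-pixel fallback
        channel.append(result)
    return channel, failures

# Constructed sample channel, 4 pixels wide: two well-formed rows and one
# whose literal run (6 bytes) extends past the 4-byte row.
WIDTH = 4
SAMPLE_ROWS = [
    b"\x03ABCD",       # literal run of 4 bytes
    b"\xfdZ",          # header 253 (-3): repeat 'Z' 4 times
    b"\x05ABCDEF",     # literal run of 6 bytes: malformed for a 4-byte row
]

if __name__ == "__main__":
    rows, failed = decompress(SAMPLE_ROWS, WIDTH)
    for i, r in enumerate(rows):
        print(i, r)
    print("failed rows:", failed)
    try:
        decompress(SAMPLE_ROWS, WIDTH, catch_decode_errors=False)
    except ValueError as exc:
        print("pre-fix behaviour, exception propagated:", exc)
```

The point of logging `failures` rather than silently blackening rows is that a file which repeatedly trips the fallback is worth flagging: graceful degradation keeps the pipeline up, but operators should still be able to see that malformed input arrived.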