
CVE-2026-27809

Severity: Medium · Public PoC referenced

Published: 26 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: psd-tools 1.12.2
CVSS v4.0 score: 6.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0041 (32.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-27809 is a medium-severity vulnerability, labelled Integer Overflow or Wraparound (CWE-190), in the psd-tools Python package (psd-tools project). Its CVSS v4.0 base score is 6.8 (Medium). The CWE-190 label aside, the behaviour actually described is an uncaught Python ValueError raised by decode_rle() on malformed RLE data, not memory corruption; the practical effect is a crash of the parsing application.

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE sits at the 32.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations identified here are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling), with SI-2 (Flaw Remediation) covering the upgrade to 1.12.2.

Deeper analysis

CVE-2026-27809 affects the psd-tools Python package, used for parsing Adobe Photoshop PSD files, in versions prior to 1.12.2. The vulnerability arises from unhandled malformed RLE-compressed image data in PSD files, for example a literal run that extends past the expected row size. Such data makes decode_rle() raise a ValueError that propagates uncaught through decompress(), psd.composite() and the psd-tools export functions, crashing the calling application. On the CVSS v3-style vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H the issue scores 9.1 (Critical), which is why the v3 and v4 ratings on this page differ; it is associated with CWE-190 (Integer Overflow or Wraparound), CWE-409 (Improper Handling of Highly Compressed Data) and other CWEs related to decoding errors.

An unauthenticated attacker can trigger the flaw with low complexity and no user interaction by supplying a crafted PSD file to any application, service or script that parses it with a vulnerable psd-tools version; the network vector reflects that such files are typically received from untrusted sources (uploads, e-mail attachments, shared storage). Successful exploitation causes denial of service through crashes in the affected functions. The CVSS vector records high integrity and availability impact and no confidentiality impact; in practice the observable effect is the availability loss, since the exception aborts the parse rather than altering data.

The GitHub security advisory (GHSA-24p2-j2jr-386w), the release notes for v1.12.2 and commit 6c0a78f195b5942757886a1863793fd5946c1fb1 detail the fix: the decode_rle() call is wrapped in a try/except block so that the existing decompress() fallback runs and replaces the failed channel with black pixels instead of letting the ValueError propagate. Practitioners should upgrade to psd-tools 1.12.2 or later (for example by pinning psd-tools>=1.12.2 in requirements files and checking deployed versions with pip show psd-tools), validate PSD inputs where possible, and catch exceptions around any code path that parses untrusted PSD files so a single bad file cannot take down a worker process. Note that the fix changes output rather than rejecting the file: a malformed channel now renders as black, so pipelines that depend on image fidelity may still want to detect and reject such files.


Vulnerability details

psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises a ValueError which propagates all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when the result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
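The following is an added example, written for this page, that models the failure mode described in the analysis and vulnerability details above and the shape of the 1.12.2 fix; it is not psd-tools' own code. decode_rle_row() is a simplified PackBits decoder standing in for psd-tools' decode_rle() (the real library's function names, signatures and row handling differ), the two decompress_channel_* functions model the before and after behaviour of decompress(), and find_malformed_rows() shows the SI-10-style pre-check referenced under mitigating controls. All byte strings are constructed for the example.

```python
"""Added illustration of the CVE-2026-27809 failure mode and the 1.12.2 fix.

This is NOT psd-tools' own code. decode_rle_row() is a simplified PackBits
decoder standing in for psd-tools' decode_rle(); the real library's function
names, signatures and row handling differ. All byte strings are constructed.
"""

ROW_SIZE = 4  # bytes per decoded row in the constructed samples


def decode_rle_row(data: bytes, row_size: int) -> bytes:
    """Decode one PackBits-compressed row into exactly row_size bytes.

    Raises ValueError for malformed input: a literal or repeat run that would
    extend past the row, a run cut off by the end of the data, or a row that
    ends before row_size bytes have been produced.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        header = data[i]
        i += 1
        if header == 128:                 # PackBits no-op byte
            continue
        if header < 128:                  # literal run: copy header+1 bytes
            count = header + 1
            chunk = data[i:i + count]
            if len(chunk) != count:
                raise ValueError("literal run truncated by end of data")
            i += count
        else:                             # repeat run: next byte 257-header times
            count = 257 - header
            if i >= len(data):
                raise ValueError("repeat run has no value byte")
            chunk = bytes([data[i]]) * count
            i += 1
        if len(out) + len(chunk) > row_size:
            # The advisory's case: a run that extends past the row end.
            raise ValueError(
                f"run of {len(chunk)} bytes extends past row size {row_size}"
            )
        out += chunk
    if len(out) != row_size:
        raise ValueError(f"row decoded to {len(out)} bytes, expected {row_size}")
    return bytes(out)


def decompress_channel_unpatched(rows, row_size):
    """Pre-1.12.2 behaviour (modelled): the ValueError escapes to the caller,
    which in psd-tools meant psd.composite() and export functions crashed."""
    return b"".join(decode_rle_row(row, row_size) for row in rows)


def decompress_channel_patched(rows, row_size):
    """1.12.2 behaviour (modelled): the decode call is wrapped in try/except so
    the existing 'black channel' fallback runs instead of propagating."""
    try:
        result = b"".join(decode_rle_row(row, row_size) for row in rows)
    except ValueError:
        result = None
    if result is None:
        result = b"\x00" * (row_size * len(rows))  # black pixels for the channel
    return result


def find_malformed_rows(rows, row_size):
    """SI-10-style pre-check: return the indices of rows that will not decode,
    so a caller can reject the file before handing it to the image pipeline."""
    bad = []
    for idx, row in enumerate(rows):
        try:
            decode_rle_row(row, row_size)
        except ValueError:
            bad.append(idx)
    return bad


def raises_value_error(fn, *args):
    """Helper: True if calling fn(*args) raises ValueError (i.e. would crash)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed samples (row_size = 4).
GOOD_ROWS = [
    bytes([3, 0x10, 0x20, 0x30, 0x40]),  # literal run of 4 bytes
    bytes([0xFD, 0xFF]),                 # 0xFD -> repeat 0xFF 257-253 = 4 times
]
# Second row carries a 5-byte literal run for a 4-byte row: the advisory's case.
MALFORMED_ROWS = [
    bytes([3, 0x10, 0x20, 0x30, 0x40]),
    bytes([4, 0x01, 0x02, 0x03, 0x04, 0x05]),
]

if __name__ == "__main__":
    print(decompress_channel_unpatched(GOOD_ROWS, ROW_SIZE).hex())
    print("unpatched crashes on malformed input:",
          raises_value_error(decompress_channel_unpatched, MALFORMED_ROWS, ROW_SIZE))
    print("patched falls back to black channel:",
          decompress_channel_patched(MALFORMED_ROWS, ROW_SIZE).hex())
    print("rows to reject up front:", find_malformed_rows(MALFORMED_ROWS, ROW_SIZE))
```

The point of the pre-check is the caveat from the analysis: the upstream fix converts a crash into a silently black channel, so a service that must not accept corrupt images should run a decode-and-reject pass (or its own try/except around the psd-tools call) rather than relying on the library fallback alone.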

CWE(s): CWE-190 (Integer Overflow or Wraparound), CWE-409 (Improper Handling of Highly Compressed Data)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a parsing flaw in psd-tools that allows remote attackers to supply a crafted PSD file and trigger an unhandled exception, directly causing application crashes. This maps to T1499.004 (Application or System Exploitation) under Endpoint Denial of Service, as the CVSS impact and description explicitly highlight availability/integrity loss via exploitation without code execution or other effects.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62600 (shared CWE-190, CWE-789)
CVE-2025-62599 (shared CWE-190, CWE-789)
CVE-2026-44902 (shared CWE-755)
CVE-2023-37017 (shared CWE-617)
CVE-2026-8852 (shared CWE-617)
CVE-2026-23555 (shared CWE-617)
CVE-2026-24210 (shared CWE-190)
CVE-2026-20048 (shared CWE-789)
CVE-2026-28952 (shared CWE-190)
CVE-2024-11864 (shared CWE-755)

Affected Assets

psd-tools project: psd-tools, versions prior to 1.12.2 (fixed in 1.12.2)

Mitigating Controls (NIST 800-53 r5)

SI-11 Error Handling (prevent): requires graceful error handling that prevents application crashes from unhandled exceptions like the ValueError triggered by malformed RLE data in psd-tools.

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation, such as upgrading psd-tools to version 1.12.2 or later, which fixes the uncaught ValueError propagation.

SI-10 Information Input Validation (prevent): enforces validation of PSD file inputs to reject malformed RLE-compressed data before processing, preventing exploitation crashes.
