CVE-2026-27809
Published: 26 February 2026
Summary
CVE-2026-27809 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Psd-Tools Project Psd-Tools. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-11 requires graceful error handling that prevents application crashes from unhandled exceptions like the ValueError triggered by malformed RLE data in psd-tools.
SI-2 mandates timely flaw remediation, such as upgrading psd-tools to version 1.12.2 or later, which fixes the uncaught ValueError propagation.
SI-10 enforces validation of PSD file inputs to reject malformed RLE-compressed data before processing, preventing exploitation crashes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a parsing flaw in psd-tools that allows remote attackers to supply a crafted PSD file and trigger an unhandled exception, directly causing application crashes. This maps to T1499.004 (Application or System Exploitation) under Endpoint Denial of Service, as the CVSS impact and description explicitly highlight availability/integrity loss via exploitation without code execution or other effects.
NVD Description
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
Deeper analysis
CVE-2026-27809 affects the psd-tools Python package, used for parsing Adobe Photoshop PSD files, in versions prior to 1.12.2. The vulnerability arises from unhandled malformed RLE-compressed image data in PSD files, such as a literal run extending past the expected row size. This triggers a ValueError in the decode_rle() function, which propagates uncaught through decompress(), psd.composite(), and psd-tools export functions, resulting in application crashes. The issue is rated at CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWEs including CWE-190 (Integer Overflow), CWE-409 (Improper Handling of Highly Compressed Data), and others related to decoding errors.
An unauthenticated attacker over the network with low complexity and no user interaction can exploit this by supplying a specially crafted PSD file to any application or script using vulnerable psd-tools versions. Successful exploitation causes denial of service via crashes in affected functions, with high impact on integrity and availability per the CVSS score, though no confidentiality impact is noted.
The GitHub security advisory (GHSA-24p2-j2jr-386w), release notes for v1.12.2, and commit 6c0a78f195b5942757886a1863793fd5946c1fb1 detail the fix: wrapping the decode_rle() call in a try/except block to trigger the existing decompress() fallback, which replaces failed channels with black pixels instead of propagating the ValueError. Security practitioners should upgrade to psd-tools 1.12.2 or later and validate PSD inputs where possible.
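The crash-and-fallback behaviour described above, as an added example (not psd-tools' own code): a simplified PackBits-style decode_rle() that raises ValueError on a literal run overrunning the row, beside a pre-fix decompress() whose black-pixel fallback never runs and a post-fix version that catches the error the way the 1.12.2 change does. Function names follow the advisory; their signatures, internals and the sample rows are assumptions.

```python
# Added illustration, not psd-tools' own code: a minimal PackBits-style RLE row decoder
# and the pre-/post-fix decompress() patterns the advisory describes (internals assumed).

def decode_rle(data: bytes, row_size: int) -> bytes:
    """Decode one PackBits row; raise ValueError if any run overruns row_size."""
    out, i = bytearray(), 0
    while i < len(data):
        n, i = data[i], i + 1
        if n < 128:                                   # literal run of n+1 bytes
            chunk = data[i:i + n + 1]
            if len(chunk) != n + 1 or len(out) + len(chunk) > row_size:
                raise ValueError("literal run extends past expected row size")
            out += chunk
            i += n + 1
        elif n > 128:                                 # repeat next byte 257-n times
            count = 257 - n
            if i >= len(data) or len(out) + count > row_size:
                raise ValueError("repeat run extends past expected row size")
            out += bytes([data[i]]) * count
            i += 1                                    # (n == 128 is a PackBits no-op)
    if len(out) != row_size:
        raise ValueError("decoded row length mismatch")
    return bytes(out)

def decompress_vulnerable(rows, row_size):  # pre-1.12.2: fallback exists, ValueError escapes
    channel = []
    for row in rows:
        result = decode_rle(row, row_size)            # uncaught ValueError crashes the caller
        channel.append(result if result is not None else b"\x00" * row_size)
    return b"".join(channel)

def decompress_fixed(rows, row_size):  # 1.12.2: catch ValueError so the fallback runs
    channel = []
    for row in rows:
        try:
            result = decode_rle(row, row_size)
        except ValueError:
            result = None                             # fall through to black pixels
        channel.append(result if result is not None else b"\x00" * row_size)
    return b"".join(channel)

def crashes(decompress, rows, row_size) -> bool:  # does the error escape to the caller?
    try:
        decompress(rows, row_size)
    except ValueError:
        return True
    return False
# Constructed sample rows for row_size = 4 (not taken from a real PSD file).
GOOD_ROW = bytes([0x03, 0x10, 0x20, 0x30, 0x40])     # literal run of exactly 4 bytes
BAD_ROW = bytes([0x05, 1, 2, 3, 4, 5, 6])            # literal run of 6 bytes > row_size
```

With the pre-fix pattern a single malformed row aborts the whole composite; with the fix that row is rendered black and processing continues.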
Details
- CWE(s)