PT-2026-22058 · Pypi · Psd-Tools
Kyamagup · Published 2026-02-25 · Updated 2026-03-03 · CVE-2026-27809
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: psd-tools versions prior to 1.12.2
Description: psd-tools, a Python package for working with Adobe Photoshop PSD files, contains multiple issues. A lack of a length cap on zlib.decompress can lead to denial of service or out-of-memory crashes when processing crafted PSD files containing ZIP-compressed channels. There is no upper-bound validation on image dimensions before memory allocation, which could lead to crashes when processing malformed or adversarially crafted PSB files. An assert statement is used as a runtime integrity check, which can be disabled, potentially leading to silent errors. There is a type mismatch between cdef int indices and the Py_ssize_t size in the Cython decoder. Silent data degradation occurs when malformed channel data is replaced with zero-padded pixels, which is only indicated by a log message. Finally, the return type of the encode() function in the Cython code is inconsistent.
Recommendations: Update versions prior to 1.12.2 to version 1.12.2 or later.
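As an added example (not psd-tools' own code, nor its 1.12.2 fix), the following defensive channel reader shows the three controls the description calls for: bounding image dimensions before any allocation, capping zlib output instead of calling zlib.decompress unbounded, and treating a short channel as an error rather than zero-padding it. The limits, function names and sample inputs are constructed for illustration.

```python
import zlib

# Constructed limits for this example; they are not psd-tools' own constants.
MAX_SIDE_PX = 300_000          # hypothetical per-side ceiling on width/height
MAX_CHANNEL_BYTES = 256 << 20  # hypothetical ceiling on one decoded channel

def channel_size(width: int, height: int, depth_bits: int) -> int:
    """Byte size of one raw channel, validated before anything is allocated.
    A header that claims absurd dimensions is rejected here, not at malloc time."""
    if depth_bits not in (1, 8, 16, 32):
        raise ValueError(f"unsupported depth {depth_bits}")
    if not (0 < width <= MAX_SIDE_PX and 0 < height <= MAX_SIDE_PX):
        raise ValueError(f"dimensions out of range: {width}x{height}")
    size = ((width * depth_bits + 7) // 8) * height  # rows are byte-aligned
    if size > MAX_CHANNEL_BYTES:
        raise ValueError(f"channel of {size} bytes exceeds cap")
    return size

def decompress_bounded(data: bytes, limit: int) -> bytes:
    """Inflate data, refusing to emit more than limit bytes.
    zlib.decompress() has no output cap, so a few KB of input may expand to
    gigabytes; a decompressobj with max_length stops once the budget is hit."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while True:
        # Request one byte beyond the budget so an overrun is detectable.
        chunk = d.decompress(buf, max_length=limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise ValueError(f"decompressed data exceeds {limit} bytes")
        if d.eof:
            return bytes(out)
        buf = d.unconsumed_tail
        if not buf and not chunk:
            raise ValueError("truncated zlib stream")

def read_zip_channel(compressed: bytes, width: int, height: int, depth_bits: int) -> bytes:
    """Decode one ZIP-compressed channel; a size mismatch is an error, not zero padding."""
    expected = channel_size(width, height, depth_bits)
    raw = decompress_bounded(compressed, expected)
    if len(raw) != expected:
        raise ValueError(f"channel holds {len(raw)} bytes, expected {expected}")
    return raw

# Constructed sample inputs: a valid 4x3 8-bit channel, and ~8 KB that inflates to 8 MiB.
SAMPLE_CHANNEL = zlib.compress(bytes(range(12)))
BOMB = zlib.compress(b"\x00" * (8 << 20))
```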

Assertion Failure

Integer Overflow

Improper Handling of Exceptional Conditions

Incorrect Type Conversion or Cast

Related Identifiers

CVE-2026-27809
GHSA-24P2-J2JR-386W

Affected Products

Psd-Tools