DEBIAN-CVE-2026-27809
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-27809
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27809.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-27809
- Upstream
- Published
- 2026-02-26T00:16:26.233Z
- Modified
- 2026-02-28T03:41:37.780953Z
- Severity
-
- 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- [none]
- Details
-
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decoderle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decoderle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
- References
Affected packages
Debian:12 / psd-tools
Package
- Name
- psd-tools
- Purl
- pkg:deb/debian/psd-tools?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Debian:13 / psd-tools
Package
- Name
- psd-tools
- Purl
- pkg:deb/debian/psd-tools?arch=source
Debian:14 / psd-tools
Package
- Name
- psd-tools
- Purl
- pkg:deb/debian/psd-tools?arch=source