UBUNTU-CVE-2026-27809

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-27809

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27809.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-27809

Upstream

CVE-2026-27809

Published

2026-02-26T00:16:00Z

Modified

2026-03-05T12:29:35Z

Severity

6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decoderle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decoderle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.

References

Affected packages

Ubuntu:24.04:LTS / psd-tools

Package

Name: psd-tools
Purl: pkg:deb/ubuntu/psd-tools@1.9.30+dfsg.1-1build1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.9.28+dfsg.1-1

1.9.28+dfsg.1-1build1

1.9.30+dfsg.1-1

1.9.30+dfsg.1-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-psd-tools",
            "binary_version": "1.9.30+dfsg.1-1build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27809.json"

Ubuntu:25.10 / psd-tools