CVE-2026-27809: psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps
A security review of the psd_tools.compression module (conducted against the fix/invalid-rle-compression branch, commits 7490ffa–2a006f5) identified the following pre-existing issues. The two findings introduced and fixed by those commits (Cython buffer overflow, IndexError on lone repeat header) are excluded from this report.
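One way to close the two gaps the title names (unbounded inflate and missing dimension validation), written as an added defender's example for this report rather than psd-tools' own code: the exact channel size is derived from the declared geometry and bit depth first, and the zlib decoder is then bounded to that size, so a stream that disagrees with the header is rejected without ever materialising its full output. Function names, the accepted bit-depth set, the default dimension cap and the sample streams are this example's own assumptions.

```python
import zlib

class ChannelDataError(ValueError):
    """Raised when channel dimensions or compressed data are unsafe."""

def expected_channel_size(width, height, depth, max_dim=30000):
    """Exact byte length one channel must decode to, checked before any
    allocation. max_dim defaults to the 30,000 px limit of the PSD format
    (PSB allows 300,000); pass the right one for the file being parsed."""
    if depth not in (1, 8, 16, 32):
        raise ChannelDataError(f"unsupported bit depth {depth}")
    if not (0 < width <= max_dim and 0 < height <= max_dim):
        raise ChannelDataError(f"bad dimensions {width}x{height}")
    row_bytes = (width * depth + 7) // 8  # 1-bit rows are byte-padded
    return row_bytes * height

def decompress_channel(data, width, height, depth, max_dim=30000):
    """Inflate one zlib-compressed channel with a hard output bound.

    zlib.decompress() would inflate whatever the stream declares, so a few
    KiB of input can expand to gigabytes. Here the decoder stops at
    expected + 1 bytes: any byte past `expected` proves the stream does not
    match the declared dimensions, and we bail before allocating more."""
    expected = expected_channel_size(width, height, depth, max_dim)
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, expected + 1)
    except zlib.error as exc:
        raise ChannelDataError(f"corrupt zlib stream: {exc}") from exc
    if len(out) > expected or d.unconsumed_tail:
        raise ChannelDataError("output exceeds declared dimensions")
    if len(out) < expected or not d.eof:
        raise ChannelDataError("truncated channel data")
    return out

# Constructed inputs: a 64x64 8-bit channel, and a stream that inflates to
# 1 MiB of zeros while claiming the same 64x64 geometry.
SAMPLE_RAW = bytes(range(256)) * 16
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_RAW)
OVERSIZED_STREAM = zlib.compress(b"\x00" * (1 << 20))

if __name__ == "__main__":
    assert decompress_channel(SAMPLE_COMPRESSED, 64, 64, 8) == SAMPLE_RAW
    for bad in (OVERSIZED_STREAM, SAMPLE_COMPRESSED[:-4]):
        try:
            decompress_channel(bad, 64, 64, 8)
        except ChannelDataError as exc:
            print("rejected:", exc)
```

The bound only limits what a stream may inflate to relative to its header; a header that honestly declares a huge, in-range image still costs width × height bytes, so callers that cannot afford that should lower max_dim.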
References
- github.com/advisories/GHSA-24p2-j2jr-386w
- github.com/psd-tools/psd-tools
- github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1
- github.com/psd-tools/psd-tools/releases/tag/v1.12.2
- github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w
- nvd.nist.gov/vuln/detail/CVE-2026-27809