CVE-2025-53085

NameCVE-2025-53085
DescriptionA memory corruption vulnerability exists in the PSD RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1112346

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sail (PTS)trixie0.9.8-1vulnerable
forky, sid0.9.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sailsource(unstable)0.9.9-11112346

Notes

[trixie] - sail <no-dsa> (Minor issue)
https://talosintelligence.com/vulnerability_reports/TALOS-2025-2219
https://github.com/HappySeaFox/sail/issues/227
Tests: https://github.com/HappySeaFox/sail/commit/463a80236406a52f59e34f9a4ff0327a3995862b
Search for package or bug name: Reporting problems