CVE-2025-53085: 
Homebrew vulnerability analysis and mitigation

A memory corruption vulnerability (CVE-2025-53085) exists in the PSD RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. The vulnerability was discovered by a member of Cisco Talos and disclosed on August 25, 2025 (Talos Report, NVD).

The vulnerability occurs in the PSD RLE Decoding functionality when processing run-length encoded image data. The issue arises when calculating the number of bytes to fill during the decoding process, where the implementation does not properly accommodate for the size of the heap buffer that was calculated using the image dimensions. This results in a heap-based buffer overflow condition. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is classified as CWE-122 (Heap-based Buffer Overflow) (Talos Report).

The vulnerability can lead to remote code execution under the context of the library when processing a specially crafted PSD file. An attacker needs to convince the library to read a malicious file to trigger this vulnerability (Talos Report).

The vulnerability was patched by the vendor on July 30, 2025, following the initial disclosure to the vendor on July 29, 2025. Users should update to a version newer than SAIL Image Decoding Library v0.9.8 to address this vulnerability (Talos Report).