Cisco Talos recently discovered a use-after-free vulnerability in Accusoft ImageGear’s PSD header processing function.
The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF and Microsoft Office.
This vulnerability, TALOS-2022-1526 (CVE-2022-29465), could allow an attacker to trigger a use-after-free condition by tricking the targeted user into opening a malformed .psd file in the application. The use-after-free results in out-of-bounds heap writes, which cause memory corruption and, possibly, code execution.
In adherence to Cisco’s vulnerability disclosure policy, Accusoft patched this issue and released an update for ImageGear.