GIMP
CVE-2026-0797
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
File delivered over network but requires the user to open it (UI:R) with no privileges (PR:N); memory-corruption RCE in-process yields high C/I/A with no scope change.
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (trendmicro).
CVSS VectorVendor: trendmicro
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.
AnalysisAI
Remote code execution in GIMP 3.2.0-rc1 lets attackers run arbitrary code by tricking a user into opening a malicious ICO image file or visiting a page that delivers one. The flaw is a heap-based buffer overflow in the ICO file parser caused by missing length validation before a copy operation, and it executes code in the context of the GIMP process. No public exploit has been identified at time of analysis, and EPSS estimates exploitation probability at just 0.06% (19th percentile), consistent with a user-interaction-gated client-side bug rather than mass-exploited infrastructure.
Technical ContextAI
GIMP (GNU Image Manipulation Program) is a widely used open-source raster graphics editor; the affected component is its ICO (Windows icon) file import plug-in. The root cause is classified as CWE-122 (Heap-based Buffer Overflow): the parser copies user-supplied data into a heap allocation without first validating that the declared length fits the destination buffer, allowing adjacent heap memory to be corrupted. The CPE string cpe:2.3:a:gimp:gimp:3.2.0:rc1 identifies the 3.2.0 release candidate 1 build as affected. Because image-format plug-ins process attacker-controlled structure fields (dimensions, data lengths) directly from the file, a malformed ICO can drive the overflow during what looks like an ordinary file open. The issue was discovered through Trend Micro's Zero Day Initiative (ZDI-CAN-28599 / ZDI-26-050).
RemediationAI
Apply the upstream fix from GNOME GitLab commit 69cc6b1a6645dc9c4d7b484483dbe6a84b922b9c by upgrading to a GIMP build that incorporates it; because the affected version is the 3.2.0-rc1 pre-release, move to the patched 3.2.0 stable/RC build or your distribution's updated package. Patch available per vendor advisory - on Red Hat systems install the updates from the relevant RHSA errata (e.g. RHSA-2026:4173 and the 5388-5437 series at https://access.redhat.com/security/cve/CVE-2026-0797), and on SUSE apply SUSE-SU-2026:0442 (https://www.suse.com/support/update/SUSE-SU-2026:0442/). Until patched, the practical compensating control is to avoid opening untrusted ICO files in GIMP and to treat ICO attachments and downloads from unknown sources as hostile; you can also restrict GIMP's handling of the .ico MIME type or remove/disable the ICO import plug-in if your workflow does not need it, accepting the trade-off that legitimate icon editing will break. Standard ZDI/vendor advisory references: https://www.zerodayinitiative.com/advisories/ZDI-26-050/ and https://vuldb.com/?id.343588.
Buffer overflow in the readstr_upto function in plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and p
Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attack
In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_data in plug-ins/common/file-psp.c. Rated high sev
fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and applic
An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via
GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Rated medium severity (CVSS 5.5), this vulnerability is no a
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that alre
Critical remote code execution vulnerability in GIMP's ICO file parser caused by an integer overflow (CWE-190) that lack
Remote code execution in GIMP 3.0.6 allows attackers to run arbitrary code by tricking a user into opening a malicious P
Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cau
Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-contro
GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnera
Same weakness CWE-122 – Heap-based Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today