Skip to main content

GIMP CVE-2026-0797

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-02-20 zdi-disclosures@trendmicro.com
8.8
CVSS 3.1 · Vendor: trendmicro
Share

Severity by source

Vendor (trendmicro) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

File delivered over network but requires the user to open it (UI:R) with no privileges (PR:N); memory-corruption RCE in-process yields high C/I/A with no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (trendmicro).

CVSS VectorVendor: trendmicro

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 05:35 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:35 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:34 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
7.8 (HIGH) 8.8 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:04 vuln.today
Patch released
Feb 24, 2026 - 21:43 nvd
Patch available
CVE Published
Feb 20, 2026 - 22:16 nvd
HIGH 7.8

DescriptionCVE.org

GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.

AnalysisAI

Remote code execution in GIMP 3.2.0-rc1 lets attackers run arbitrary code by tricking a user into opening a malicious ICO image file or visiting a page that delivers one. The flaw is a heap-based buffer overflow in the ICO file parser caused by missing length validation before a copy operation, and it executes code in the context of the GIMP process. No public exploit has been identified at time of analysis, and EPSS estimates exploitation probability at just 0.06% (19th percentile), consistent with a user-interaction-gated client-side bug rather than mass-exploited infrastructure.

Technical ContextAI

GIMP (GNU Image Manipulation Program) is a widely used open-source raster graphics editor; the affected component is its ICO (Windows icon) file import plug-in. The root cause is classified as CWE-122 (Heap-based Buffer Overflow): the parser copies user-supplied data into a heap allocation without first validating that the declared length fits the destination buffer, allowing adjacent heap memory to be corrupted. The CPE string cpe:2.3:a:gimp:gimp:3.2.0:rc1 identifies the 3.2.0 release candidate 1 build as affected. Because image-format plug-ins process attacker-controlled structure fields (dimensions, data lengths) directly from the file, a malformed ICO can drive the overflow during what looks like an ordinary file open. The issue was discovered through Trend Micro's Zero Day Initiative (ZDI-CAN-28599 / ZDI-26-050).

RemediationAI

Apply the upstream fix from GNOME GitLab commit 69cc6b1a6645dc9c4d7b484483dbe6a84b922b9c by upgrading to a GIMP build that incorporates it; because the affected version is the 3.2.0-rc1 pre-release, move to the patched 3.2.0 stable/RC build or your distribution's updated package. Patch available per vendor advisory - on Red Hat systems install the updates from the relevant RHSA errata (e.g. RHSA-2026:4173 and the 5388-5437 series at https://access.redhat.com/security/cve/CVE-2026-0797), and on SUSE apply SUSE-SU-2026:0442 (https://www.suse.com/support/update/SUSE-SU-2026:0442/). Until patched, the practical compensating control is to avoid opening untrusted ICO files in GIMP and to treat ICO attachments and downloads from unknown sources as hostile; you can also restrict GIMP's handling of the .ico MIME type or remove/disable the ICO import plug-in if your workflow does not need it, accepting the trade-off that legitimate icon editing will break. Standard ZDI/vendor advisory references: https://www.zerodayinitiative.com/advisories/ZDI-26-050/ and https://vuldb.com/?id.343588.

More in Gimp

View all
CVE-2012-2763 HIGH POC
7.5 Jul 12

Buffer overflow in the readstr_upto function in plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and p

CVE-2012-5576 HIGH POC
7.5 Dec 18

Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attack

CVE-2017-17789 HIGH POC
7.8 Dec 20

In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_data in plug-ins/common/file-psp.c. Rated high sev

CVE-2012-3236 MEDIUM POC
4.3 Jul 12

fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and applic

CVE-2022-32990 MEDIUM POC
5.5 Jun 24

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via

CVE-2022-30067 MEDIUM POC
5.5 May 17

GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Rated medium severity (CVSS 5.5), this vulnerability is no a

CVE-2018-12713 CRITICAL
9.1 Jun 24

GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that alre

CVE-2025-5473 HIGH
8.8 Jun 06

Critical remote code execution vulnerability in GIMP's ICO file parser caused by an integer overflow (CWE-190) that lack

CVE-2026-2044 HIGH
8.8 Feb 20

Remote code execution in GIMP 3.0.6 allows attackers to run arbitrary code by tricking a user into opening a malicious P

CVE-2016-4994 HIGH
7.8 Jul 12

Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cau

CVE-2026-2050 HIGH
7.8 Jun 24

Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-contro

CVE-2025-2760 HIGH
7.8 Apr 23

GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnera

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Leap 15.6 Fixed

Share

CVE-2026-0797 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy