
GIMP CVE-2026-2049

EUVD-2026-36156 · HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-10 · zdi · GHSA-m2vh-q87q-6r5q
7.8 (CVSS 3.0) · Vendor: zdi

Severity by source

Vendor (zdi), primary: 7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI: 7.8 HIGH

File must be opened locally by the user (AV:L, UI:R); no prior privileges needed (PR:N); parsing is deterministic (AC:L); arbitrary code execution yields full CIA impact in user context (C:H/I:H/A:H, S:U).

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zdi).

CVSS Vector (Vendor: zdi)

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 10, 2026 - 22:01 (vuln.today)

Description (CVE.org)

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618.

Analysis (AI)

Arbitrary code execution in GIMP via malicious HDR (High Dynamic Range) image files allows attackers to run code in the context of the user opening the file. The flaw is a heap-based buffer overflow (CWE-122) in the HDR parser, requiring the victim to open a crafted file or visit a malicious page that delivers one. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft malicious HDR file
Delivery: Deliver via phishing or download
Exploit: Victim opens file in GIMP
Execution: Trigger heap overflow in GEGL HDR parser
Persist: Hijack control flow
Impact: Execute code as current user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the victim to open a maliciously crafted Radiance HDR (.hdr) file in GIMP or trigger the GEGL HDR loader through an application that uses it; the CVSS UI:R metric confirms required user interaction, so silent or drive-by exploitation against a stock GIMP install is not in scope. …

Risk Assessment: The CVSS 3.0 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 7.8) reflects a local attack vector with required user interaction but full CIA impact at the executing user's privilege level - typical of client-side file-format bugs. …

Exploit Scenario: An attacker crafts a malicious .hdr file with an oversized field that overflows the heap buffer in GEGL's HDR loader, then delivers it via phishing email, a watering-hole download site, or a shared asset repository used by designers. When the victim opens the file in GIMP - or in any other application that calls the vulnerable GEGL loader - the overflow corrupts heap metadata and is steered into arbitrary code execution in the victim's user context. …

Remediation: No vendor-released patch identified at time of analysis - the GEGL upstream tracker (https://gitlab.gnome.org/GNOME/gegl/-/issues/450) is the authoritative location to monitor for a fixed GEGL release and corresponding GIMP version, and the ZDI advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-214/ should be checked for vendor coordination updates. …

Recommended Action (AI)

Within 24 hours: Issue security alert to all GIMP users, advise against opening HDR files from untrusted sources. …

