Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
File must be opened locally so AV:L and UI:R; no privileges needed (PR:N), and code execution as the user yields full C/I/A impact within unchanged scope.
Primary rating from Vendor (zdi).
CVSS VectorVendor: zdi
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28266.
AnalysisAI
Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-controlled length data is copied into an undersized heap buffer without bounds validation. Any user who opens a maliciously crafted HDR image (or visits a page that delivers one) can be exploited, with code running in the context of the GIMP process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open or load a specially crafted HDR (Radiance/RGBE) image file in GIMP - the malicious data must traverse the GEGL HDR parsing path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8) describes a local, file-open-driven flaw with high impact to confidentiality, integrity, and availability but requiring user interaction - consistent with a client-side document-parsing bug rather than a remotely reachable service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious HDR image and delivers it via a phishing email attachment or a web page that auto-downloads it, then lures a victim into opening the file in GIMP. Parsing the file overflows a heap buffer and lets the attacker execute code as the victim's user account. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - the correction has been merged in GEGL via merge request 241 (https://gitlab.gnome.org/GNOME/gegl/-/merge_requests/241), so upgrade GIMP and its bundled GEGL to a build that incorporates that merge once your distribution publishes it, and consult ZDI-26-282 (https://www.zerodayinitiative.com/advisories/ZDI-26-282/) for tracking. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and notify all GIMP users, especially those handling external images or in design/documentation roles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Buffer overflow in the readstr_upto function in plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and p
Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attack
In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_data in plug-ins/common/file-psp.c. Rated high sev
fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and applic
An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via
GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Rated medium severity (CVSS 5.5), this vulnerability is no a
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that alre
Critical remote code execution vulnerability in GIMP's ICO file parser caused by an integer overflow (CWE-190) that lack
Remote code execution in GIMP 3.0.6 allows attackers to run arbitrary code by tricking a user into opening a malicious P
Remote code execution in GIMP 3.2.0-rc1 lets attackers run arbitrary code by tricking a user into opening a malicious IC
Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cau
GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnera
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Not-Affected |
| openSUSE Leap 15.4 | Not-Affected |
| openSUSE Leap 15.5 | Not-Affected |
| openSUSE Leap 15.6 | Not-Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39130
GHSA-j4fq-jj5r-8w3h