Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string function when processing a specially crafted PSD (Photoshop Document) file. This occurs because the buffer allocated for a Pascal string is not properly null-terminated, leading to an out-of-bounds read when strlen() is subsequently called. Successfully exploiting this vulnerability can cause the application to crash, resulting in an application level Denial of Service.
AnalysisAI
GIMP's PSD file parser crashes when processing specially crafted Photoshop documents due to improper null-termination in the fread_pascal_string function, allowing local authenticated users to trigger a denial of service. The vulnerability affects GIMP across Red Hat Enterprise Linux 7, 8, and 9, as well as multiple Debian and Ubuntu releases tracked by their respective security teams. While the CVSS score is low (2.8), the widespread distribution across major Linux vendors and confirmed advisory issuance from Red Hat, Debian, and SUSE indicates this merits coordinated patching despite limited exploitability constraints.
Technical ContextAI
The vulnerability exists in GIMP's PSD (Photoshop Document) file format handler, specifically within the fread_pascal_string function responsible for parsing Pascal-format strings embedded in PSD file structures. Pascal strings are length-prefixed byte sequences commonly used in binary file formats; the flaw occurs when the buffer allocated to store such a string is not properly null-terminated before strlen() is invoked on it, creating a classic heap buffer over-read condition (CWE-170: Improper Null Termination). The affected products span Red Hat Enterprise Linux 7, 8, and 9 (cpe:2.3:a:red_hat:red_hat_enterprise_linux_7:*:*:*:*:*:*:*:*, cpe:2.3:a:red_hat:red_hat_enterprise_linux_8:*:*:*:*:*:*:*:*, and cpe:2.3:a:red_hat:red_hat_enterprise_linux_9:*:*:*:*:*:*:*:*), as well as Debian and Ubuntu systems where GIMP is installed. The root cause is a memory safety violation typical of C/C++ image processing codebases handling untrusted binary formats.
RemediationAI
Apply vendor-provided security updates immediately for your distribution: Red Hat users should consult https://access.redhat.com/security/cve/CVE-2026-2239 for RHEL 7, 8, and 9 patch packages; Debian users should apply DLA-4483-1 (for Debian 9 LTS) or DSA-6139-1 (for Debian 10 and later); Ubuntu users should check their distribution's security updates; SUSE users should apply SUSE-SU-2026:0604. Until patching is complete, restrict PSD file opening to trusted sources and educate users not to open PSD files from untrusted origins. No workarounds beyond file restriction are practical given the vulnerability's location in core parsing logic. If GIMP is not essential, temporary removal from systems not requiring it is a valid interim mitigation. Verify patch deployment via package manager confirmation (e.g., apt-cache policy gimp on Debian/Ubuntu or rpm -qi gimp on Red Hat systems) and confirm the version matches the vendor's published fix version once advisory details are fully released.
More in Red Hat Enterprise Linux 7
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Same weakness CWE-170 – Improper Null Termination
View allSame technique Buffer Overflow
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
Bug #1127838| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.10.22-4+deb11u6 | - |
| bullseye (security) | fixed | 2.10.22-4+deb11u7 | - |
| bookworm | fixed | 2.10.34-1+deb12u8 | - |
| bookworm (security) | fixed | 2.10.34-1+deb12u9 | - |
| trixie (security), trixie | fixed | 3.0.4-3+deb13u7 | - |
| forky | fixed | 3.2.0~RC3-1 | - |
| sid | fixed | 3.2.0-1 | - |
| trixie | fixed | 3.0.4-3+deb13u6 | - |
| (unstable) | fixed | 3.2.0~RC2-3.2 | - |
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16339
GHSA-pjv8-58qr-6mxx