Severity by source
Sources disagree (Low–High)AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an integer overflow vulnerability in the read_creator_block() function by providing a specially crafted PSP image file. This vulnerability occurs when a 32-bit length value from the file is used for memory allocation without proper validation, leading to a heap overflow and an out-of-bounds write. Successful exploitation could result in an application level denial of service.
AnalysisAI
GIMP's PSP file parser fails to validate 32-bit length values in the read_creator_block() function, allowing local attackers to trigger integer overflow and heap buffer overflow via specially crafted PSP image files, resulting in application-level denial of service. Red Hat Enterprise Linux versions 6-9, Ubuntu (7 releases), Debian (9 releases), and SUSE are affected. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability has been assigned ENISA EUVD ID EUVD-2026-16340 and tracked across major Linux distributions.
Technical ContextAI
GIMP's PSP (Paint Shop Pro) file format parser contains a vulnerability in the read_creator_block() function, which is responsible for parsing metadata blocks within PSP image files. The vulnerability stems from CWE-190 (Integer Overflow or Wraparound), specifically the failure to validate a 32-bit length field before using it in a memory allocation operation. When a crafted PSP file provides a maliciously large length value, the integer overflow during size calculation results in undersized heap buffer allocation. Subsequent writes to the buffer then cause a heap-based buffer overflow (CWE-122), leading to memory corruption and application crash. The affected products include GIMP on Red Hat Enterprise Linux versions 6, 7, 8, and 9 (identified via CPE: cpe:2.3:a:red_hat:red_hat_enterprise_linux_6-9), as well as distributions tracked by Ubuntu (7 releases) and Debian (9 releases with advisories DLA-4483-1 and DSA-6139-1). This is a classic file format parsing vulnerability requiring user interaction to open a malicious file.
RemediationAI
Apply security updates provided by your Linux distribution vendor. For Red Hat Enterprise Linux, consult https://access.redhat.com/security/cve/CVE-2026-2271 for version-specific patches. For Debian-based systems, review advisories DLA-4483-1 (Debian LTS) and DSA-6139-1 (stable/testing); for SUSE, apply SUSE-SU-2026:0604. Until patches can be deployed, restrict file upload and file-open capabilities for GIMP to trusted sources only, disable automatic file associations for PSP files in untrusted contexts, and consider running GIMP in a sandboxed environment (e.g., Flatpak, containers, or dedicated user accounts with minimal privileges) if processing untrusted image files is unavoidable. Monitor bugzilla.redhat.com (bug #2438429) and Debian security-tracker for updated advisories.
More in Red Hat Enterprise Linux 6
View allRemote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in rea
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a v
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
Bug #1127841| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.10.22-4+deb11u6 | - |
| bullseye (security) | fixed | 2.10.22-4+deb11u7 | - |
| bookworm | fixed | 2.10.34-1+deb12u8 | - |
| bookworm (security) | fixed | 2.10.34-1+deb12u9 | - |
| trixie, trixie (security) | fixed | 3.0.4-3+deb13u7 | - |
| forky | fixed | 3.2.0~RC3-1 | - |
| sid | fixed | 3.2.0-1 | - |
| trixie | fixed | 3.0.4-3+deb13u6 | - |
| (unstable) | fixed | 3.2.0~RC2-3.2 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16340
GHSA-688g-4qr3-6q47