Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (zdi).
CVSS VectorVendor: zdi
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28874.
AnalysisAI
Heap-based buffer overflow in GIMP's PSP (Paint Shop Pro) file parser enables remote code execution when processing malicious PSP image files. Unauthenticated attackers can execute arbitrary code with user privileges by convincing targets to open crafted PSP files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. No public exploit identified at time of analysis. Vulnerability tracked as ZDI-CAN-28874 by Zero Day Initiative.
Technical ContextAI
CWE-122 heap overflow during PSP file parsing operations. Insufficient length validation before copying user-controlled data to heap-allocated buffer. CPE cpe:2.3:a:gimp:gimp applies broadly across GIMP versions pending vendor-specific version disclosure. Attack succeeds through malformed PSP file structure manipulation targeting heap memory.
RemediationAI
Vendor-released patch: GIMP upstream commit 98cb1371fd4e22cca75017ea3252dc32fc218712 addresses the vulnerability. Users should update to GIMP versions incorporating this commit through distribution package managers or official GIMP releases. SUSE users apply SUSE-SU-2026:1193 security update via zypper/YaST. Until patching, avoid opening PSP files from untrusted sources and disable PSP file format support if not operationally required. Verify patch deployment: https://gitlab.gnome.org/GNOME/gimp/-/commit/98cb1371fd4e22cca75017ea3252dc32fc218712 and distribution-specific advisories at https://www.suse.com/support/update/SUSE-SU-2026:1193/. Full ZDI disclosure: https://www.zerodayinitiative.com/advisories/ZDI-26-220/
Buffer overflow in the readstr_upto function in plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and p
Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attack
In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_data in plug-ins/common/file-psp.c. Rated high sev
fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and applic
An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via
GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Rated medium severity (CVSS 5.5), this vulnerability is no a
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that alre
Critical remote code execution vulnerability in GIMP's ICO file parser caused by an integer overflow (CWE-190) that lack
Remote code execution in GIMP 3.0.6 allows attackers to run arbitrary code by tricking a user into opening a malicious P
Remote code execution in GIMP 3.2.0-rc1 lets attackers run arbitrary code by tricking a user into opening a malicious IC
Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cau
Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-contro
Same weakness CWE-122 – Heap-based Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21635
GHSA-rr9p-8245-3f99