Severity by source
NVD: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
AI: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
AI rationale: local file parsing in a desktop app (AV:L); the user must open the file (UI:R); a single-byte heap over-read realistically leaks only limited adjacent memory (C:L); no integrity impact (I:N); the crash gives A:H.
Primary rating from NVD.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Description (NVD)
A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP’s PCX file loader due to an off-by-one error. A remote attacker could exploit this by convincing a user to open a specially crafted PCX image. Successful exploitation could lead to out-of-bounds memory disclosure and a possible application crash, resulting in a Denial of Service (DoS).
Analysis (AI)
Heap buffer over-read in GIMP's PCX image loader allows a remote attacker who can convince a user to open a crafted PCX file to disclose adjacent heap memory and crash the application. The flaw stems from an off-by-one error (CWE-193) and is tracked across Red Hat Enterprise Linux 6 through 9. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) the victim to have a vulnerable GIMP build installed (RHEL 6/7/8/9 packages per the CPEs, plus Debian builds), (2) the attacker to deliver a specially crafted PCX-format image file, and (3) the victim to actively open that file in GIMP (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-low despite the 7.1 CVSS base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker emails or hosts a malicious .pcx file (or embeds one inside an archive or document workflow) and lures a designer, analyst, or helpdesk user into opening it in GIMP. When GIMP's PCX loader parses the crafted header/scanline, the off-by-one read leaks a small slice of adjacent heap memory and/or crashes the editor, costing the user any unsaved work. … |
| Remediation | Patch available per vendor advisory: apply the Red Hat errata that cover your RHEL release - RHSA-2026:16484, RHSA-2026:17533, RHSA-2026:19362, RHSA-2026:20552, RHSA-2026:20553, RHSA-2026:20554, RHSA-2026:20691, RHSA-2026:25899, RHSA-2026:25901, and RHSA-2026:25907 (all under https://access.redhat.com/errata/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
24 hours: Identify and document all systems running GIMP, particularly those processing untrusted image files. …
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.10.22-4+deb11u2 | - |
| bullseye (security) | vulnerable | 2.10.22-4+deb11u7 | - |
| bookworm | vulnerable | 2.10.34-1+deb12u5 | - |
| bookworm (security) | vulnerable | 2.10.34-1+deb12u9 | - |
| trixie, trixie (security) | vulnerable | 3.0.4-3+deb13u7 | - |
| forky | vulnerable | 3.2.0~RC3-1 | - |
| sid | vulnerable | 3.2.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: Medium
| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
External POC / Exploit Code
EUVD-2026-16166
GHSA-wmqx-rmqw-vxp8