Skip to main content

gdk-pixbuf CVE-2026-5201

| EUVDEUVD-2026-17343 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-31 redhat
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

11
Analysis Updated
Apr 30, 2026 - 08:28 vuln.today
v7 (cvss_changed)
Analysis Updated
Apr 30, 2026 - 06:28 vuln.today
v6 (cvss_changed)
Analysis Updated
Apr 28, 2026 - 09:28 vuln.today
v5 (cvss_changed)
Analysis Updated
Apr 28, 2026 - 08:28 vuln.today
v4 (cvss_changed)
Analysis Updated
Apr 27, 2026 - 10:27 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 27, 2026 - 03:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 27, 2026 - 03:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 08:45 euvd
EUVD-2026-17343
Analysis Generated
Mar 31, 2026 - 08:45 vuln.today
CVE Published
Mar 31, 2026 - 08:32 nvd
HIGH 7.5

DescriptionCVE.org

A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.

AnalysisAI

Heap-based buffer overflow in gdk-pixbuf's JPEG image loader enables remote denial of service through malformed JPEG images without user interaction. The vulnerability triggers during automated image processing operations like thumbnail generation across Red Hat Enterprise Linux 6 through 10, allowing unauthenticated network attackers to crash applications that process JPEG images. EPSS score of 0.09% (25th percentile) suggests low observed exploitation activity, consistent with SSVC assessment showing no active exploitation despite the vulnerability being fully automatable.

Technical ContextAI

gdk-pixbuf is the GNOME image loading library used throughout Linux desktop environments for rendering image formats including JPEG, PNG, and GIF. This CWE-122 heap-based buffer overflow occurs in the JPEG decoder's color component validation logic. When parsing JPEG image headers, the library fails to properly bounds-check the number of color components declared in a malicious JPEG file before allocating heap memory. This allows crafted JPEG images to specify component counts that exceed allocated buffer sizes, triggering heap corruption during the image decoding process. The vulnerability affects all Red Hat Enterprise Linux versions from RHEL 6 through RHEL 10, indicating widespread deployment across enterprise Linux environments where gdk-pixbuf serves as a critical dependency for desktop applications, file managers, email clients, web browsers, and any software rendering image thumbnails or previews.

RemediationAI

Apply vendor-released security updates immediately for affected Red Hat Enterprise Linux systems. Red Hat has published multiple security advisories with patches: RHSA-2026:10707, RHSA-2026:10708, RHSA-2026:10741, RHSA-2026:11325, RHSA-2026:11326, RHSA-2026:11327, RHSA-2026:11328, RHSA-2026:11806, and RHSA-2026:12060 covering RHEL 6 through 10 (access.redhat.com/errata). Debian LTS users should follow guidance at lists.debian.org/debian-lts-announce/2026/04/msg00010.html. For systems where immediate patching is not feasible, implement compensating controls by restricting JPEG image processing to trusted sources only. Disable automatic thumbnail generation for untrusted content in file managers and email clients by modifying GNOME settings or application configurations-note this degrades user experience by removing image previews. For web-facing services accepting image uploads, deploy content validation proxies that sanitize JPEG files before processing, though this adds processing overhead and may not catch all malformed inputs. Network segmentation can limit blast radius by isolating image processing services from critical infrastructure, reducing denial-of-service impact scope.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

CVE-2026-5201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy