Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local file-parsing bug needing the victim to open a crafted file (AV:L/UI:R), no attacker privileges (PR:N), and full compromise of the user session (C/I/A:H).
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
AnalysisAI
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a victim opens a malicious PNM/PBM/PGM/PPM file. The flaw is an off-by-one in pnmscanner_gettoken() that writes a null terminator one byte past a stack buffer; it is local and requires the user to open the crafted file (UI:R). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a user to open an attacker-supplied PNM-family file (PBM/PGM/PPM/PAM) in GIMP so the vulnerable PNM loader runs - this is the UI:R requirement in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to genuine-but-not-urgent risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a PNM file whose header or data token is sized to exactly fill the scanner's stack buffer, then delivers it via email, a web download, or a shared image repository. When the victim opens the file in GIMP, pnmscanner_gettoken() writes a NUL one byte past the buffer, corrupting adjacent stack data; at minimum GIMP crashes (DoS), and in the worst case the overwrite is leveraged toward code execution in the user's context. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the GNOME/GIMP fix from commit https://gitlab.gnome.org/GNOME/gimp/-/commit/83699817 once packaged. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all GIMP installations across the organization, noting version numbers and file handling roles. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 6
View allRemote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in rea
Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin
Same weakness CWE-193 – Off-by-one Error
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41875
GHSA-c7fj-r3pq-5ph5