Skip to main content

GIMP CVE-2026-58380

| EUVDEUVD-2026-41875 HIGH
Off-by-one Error (CWE-193)
2026-07-06 redhat GHSA-c7fj-r3pq-5ph5
7.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
HIGH
qualitative
NVD
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local file-parsing bug needing the victim to open a crafted file (AV:L/UI:R), no attacker privileges (PR:N), and full compromise of the user session (C/I/A:H).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 10, 2026 - 17:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 17:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 17:37 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 17:37 NVD
7.3 (HIGH) 7.8 (HIGH)
Analysis Generated
Jul 06, 2026 - 14:52 vuln.today
CVE Published
Jul 06, 2026 - 13:58 cve.org
HIGH 7.3

DescriptionNVD

A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.

AnalysisAI

Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a victim opens a malicious PNM/PBM/PGM/PPM file. The flaw is an off-by-one in pnmscanner_gettoken() that writes a null terminator one byte past a stack buffer; it is local and requires the user to open the crafted file (UI:R). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious PNM file
Delivery
Deliver to victim via email or download
Exploit
Victim opens file in GIMP
Execution
pnmscanner_gettoken() writes NUL past stack buffer
Persist
Corrupt adjacent stack memory
Impact
Crash or execute code in user context

Vulnerability AssessmentAI

Exploitation Exploitation requires a user to open an attacker-supplied PNM-family file (PBM/PGM/PPM/PAM) in GIMP so the vulnerable PNM loader runs - this is the UI:R requirement in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to genuine-but-not-urgent risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a PNM file whose header or data token is sized to exactly fill the scanner's stack buffer, then delivers it via email, a web download, or a shared image repository. When the victim opens the file in GIMP, pnmscanner_gettoken() writes a NUL one byte past the buffer, corrupting adjacent stack data; at minimum GIMP crashes (DoS), and in the worst case the overwrite is leveraged toward code execution in the user's context. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the GNOME/GIMP fix from commit https://gitlab.gnome.org/GNOME/gimp/-/commit/83699817 once packaged. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all GIMP installations across the organization, noting version numbers and file handling roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

CVE-2026-42013 HIGH
8.2 May 26

Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi

CVE-2026-14476 HIGH
8.0 Jul 07

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re

CVE-2026-58384 HIGH
7.8 Jul 07

Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in rea

CVE-2026-12505 HIGH
7.8 Jun 18

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin

Share

CVE-2026-58380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy