Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
File parsed locally by the running user account (AV:L/PR:L), mandatory victim interaction to open the crafted file (UI:R), reliable crash (A:H) with limited heap corruption impact (C:L/I:L) and no scope change.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
AnalysisAI
Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim user to actively open a specially crafted PSP (Paint Shop Pro) format file in GIMP - user interaction (UI:R) is a hard prerequisite, and exploitation cannot occur without this step. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 Medium score with AV:L/AC:L/PR:L/UI:R/S:U reflects a meaningful but constrained attack surface: exploitation requires the victim to manually open a malicious PSP file in GIMP on a local system, precluding automated or unauthenticated network exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious PSP image file containing a specially structured layer block that triggers the double-free in read_layer_block() and delivers it to a target user via email, a web download, or a shared file repository. When the victim opens the file in GIMP on their RHEL workstation, heap memory is corrupted, at minimum crashing GIMP reliably. … |
| Remediation | An upstream fix is available via GitLab commit b22e147b (https://gitlab.gnome.org/GNOME/gimp/-/commit/b22e147b); however, a tagged GIMP release incorporating this commit has not been independently confirmed from the available data, so this should be treated as an upstream fix pending a formal release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 6
View allRemote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in rea
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a v
Same weakness CWE-415 – Double Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41434
GHSA-pfjw-r4vx-pmfw