Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Opening a malicious file needs no prior privileges (PR:N) but requires the user to open it (UI:R) via a local file (AV:L); memory corruption enables full C/I/A impact in the user context.
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
A flaw was found in GIMP's PSD parser. An integer overflow in read_RLE_channel() can cause an undersized heap allocation for the RLE row-length table, after which subsequent per-row writes corrupt heap memory. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
AnalysisAI
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in read_RLE_channel(), producing an undersized heap allocation for the RLE row-length table that is then overwritten row-by-row, potentially yielding denial of service or arbitrary code execution. The flaw affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9 and is triggered when a victim opens or imports a crafted PSD file. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim to actively open or import an attacker-crafted PSD (Photoshop) file in GIMP - the CVSS UI:R and AV:L metrics confirm local access and user interaction are mandatory; this is not remotely triggerable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, base 7.3) correctly captures this as a local, user-interaction-dependent client-side flaw rather than a remotely reachable service bug - the 'local' vector reflects that a victim must open an attacker-supplied file. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious PSD file with RLE-compressed channel data whose row count is chosen to overflow the row-length-table size calculation, then delivers it via email, a download, or a shared drive under a plausible pretext. When the victim opens or imports the file in GIMP, the undersized heap buffer is overrun during row-length parsing, crashing the application or, with careful heap grooming, steering execution toward arbitrary code in the user's context. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - the upstream correction is in GNOME GitLab commit da29e217 (https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all GIMP installations on RHEL 6, 7, 8, and 9, and document which systems process untrusted PSD files. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 6
View allRemote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Here is the multi-source synthesis as a single JSON object: ```json { "product_name": "GnuTLS", "summary": "Certifi
Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Re
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a v
Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusin
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42020
GHSA-pp89-6qxc-wh8f