Description
GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.
Published: 2026-02-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap-based buffer overflow exists in GIMP's handling of ICO files: a length taken from the file is used to copy data into a heap buffer without being checked against that buffer's size (CWE-122/CWE-787), so a crafted ICO can overrun the allocation and lead to arbitrary code execution in the context of the GIMP process. Exploitation requires user interaction: the target has to open the crafted file, whether it arrives directly or is downloaded from a malicious web page. The code runs with the privileges of the user running GIMP, so the direct impact is compromise of that user's account and data; it amounts to full system compromise only where GIMP is run with elevated privileges.
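To make the bug class described above concrete, the following is an added illustrative example written for this page; it is not GIMP's file-ico code and not the code changed by the patch commit cited below. It models an ICO directory parser in C: an unchecked loader that sizes a heap pixel buffer from the entry's width and height but copies `bytes_in_res` bytes from `image_offset` exactly as the file states them, beside a checked version that validates the directory length, the source range (written as a subtraction so offset plus size cannot wrap) and the copy length against the destination capacity. The header layout follows the public ICO format (6-byte ICONDIR, 16-byte ICONDIRENTRY); the image resource is simplified to raw 32-bpp pixels, whereas real resources carry a BITMAPINFOHEADER and AND mask or a PNG stream. All sample files are constructed inline.

```c
/* Illustrative ICO directory parser: the unchecked copy pattern (CWE-120/CWE-122)
 * beside a bounds-checked version. Constructed for this page; not GIMP's code.
 * Simplification: the resource is treated as raw 32-bpp pixel rows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ICONDIR_SIZE      6   /* reserved u16, type u16, count u16 */
#define ICONDIRENTRY_SIZE 16  /* w u8, h u8, colors u8, rsvd u8, planes u16, bpp u16, size u32, offset u32 */

typedef enum { ICO_OK = 0, ICO_ERR_TRUNCATED, ICO_ERR_BAD_HEADER,
               ICO_ERR_NO_SUCH_ENTRY, ICO_ERR_TOO_LARGE, ICO_ERR_NOMEM } ico_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Destination size from the directory entry; a 0 width/height byte means 256. */
static size_t ico_pixel_bytes(const uint8_t *e)
{
    size_t w = e[0] ? e[0] : 256, h = e[1] ? e[1] : 256;
    return w * h * 4;                 /* at most 256*256*4 = 262144 bytes */
}

/* VULNERABLE pattern: the buffer is sized from width/height, but the copy length
 * and source offset come straight from the file. Calling this on the crafted
 * samples below writes past the heap buffer; it is here to be read, not run. */
int ico_load_entry_unchecked(const uint8_t *file, int idx, uint8_t **out)
{
    const uint8_t *e = file + ICONDIR_SIZE + (size_t)idx * ICONDIRENTRY_SIZE;
    uint8_t *buf = malloc(ico_pixel_bytes(e));
    if (!buf) return -1;
    memcpy(buf, file + rd32(e + 12), rd32(e + 8));   /* BUG: neither length nor offset validated */
    *out = buf;
    return 0;
}

/* HARDENED version: every file-controlled value is checked before it selects a
 * source range or a copy length. */
ico_status ico_load_entry_checked(const uint8_t *file, size_t file_len, int idx,
                                  uint8_t **out, size_t *out_len)
{
    if (file_len < ICONDIR_SIZE) return ICO_ERR_TRUNCATED;
    uint16_t type = rd16(file + 2), count = rd16(file + 4);
    if (rd16(file) != 0 || (type != 1 && type != 2) || count == 0) return ICO_ERR_BAD_HEADER;
    if (idx < 0 || (unsigned)idx >= count) return ICO_ERR_NO_SUCH_ENTRY;
    /* The whole directory must lie inside the file before any entry is read. */
    size_t dir_end = ICONDIR_SIZE + (size_t)count * ICONDIRENTRY_SIZE;
    if (dir_end > file_len) return ICO_ERR_TRUNCATED;

    const uint8_t *e = file + ICONDIR_SIZE + (size_t)idx * ICONDIRENTRY_SIZE;
    uint32_t size = rd32(e + 8), offset = rd32(e + 12);
    size_t capacity = ico_pixel_bytes(e);

    /* Source range: subtraction form, so offset + size cannot wrap around. */
    if (offset < dir_end || offset > file_len || size > file_len - offset) return ICO_ERR_TRUNCATED;
    /* Destination: the comparison the vulnerable version lacks. */
    if (size > capacity) return ICO_ERR_TOO_LARGE;

    uint8_t *buf = calloc(1, capacity);
    if (!buf) return ICO_ERR_NOMEM;
    memcpy(buf, file + offset, size);
    *out = buf; *out_len = size;
    return ICO_OK;
}

/* Verdict-only wrapper for callers that do not need the pixels. */
ico_status ico_probe(const uint8_t *file, size_t file_len, int idx)
{
    uint8_t *buf = NULL; size_t n = 0;
    ico_status s = ico_load_entry_checked(file, file_len, idx, &buf, &n);
    free(buf);
    return s;
}

/* Constructed samples (not real files): one-entry ICOs with a 2x2, 32-bpp image,
 * so capacity = 2*2*4 = 16 bytes and the data starts at offset 22. */
#define ICO_HDR 0x00,0x00, 0x01,0x00, 0x01,0x00
#define ENTRY(sz0,sz1,sz2,sz3) 2,2,0,0, 0x01,0x00, 0x20,0x00, sz0,sz1,sz2,sz3, 22,0,0,0
#define PIX16 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22, 0x33,0x33,0x33,0x33, 0x44,0x44,0x44,0x44

static const uint8_t BENIGN_ICO[]    = { ICO_HDR, ENTRY(16,0,0,0), PIX16 };        /* size 16 == capacity */
static const uint8_t OVERSIZE_ICO[]  = { ICO_HDR, ENTRY(32,0,0,0), PIX16, PIX16 }; /* 32 bytes present, capacity 16 */
static const uint8_t OVERCLAIM_ICO[] = { ICO_HDR, ENTRY(0,0,0x10,0), PIX16 };      /* claims 1 MiB, file is 38 bytes */
static const uint8_t WRAP_ICO[]      = { ICO_HDR, 2,2,0,0, 0x01,0x00, 0x20,0x00,
                                         0x20,0,0,0, 0xF0,0xFF,0xFF,0xFF, PIX16 }; /* offset 0xFFFFFFF0 */

int main(void)
{
    static const struct { const char *name; const uint8_t *f; size_t n; } samples[] = {
        { "benign",    BENIGN_ICO,    sizeof BENIGN_ICO },
        { "oversize",  OVERSIZE_ICO,  sizeof OVERSIZE_ICO },
        { "overclaim", OVERCLAIM_ICO, sizeof OVERCLAIM_ICO },
        { "wrap",      WRAP_ICO,      sizeof WRAP_ICO },
    };
    static const char *names[] = { "OK", "TRUNCATED", "BAD_HEADER", "NO_SUCH_ENTRY", "TOO_LARGE", "NOMEM" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s -> %s\n", samples[i].name, names[ico_probe(samples[i].f, samples[i].n, 0)]);
    /* The unchecked loader is only safe to call on the benign sample. */
    uint8_t *px = NULL;
    if (ico_load_entry_unchecked(BENIGN_ICO, 0, &px) == 0) { printf("unchecked benign: first byte 0x%02x\n", px[0]); free(px); }
    return 0;
}
```

The three crafted samples each defeat a different missing check: OVERSIZE_ICO fits in the file but not in the pixel buffer (the heap overflow the advisory describes), OVERCLAIM_ICO declares more data than the file holds, and WRAP_ICO carries an offset that would pass a naive `offset + size <= file_len` test on a 32-bit build. Building with `-fsanitize=address` and pointing the unchecked loader at either crafted sample reports the out-of-bounds write.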

Affected Systems

NVD's CPE data for this CVE lists GIMP 3.2.0 release candidate 1 (cpe:2.3:a:gimp:gimp:3.2.0:rc1). The Debian advisories listed below (DLA-4500-1 for LTS, DSA-6156-1 for stable) show that the gimp packages shipped by those distributions are affected as well, so the flaw is not confined to the 3.2 release candidate. No other vendor or product is listed as impacted.

Risk and Exploitability

NVD and Red Hat assign the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, scoring 8.8 High; ZDI's original CVSS 3.0 vector scored the same flaw 7.8 with AV:L, the difference being only whether delivering the file over the network counts as a network attack vector. Either way the attacker needs no privileges but must get a crafted ICO in front of the user and have them open it in GIMP. EPSS is below 1% and the CVE is not in CISA's KEV catalogue, so there is no indication of exploitation in the wild at the time of writing; the SSVC assessment recorded in the history below agrees (Exploitation: none, Automatable: no, Technical Impact: total). If the file is opened, the attacker obtains code execution as the GIMP user.

Generated by OpenCVE AI on April 17, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The remediation sources on this page are the GIMP patch commit cited under Recommended Actions and the Debian advisories listed under Advisories.

OpenCVE Recommended Actions

  • Apply a GIMP update that includes the official patch commit 69cc6b1a6645dc9c4d7b484483dbe6a84b922b9c, which adds bounds checking to the ICO parser; on Debian and its derivatives, install the gimp packages from DLA-4500-1 or DSA-6156-1.
  • Until the fix is installed, do not open or import ICO files from untrusted sources, including files downloaded from unfamiliar web pages. The "malicious page" in the description is a delivery path for the crafted file; GIMP does not parse image data it has not been asked to open.
  • Where ICO import is not needed, note that GIMP loads the format through its file-ico plug-in, and removing or disabling that plug-in keeps crafted ICO data away from the vulnerable parser. Blocking on the .ico extension alone is not a reliable control, since GIMP identifies image formats by content as well as by extension.

Tracking

Sign in to view the affected projects.

Advisories
Source      ID          Title
Debian DLA  DLA-4500-1  gimp security update
Debian DSA  DSA-6156-1  gimp security update
History

Tue, 24 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:gimp:gimp:3.2.0:rc1:*:*:*:*:*:*

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared    Gimp; Gimp gimp
Vendors & Products     Gimp; Gimp gimp

Sat, 21 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 20 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.
Title GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:13.538Z

Reserved: 2026-01-08T22:57:03.748Z

Link: CVE-2026-0797

Vulnrichment

Updated: 2026-02-24T14:51:53.598Z

NVD

Status : Analyzed

Published: 2026-02-20T22:16:19.280

Modified: 2026-02-24T21:43:26.627

Link: CVE-2026-0797

Redhat

Severity : Important

Public Date: 2026-02-20T22:10:04Z

Links: CVE-2026-0797 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses