Description
GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of PGM files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28158.
Published: 2026-02-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

The flaw resides in the parsing of PGM image files and stems from the failure to properly initialize memory before accessing it, which is classified as CWE‑908. When a user opens a malicious PGM file, the uninitialized data can be coerced into executable code and run in the context of the running GIMP process, allowing an attacker to execute arbitrary instructions on the host. This vulnerability is triggered by user interaction; an attacker must supply a crafted PGM file through a malicious link or local file preview.

Affected Systems

The affected installation is GIMP version 3.0.6 as indicated by its CPE. No other versions are explicitly listed, but any GIMP build that contains the uninitialized memory bug in its PGM parser may be vulnerable, so all installations should verify the presence or absence of the fix.

Risk and Exploitability

The CVSS base score of 8.8 reflects high severity for remote code execution, though the EPSS score is below 1 %, indicating a low likelihood of exploitation in the wild at this time. The vulnerability is not currently in the CISA KEV catalog, and no public exploit has been disclosed. The likely attack vector requires a malicious PGM file presented to the user—either via a web page, a shared file, or a deceptive download—so user awareness and file source verification remain critical, while the low EPSS suggests that active exploitation is still uncommon.

Generated by OpenCVE AI on April 17, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GIMP to the latest release, which includes a fix for the uninitialized memory bug in PGM parsing
  • Avoid opening PGM files from sources that are not trusted and consider disabling automatic preview of PGM files in file managers
  • If an immediate upgrade is not possible, restrict GIMP's ability to open PGM files by configuring access controls or removing the relevant file handler from the application

Generated by OpenCVE AI on April 17, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4500-1 gimp security updat
Debian DSA Debian DSA DSA-6156-1 gimp security update
History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:*

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Gimp
Gimp gimp
Vendors & Products Gimp
Gimp gimp

Sat, 21 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PGM files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28158.
Title GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability
Weaknesses CWE-908
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Gimp Gimp
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:12.653Z

Reserved: 2026-02-06T01:16:07.403Z

Link: CVE-2026-2044

cve-icon Vulnrichment

Updated: 2026-02-23T18:20:34.318Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T23:16:04.690

Modified: 2026-02-24T21:41:32.170

Link: CVE-2026-2044

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-20T22:23:23Z

Links: CVE-2026-2044 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses