Description
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618.
Published: 2026-06-10
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap‑based buffer overflow in the HDR file parser of GIMP. The parser fails to validate the length of user‑supplied data before copying it to a heap buffer, allowing an attacker to trigger arbitrary code execution when a user opens a crafted HDR file or visits a malicious page that prompts GIMP to load the file. This flaw gives remote attackers full control over the GIMP process in the context of the current user.

Affected Systems

The affected-product listing names only GIMP and supplies no version range, so the weakness should be assumed to exist in every GIMP version that includes HDR file format support; any installation that processes HDR files may be affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8 and is not listed in the CISA KEV catalog. Although the description speaks of remote attackers, the CVSS vector records AV:L: the attack is delivered through a crafted file that the target must open (or a malicious page that leads them to do so), so attackers typically rely on social engineering or phishing. With no vendor workaround available, the risk hinges on how soon a fixed GIMP release ships and how diligently users avoid opening untrusted HDR files.

Generated by OpenCVE AI on June 10, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GIMP to the latest release that includes the HDR parser patch (verify release notes from GNOME/GIMP).
  • If an upgrade cannot be applied immediately, configure GIMP or the operating system to block or quarantine HDR files from unknown sources, or disable HDR support when possible, to prevent the user from inadvertently opening malicious files.
  • Educate users to be cautious when downloading or opening HDR images, especially via email or the web, and consider running GIMP in a sandbox or least‑privilege environment to contain any potential compromise.


Advisories
Source      ID          Title
Debian DLA  DLA-4487-1  gegl security update
Debian DSA  DSA-6142-1  gegl security update
History

Wed, 10 Jun 2026 23:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gimp
                                      Gimp gimp
Vendors & Products                    Gimp
                                      Gimp gimp

Wed, 10 Jun 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618.
Title                          GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses                     CWE-122
References
Metrics                        cvssV3_0 {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-10T21:22:47.059Z

Reserved: 2026-02-06T01:17:36.198Z

Link: CVE-2026-2049

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:16:56.833

Modified: 2026-06-10T22:16:56.833

Link: CVE-2026-2049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:18Z

Weaknesses