Description
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618.
Published: 2026-06-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow in the HDR file parser of GIMP. The parser fails to validate the length of user-supplied data before copying it to a heap buffer, allowing an attacker to trigger arbitrary code execution when a user opens a crafted HDR file or visits a malicious page that prompts GIMP to load the file. This flaw gives remote attackers full control over the GIMP process in the context of the current user.

Affected Systems

This weakness exists in all versions of GIMP that include HDR file format support. The vendor listing simply states GIMP, and no specific version range is supplied, so any GIMP installation that processes HDR files may be affected.

Risk and Exploitability

The vulnerability is rated with a CVSS score of 7.8 and is not listed in the CISA KEV catalog. The EPSS score is < 1%, indicating a very low probability of exploitation. Because exploitation requires user interaction—the target must open a malicious file or visit a malicious page—attackers typically rely on social engineering or phishing. The lack of an immediate native workaround means that the risk hinges on how soon an updated GIMP release becomes available and how diligently users avoid opening untrusted HDR files.

Generated by OpenCVE AI on June 13, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GIMP to the latest release that includes the HDR parser patch (verify release notes from GNOME/GIMP).
  • If an upgrade cannot be applied immediately, configure GIMP or the operating system to block or quarantine HDR files from unknown sources, or disable HDR support when possible, to prevent the user from inadvertently opening malicious files.
  • Educate users to be cautious when downloading or opening HDR images, especially via email or the web, and consider running GIMP in a sandbox or least-privilege environment to contain any potential compromise.



Advisories

Source      ID          Title
Debian DLA  DLA-4487-1  gegl security update
Debian DSA  DSA-6142-1  gegl security update
History

Sat, 13 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity: None
        cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
        threat_severity: Important

Thu, 11 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Gimp; Gimp gimp
Vendors & Products Gimp; Gimp gimp

Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618.
Title GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0: {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-30T12:06:59.723Z

Reserved: 2026-02-06T01:17:36.198Z

Link: CVE-2026-2049

Vulnrichment

Updated: 2026-06-11T13:24:58.157Z

NVD

Status : Deferred

Published: 2026-06-10T22:16:56.833

Modified: 2026-06-11T15:34:48.027

Link: CVE-2026-2049

Redhat

Severity : Important

Public Date: 2026-06-10T21:22:47Z

Links: CVE-2026-2049 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-13T02:00:08Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow
  • CWE-131: Incorrect Calculation of Buffer Size