Description
GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28807.
Published: 2026-04-11
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the parsing of PSD files in GIMP allows a remote attacker to trigger an integer overflow before allocating memory. This overflow can lead to arbitrary code execution within the context of the GIMP process. The vulnerability requires user interaction; the target must open a malicious PSD file or visit a malicious page that triggers the file handling routine. The weakness is a classic integer overflow (CWE‑190).

Affected Systems

Version 3.0.8 of GIMP distributed by the GIMP project is affected. No other product or version information is listed.

Risk and Exploitability

The flaw has a CVSS score of 7.8, indicating a high severity. The EPSS score is below 1%, signaling a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation depends on the user opening a crafted PSD file, which means that the attack vector is user‑initiated and requires the user to be connected to a malicious site or to receive a malicious file. The impact is full compromise of the target system through arbitrary code execution.

Generated by OpenCVE AI on April 14, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GIMP update that incorporates the patch referenced in commit 00afdabd
  • Avoid opening PSD files from untrusted sources until an update is applied
  • Verify properties of PSD files with caution, and consider disabling automatic file association if necessary

Generated by OpenCVE AI on April 14, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4547-1 gimp security updat
Debian DSA Debian DSA DSA-6215-1 gimp security update
History

Tue, 14 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gimp:gimp:3.0.8:*:*:*:*:*:*:*

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Gimp
Gimp gimp
Vendors & Products Gimp
Gimp gimp

Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28807.
Title GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-190
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Gimp Gimp
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-14T03:55:49.145Z

Reserved: 2026-03-13T20:32:25.019Z

Link: CVE-2026-4150

cve-icon Vulnrichment

Updated: 2026-04-13T17:25:27.667Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T01:16:16.560

Modified: 2026-04-14T19:32:38.900

Link: CVE-2026-4150

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-11T00:15:36Z

Links: CVE-2026-4150 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses