Description
GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863.
Published: 2026-04-11
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker can craft a JP2 image that contains an oversized data block. When GIMP parses the file, it does not verify the length of the block before copying it into a heap buffer, creating a heap-based buffer overflow that can overwrite memory and execute arbitrary code in the process. This flaw permits remote code execution with the privileges of the user running GIMP, leading to compromise of confidentiality, integrity, and availability of the victim’s system.

Affected Systems

The vulnerability affects GIMP, specifically the 3.0.8 release. No other vendor or product versions are known to be impacted at this time.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. An EPSS score of less than 1% suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires user interaction, such as opening a malicious JP2 file or visiting a web page that triggers a file visit. If an user consents, the attacker can run arbitrary code with the user’s privileges.

Generated by OpenCVE AI on April 14, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GIMP update that contains the JP2 parser fix.
  • If an update is not yet available, avoid opening JP2 files from untrusted sources and disable automatic opening of such files.
  • Monitor GIMP vendor announcements and security advisories for a patch release.

Generated by OpenCVE AI on April 14, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4547-1 gimp security updat
Debian DSA Debian DSA DSA-6215-1 gimp security update
History

Tue, 14 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:gimp:gimp:3.0.8:*:*:*:*:*:*:*

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Gimp
Gimp gimp
Vendors & Products Gimp
Gimp gimp

Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863.
Title GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Gimp Gimp
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-14T03:55:52.703Z

Reserved: 2026-03-13T20:32:46.564Z

Link: CVE-2026-4152

cve-icon Vulnrichment

Updated: 2026-04-13T17:24:21.660Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-11T01:16:16.830

Modified: 2026-04-14T19:32:46.420

Link: CVE-2026-4152

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-11T00:15:54Z

Links: CVE-2026-4152 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses