Description
GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28874.
Published: 2026-04-11
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap-based buffer overflow occurs when GIMP parses PSP files, because the length of user-supplied data is not validated before it is copied into a heap buffer. When a crafted file is processed, whether opened directly or delivered via a web page, the overflow allows an attacker to execute arbitrary code in the context of the current user session. The vulnerability can compromise confidentiality, integrity, and availability by permitting an attacker to run any code with the privileges of the GIMP process.

Affected Systems

The flaw affects GIMP, specifically version 3.0.8, the only release identified in the associated CPE data. No other versions are listed in the provided data, so the recommendation focuses on that release.

Risk and Exploitability

The CVSS score of 7.8 places the vulnerability in the High severity range, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and the attack vector requires user interaction (opening a malicious file), so it cannot be exploited without the user's action. Nevertheless, the potential impact warrants attention because successful exploitation yields full code execution.

Generated by OpenCVE AI on April 14, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch that updates GIMP to a version where the PSP parsing buffer is properly validated (e.g., GIMP 3.0.9 or newer).
  • If patching is not immediately possible, refrain from opening unfamiliar or untrusted PSP files and avoid visiting unverified web pages that may embed such files.

Advisories

Source      ID          Title
Debian DLA  DLA-4547-1  gimp security update
Debian DSA  DSA-6215-1  gimp security update
History

Tue, 14 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:gimp:gimp:3.0.8:*:*:*:*:*:*:*

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared    Gimp; Gimp gimp
Vendors & Products     Gimp; Gimp gimp

Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Sat, 11 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28874.
Title GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-04-14T03:55:53.814Z

Reserved: 2026-03-13T20:32:56.108Z

Link: CVE-2026-4153

Vulnrichment

Updated: 2026-04-13T18:24:30.339Z

NVD

Status : Analyzed

Published: 2026-04-11T01:16:16.963

Modified: 2026-04-14T19:33:01.767

Link: CVE-2026-4153

Redhat

Severity : Important

Public Date: 2026-04-11T00:16:01Z

Links: CVE-2026-4153 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses