Description
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
Published: 2026-03-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow in the JPEG loader of the gdk-pixbuf library. Improper validation of color component counts allows an attacker to craft a JPEG that overflows a heap buffer, causing the target application to crash. Because the overflow occurs during image decoding, a remote attacker can trigger it without user interaction, such as when a system generates thumbnails for unknown files.

Affected Systems

This flaw affects Red Hat Enterprise Linux versions 6, 7, 8, 9 and 10, as they ship the gdk-pixbuf component that contains the vulnerable code. Any software on those platforms that processes JPEG images via gdk-pixbuf is potentially impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity threat. With EPSS data missing, the exact likelihood of exploitation is unclear, but the flaw is not listed in CISA's KEV catalog, suggesting no known widespread attacks yet. The exploitation path requires an attacker to provide a specially crafted JPEG, which can be delivered through automated thumbnail generation or other image processing routines. If successful, the system experiences application crashes leading to denial of service for the affected service or user session.

Generated by OpenCVE AI on March 31, 2026 at 09:20 UTC.

Remediation

Vendor Workaround

To reduce the risk of exploitation, avoid opening or processing untrusted JPEG image files. This operational control helps prevent the automatic triggering of the vulnerability, for example, during thumbnail generation, which could otherwise lead to application instability.

OpenCVE Recommended Actions

  • Update to a patched gdk-pixbuf release available through the Red Hat update stream.
  • Disable or restrict automatic thumbnail generation for untrusted image files to prevent the fault from being triggered automatically.
  • Apply the vendor-issued workaround of avoiding opening or processing untrusted JPEG files until a patch is applied.
  • Keep monitoring Red Hat security advisories for any new updates or additional mitigations.

Advisories

Source      ID          Title
Debian DLA  DLA-4531-1  gdk-pixbuf security update
Debian DSA  DSA-6206-1  gdk-pixbuf security update
Ubuntu USN  USN-8156-1  GDK-PixBuf vulnerability
History

Mon, 27 Apr 2026 03:00:00 +0000
  CPEs: cpe:/a:redhat:enterprise_linux:9::appstream
  References: (values not listed on the page)

Tue, 14 Apr 2026 12:30:00 +0000
  References: (values not listed on the page)

Fri, 03 Apr 2026 10:15:00 +0000
  First Time appeared: added Gnome; Gnome gdk-pixbuf
  Vendors & Products: added Gnome; Gnome gdk-pixbuf

Wed, 01 Apr 2026 02:15:00 +0000
  References: (values not listed on the page)
  Metrics threat_severity: removed None; added Important

Tue, 31 Mar 2026 14:15:00 +0000
  Metrics ssvc: added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 08:45:00 +0000
  Description: added "A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions."
  Title: added "Gdk-pixbuf: gdk-pixbuf: denial of service via heap-based buffer overflow when processing a specially crafted jpeg image"
  First Time appeared: added Redhat; Redhat enterprise Linux
  Weaknesses: added CWE-122
  CPEs: added cpe:/o:redhat:enterprise_linux:10, cpe:/o:redhat:enterprise_linux:6, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
  Vendors & Products: added Redhat; Redhat enterprise Linux
  References: (values not listed on the page)
  Metrics cvssV3_1: added {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-27T02:08:56.873Z

Reserved: 2026-03-31T07:20:49.961Z

Link: CVE-2026-5201

Vulnrichment

Updated: 2026-04-14T11:24:02.757Z

NVD

Status : Undergoing Analysis

Published: 2026-03-31T09:16:23.440

Modified: 2026-04-27T03:15:59.397

Link: CVE-2026-5201

Redhat

Severity : Important

Public Date: 2026-03-31T00:00:00Z

Links: CVE-2026-5201 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:10:27Z

Weaknesses