Description
A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
Published: 2026-07-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a heap buffer overflow in GIMP’s Paint Shop Pro (PSP) file parser. When the program processes a crafted low‑bit‑depth PSP image it incorrectly calculates buffer sizes, leading to an overwrite of adjacent memory. This can give an attacker the ability to run arbitrary code or trigger a denial of service. The vulnerability is exercised through user interaction, requiring the opening of a malicious image file.

Affected Systems

The vulnerability affects the Red Hat Enterprise Linux releases 6, 7, 8, and 9 because GIMP is supplied as a package in those distributions. No further product or version details are provided in the CNA data, but the issue applies to the GIMP instances bundled with these operating systems.

Risk and Exploitability

The CVSS score of 7.3 indicates a moderate to high severity. The EPSS score of < 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not widely exploited as of now. The likely attack vector is user‑based; a remote attacker must entice an end‑user to open a malicious PSP file, a form of social engineering or remote file execution via user action. When the file is opened, the buffer overflow can lead to arbitrary code execution or a crash.

Generated by OpenCVE AI on July 5, 2026 at 00:35 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, users should avoid opening untrusted Paint Shop Pro (PSP) image files with GIMP. As a general security practice, it is recommended to only process image files from trusted sources. If GIMP is not essential, consider removing the package to eliminate the attack surface.


OpenCVE Recommended Actions

  • Avoid opening untrusted Paint Shop Pro image files with GIMP.
  • Process only image files from trusted sources.
  • If GIMP is not essential, consider uninstalling the package to eliminate the attack surface.

Generated by OpenCVE AI on July 5, 2026 at 00:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in GIMP's Paint Shop Pro (PSP) file format parser. This heap buffer overflow vulnerability allows a remote attacker to cause arbitrary code execution or a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file. The vulnerability occurs because the software incorrectly calculates buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory.
Title Gimp: gimp: heap buffer overflow in read_channel_data()
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-122
CPEs cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-03T18:29:22.302Z

Reserved: 2026-06-30T16:54:04.312Z

Link: CVE-2026-58379

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-05T00:45:04Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow