[Pkg-gnome-extras-maintainers] Bug#1128606: gimp: CVE-2026-2048
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 21 20:16:39 GMT 2026
Source: gimp
Version: 3.2.0~RC2-3.1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for gimp.
CVE-2026-2048[0]:
| GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution
| Vulnerability. This vulnerability allows remote attackers to execute
| arbitrary code on affected installations of GIMP. User interaction
| is required to exploit this vulnerability in that the target must
| visit a malicious page or open a malicious file. The specific flaw
| exists within the parsing of XWD files. The issue results from the
| lack of proper validation of user-supplied data, which can result in
| a write past the end of an allocated buffer. An attacker can
| leverage this vulnerability to execute code in the context of the
| current process. Was ZDI-CAN-28591.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-2048
https://www.cve.org/CVERecord?id=CVE-2026-2048
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
[2] https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
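The defect class the CVE text describes, a count or length taken from the file driving writes into an allocated buffer without validation, as an added illustration in C. This is not GIMP's code and not the fix from commit [2]; the bug report does not say which XWD field is involved, so the checks below (header_size and ncolors validated against the X11 xwd file layout and the destination capacity) are assumptions about the format, not a description of the actual flaw. The sample files are constructed in the block.

```c
/* Added example: a bounds-checked reader for the XWD header and colormap.
 * Assumes the classic X11 xwd layout: 25 big-endian 32-bit words (100 bytes),
 * header_size-100 bytes of window name, then ncolors 12-byte colour entries.
 * Not GIMP code; field offsets are taken from the xwd format, not the CVE. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define XWD_FIXED_HEADER 100u   /* 25 big-endian 32-bit words */
#define XWD_FILE_VERSION 7u
#define XWD_COLOR_SIZE   12u    /* on-disk size of one colour entry */
#define MAX_COLORS       256u   /* capacity of the colormap we fill */

typedef struct { uint32_t pixel; uint16_t red, green, blue; uint8_t flags, pad; } xwd_color_t;
typedef struct {
    uint32_t header_size, ncolors;
    xwd_color_t cmap[MAX_COLORS];   /* fixed-size destination: ncolors must fit here */
} xwd_image_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse header and colormap from an in-memory file.  Returns 0 on success or a
 * negative code naming the rejected field.  Every count read from the file is
 * checked against the bytes we hold and the destination capacity before it
 * is allowed to drive a write. */
int xwd_parse(const uint8_t *buf, size_t len, xwd_image_t *out)
{
    if (len < XWD_FIXED_HEADER) return -1;              /* truncated header */
    if (be32(buf + 4) != XWD_FILE_VERSION) return -2;   /* not an XWD v7 file */
    out->header_size = be32(buf + 0);
    out->ncolors     = be32(buf + 76);                  /* word 19 of the header */

    /* header_size comes from the file: it must cover the fixed words and must
     * not place the colormap beyond the data we actually have. */
    if (out->header_size < XWD_FIXED_HEADER || out->header_size > len) return -3;

    /* ncolors comes from the file: bound it by the destination array and by the
     * remaining bytes.  Divide rather than multiply so a huge ncolors cannot
     * wrap the size computation. */
    size_t remaining = len - out->header_size;
    if (out->ncolors > MAX_COLORS || out->ncolors > remaining / XWD_COLOR_SIZE) return -4;

    const uint8_t *p = buf + out->header_size;
    for (uint32_t i = 0; i < out->ncolors; i++, p += XWD_COLOR_SIZE) {
        out->cmap[i].pixel = be32(p);
        out->cmap[i].red   = be16(p + 4);
        out->cmap[i].green = be16(p + 6);
        out->cmap[i].blue  = be16(p + 8);
        out->cmap[i].flags = p[10];
        out->cmap[i].pad   = p[11];
    }
    return 0;
}

/* Constructed sample file: 4-byte window name ("xwd\0") and `stored` real colour
 * entries, while the ncolors field is set to `claimed` so the two can disagree.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
static size_t build_sample(uint8_t *dst, size_t cap, uint32_t claimed, uint32_t stored)
{
    size_t need = XWD_FIXED_HEADER + 4 + (size_t)stored * XWD_COLOR_SIZE;
    if (need > cap) return 0;
    memset(dst, 0, need);
    put32(dst + 0, XWD_FIXED_HEADER + 4);   /* header_size includes the name */
    put32(dst + 4, XWD_FILE_VERSION);
    put32(dst + 76, claimed);
    memcpy(dst + XWD_FIXED_HEADER, "xwd", 4);
    for (uint32_t i = 0; i < stored; i++)   /* pixel value of entry i is i+1 */
        put32(dst + XWD_FIXED_HEADER + 4 + i * XWD_COLOR_SIZE, i + 1);
    return need;
}

/* Well-formed file: parses, and the second entry carries pixel value 2. */
int check_well_formed(void) {
    uint8_t f[256]; xwd_image_t img;
    size_t n = build_sample(f, sizeof f, 2, 2);
    int rc = xwd_parse(f, n, &img);
    return (rc == 0 && img.ncolors == 2 && img.cmap[1].pixel == 2) ? 0 : -99;
}
/* ncolors claims far more entries than the file holds: rejected before any write. */
int check_oversized_ncolors(void) {
    uint8_t f[256]; xwd_image_t img;
    size_t n = build_sample(f, sizeof f, 0x7fffffffu, 2);
    return xwd_parse(f, n, &img);
}
/* header_size points past the end of the data: rejected. */
int check_bad_header_size(void) {
    uint8_t f[256]; xwd_image_t img;
    size_t n = build_sample(f, sizeof f, 2, 2);
    put32(f, (uint32_t)n + 1);
    return xwd_parse(f, n, &img);
}

int main(void) {
    printf("well-formed: %d, oversized ncolors: %d, bad header_size: %d\n",
           check_well_formed(), check_oversized_ncolors(), check_bad_header_size());
    return 0;
}
```

The point to take from the checks is ordering: each file-supplied value is compared against the bytes actually present and the destination's capacity before the loop that writes into `cmap` runs, and the byte budget is computed by division so an oversized count cannot overflow a multiplication into a small, seemingly valid size. When triaging a fix like the one in [2], look for exactly that: a comparison added between reading the field and the first write it controls.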