ZDI-26-118: GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability

• Advisory Details GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability ZDI-26-118ZDI-CAN-28158 This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. • User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. • The specific flaw exists within the parsing of PGM files. • The issue results from the lack of proper initialization of memory prior to accessing it. • An attacker can leverage this vulnerability to execute code in the context of the current process. • 2025-11-11 - Vulnerability reported to vendor 2026-02-19 - Coordinated public release of advisory 2026-02-19 - Advisory Updated General Inquiries Find us on X Find us on Mastodon Media Inquiries Sensitive Email Communications Our Mission TrendAI TippingPoint IPS Process Researcher Rewards FAQS Privacy Published Advisories Upcoming Advisories RSS Feeds

Article Summaries:

• Security researchers have identified a remote code‑execution flaw in GIMP’s PGM file parser (CVE‑2026‑2044). The vulnerability arises from uninitialized memory usage, allowing attackers to run arbitrary code when a user opens a crafted PGM file or visits a malicious page. GIMP requires user interaction to trigger the exploit. The vendor has released a patch correcting the memory initialization issue. The CVSS score is 7.8, indicating high severity across confidentiality, integrity, and availability. The issue was disclosed by an anonymous source and documented in a GitLab merge request.

Sources:

• http://www.zerodayinitiative.com/advisories/ZDI-26-118/