• Remote attackers can execute arbitrary code via GIMP ICNS file parsing. • Exploit requires user interaction: opening malicious file or visiting malicious page. • Vulnerability due to missing validation of user-supplied data length before heap copy. • Affects GIMP installations; patch released by vendor on 2025-12-04. • Advisory publicly released on 2026-02-19; updated same day. • Mitigation: update GIMP to latest version; monitor for patches.
Article Summaries:
- Summary
A heap‑based buffer overflow in GIMP’s ICNS file parser (CVE‑2026‑2047) allows remote attackers to execute arbitrary code on affected installations. The flaw arises from insufficient validation of user‑supplied data lengths before copying to a heap buffer, enabling code execution in the context of the current process. Exploitation requires user interaction, such as opening a malicious file or visiting a malicious page. GIMP has released a patch to fix the issue; details are available in the GitLab merge request. The vulnerability carries a CVSS score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Sources: