Source: gimp
Version: 3.2.0~RC2-3.1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gimp.

CVE-2026-2048[0]:
| GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution
| Vulnerability. This vulnerability allows remote attackers to execute
| arbitrary code on affected installations of GIMP. User interaction
| is required to exploit this vulnerability in that the target must
| visit a malicious page or open a malicious file.  The specific flaw
| exists within the parsing of XWD files. The issue results from the
| lack of proper validation of user-supplied data, which can result in
| a write past the end of an allocated buffer. An attacker can
| leverage this vulnerability to execute code in the context of the
| current process. Was ZDI-CAN-28591.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2048
    https://www.cve.org/CVERecord?id=CVE-2026-2048
[1] https://gitlab.gnome.org/GNOME/gimp/-/issues/15554
[2] https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
