GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28266.
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Gimp
Gimp gimp
Vendors & Products Gimp
Gimp gimp

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28266.
Title GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2026-06-24T21:43:46.856Z

Updated: 2026-06-30T12:06:59.453Z

Reserved: 2026-02-06T01:17:46.262Z

Link: CVE-2026-2050

cve-icon Vulnrichment

Updated: 2026-06-25T13:09:42.736Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T21:43:46Z

Links: CVE-2026-2050 - Bugzilla