{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2047", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-02-06T01:16:39.038Z", "datePublished": "2026-02-20T22:23:41.576Z", "dateUpdated": "2026-02-26T14:44:12.360Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-02-20T22:23:41.576Z"}, "title": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530."}], "affected": [{"vendor": "GIMP", "product": "GIMP", "versions": [{"version": "3.0.6", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-120/", "name": "ZDI-26-120", "tags": ["x_research-advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2600/diffs?commit_id=dd2faac351f1ff2588529fedc606e6a5f815577c", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-02-06T01:16:39.051Z", "datePublic": "2026-02-19T14:22:34.916Z", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-21T04:56:38.963084Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:12.360Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-21T04:56:38.963084Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:21:01.952Z"}}], "cna": {"title": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "GIMP", "product": "GIMP", "versions": [{"status": "affected", "version": "3.0.6"}], "defaultStatus": "unknown"}], "datePublic": "2026-02-19T14:22:34.916Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-120/", "name": "ZDI-26-120", "tags": ["x_research-advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2600/diffs?commit_id=dd2faac351f1ff2588529fedc606e6a5f815577c", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-02-06T01:16:39.051Z", "descriptions": [{"lang": "en", "value": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-02-20T22:23:41.576Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2047", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:12.360Z", "dateReserved": "2026-02-06T01:16:39.038Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-02-20T22:23:41.576Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F9B29A73-05E5-438E-B994-61FBB133B6AC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo por desbordamiento de b\u00fafer basado en mont\u00edculo en el an\u00e1lisis de archivos ICNS de GIMP. Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de GIMP. Para explotar esta vulnerabilidad es precisa la interacci\u00f3n del usuario quien debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso.\n\nLa falla reside en el an\u00e1lisis de archivos ICNS. El problema se debe a la falta de validaci\u00f3n adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos a un b\u00fafer basado en mont\u00edculo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Fue ZDI-CAN-28530."}], "id": "CVE-2026-2047", "lastModified": "2026-02-24T21:41:07.567", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-02-20T23:16:05.003", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2600/diffs?commit_id=dd2faac351f1ff2588529fedc606e6a5f815577c"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-120/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gimp: GIMP: Remote code execution via heap-based buffer overflow in ICNS file parsing", "id": "2441517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441517"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-2047", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "gimp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gimp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "gimp:2.8/gimp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gimp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-20T22:23:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2047\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2047\nhttps://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2600/diffs?commit_id=dd2faac351f1ff2588529fedc606e6a5f815577c\nhttps://www.zerodayinitiative.com/advisories/ZDI-26-120/"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GIMP", "source": "cna", "vendor": "GIMP"}, "product": "gimp", "vendor": "gimp"}], "analysis": {"en": {"generated_at": "2026-04-18T11:23:45.731594+00:00", "value": {"mitigation_remediation": ["Update GIMP to a patched version (e.g., 3.0.7 or later) that includes the ICNS parsing fix.", "Configure your system or user environment to prevent the automatic loading of ICNS files from untrusted sources, such as disabling the ICNS import plug\u2011in or restricting file permissions on known malicious directories.", "If an update is not immediately available, avoid opening files with the .icns extension from unknown or untrusted sources until a patch is applied."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GIMP image editor, specifically version 3.0.6 as identified by the vendor. All installations running this version, or any build derived from it, are vulnerable. Users of other GIMP releases are not currently affected according to the available CNA data.", "description_and_impact": "A flaw in the parsing of ICNS files allows an attacker to cause a heap-based buffer overflow by supplying data whose length is not properly validated. This results in the ability to execute arbitrary code in the context of the GIMP process. The weakness involves improper handling of buffer sizes and heap allocation, corresponding to CWE-122, CWE-131, and CWE-787. Because code is executed with the same privileges as the user running GIMP, the impact extends to full local compromise of the user\u2019s account and potentially the machine.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low but non-zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. Attackers need a malicious file or a page that can trigger GIMP to load an ICNS file, which requires user interaction. Thus the attack vector is local via opening a crafted file or remote via a malicious web page that forces GIMP to process an ICNS file. Successful exploitation would lead to remote code execution under the current user\u2019s privileges."}}}}, "created": "2026-02-23T14:33:41.596631+00:00", "updated": "2026-04-18T11:30:44.318387+00:00", "vendors": ["gimp", "gimp$PRODUCT$gimp"]}