{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4152", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-13T20:32:46.564Z", "datePublished": "2026-04-11T00:15:54.200Z", "dateUpdated": "2026-04-14T03:55:52.703Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:15:54.200Z"}, "title": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863."}], "affected": [{"vendor": "GIMP", "product": "GIMP", "versions": [{"version": "3.0.8", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-219/", "name": "ZDI-26-219", "tags": ["x_research-advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/f64c9c23ba3c37dc7b875a9fb477c23953b4666e", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-03-13T20:32:46.604Z", "datePublic": "2026-03-19T20:51:47.302Z", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-4152"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T03:55:52.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4152", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:24:03.547065Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:24:21.660Z"}}], "cna": {"title": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "GIMP", "product": "GIMP", "versions": [{"status": "affected", "version": "3.0.8"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-19T20:51:47.302Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-219/", "name": "ZDI-26-219", "tags": ["x_research-advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/f64c9c23ba3c37dc7b875a9fb477c23953b4666e", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-03-13T20:32:46.604Z", "descriptions": [{"lang": "en", "value": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:15:54.200Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4152", "state": "PUBLISHED", "dateUpdated": "2026-04-14T03:55:52.703Z", "dateReserved": "2026-03-13T20:32:46.564Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:15:54.200Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gimp:gimp:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "0866C0EF-59AE-4AB9-8D0F-7C75CD20F77E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863."}], "id": "CVE-2026-4152", "lastModified": "2026-04-14T19:32:46.420", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:16.830", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Patch"], "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/f64c9c23ba3c37dc7b875a9fb477c23953b4666e"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-219/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gimp: GIMP: Remote Code Execution via malicious JP2 file parsing", "id": "2457533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457533"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in GIMP. A remote attacker could exploit this by tricking a user into opening a specially crafted JP2 (JPEG 2000) file. This flaw is due to a heap-based buffer overflow during JP2 file parsing, which allows for arbitrary code execution. Successful exploitation enables the attacker to execute code in the context of the current process."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, users should avoid opening JP2 (JPEG 2000) files from untrusted sources in GIMP. If GIMP is not required, consider removing the `gimp` package to eliminate the attack surface. For systems where GIMP is necessary, running the application within a sandboxed environment can limit the potential impact of successful exploitation. Removing this package may affect other applications that depend on GIMP."}, "name": "CVE-2026-4152", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "gimp", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "gimp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "gimp:2.8/gimp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gimp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-11T00:15:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4152\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4152\nhttps://gitlab.gnome.org/GNOME/gimp/-/commit/f64c9c23ba3c37dc7b875a9fb477c23953b4666e\nhttps://www.zerodayinitiative.com/advisories/ZDI-26-219/"], "statement": "This is an Important vulnerability in GIMP that could lead to arbitrary code execution. The flaw is a heap-based buffer overflow in the JP2 file parsing component. Exploitation requires user interaction, where a victim must open a specially crafted malicious JP2 file.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.0.8"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GIMP", "source": "cna", "vendor": "GIMP"}, "product": "gimp", "vendor": "gimp"}], "analysis": {"en": {"generated_at": "2026-04-14T21:25:06.380116+00:00", "value": {"mitigation_remediation": ["Apply the latest GIMP update that contains the JP2 parser fix.", "If an update is not yet available, avoid opening JP2 files from untrusted sources and disable automatic opening of such files.", "Monitor GIMP vendor announcements and security advisories for a patch release."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects GIMP, specifically the 3.0.8 release. No other vendor or product versions are known to be impacted at this time.", "description_and_impact": "An attacker can craft a JP2 image that contains an oversized data block. When GIMP parses the file, it does not verify the length of the block before copying it into a heap buffer, creating a heap-based buffer overflow that can overwrite memory and execute arbitrary code in the process. This flaw permits remote code execution with the privileges of the user running GIMP, leading to compromise of confidentiality, integrity, and availability of the victim\u2019s system.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity. An EPSS score of less than 1% suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires user interaction, such as opening a malicious JP2 file or visiting a web page that triggers a file visit. If an user consents, the attacker can run arbitrary code with the user\u2019s privileges."}}}}, "created": "2026-04-13T12:42:14.107376+00:00", "updated": "2026-04-15T15:45:07.549175+00:00", "vendors": ["gimp", "gimp$PRODUCT$gimp"]}