GIMP update closes security vulnerability in icon processing

GIMP has a vulnerability in the processing of ICO files. Attackers can use manipulated icon files to inject malicious code.

The vulnerability has been reported by Trend Micro's Zero-Day Initiative (ZDI). It is an unspecified integer overflow in the ICO parser of GIMP, which is due to insufficient checking of user-controlled data. This overflow can occur before writing to memory – the description does not explicitly mention it, but often the size of a created buffer is then not sufficient to hold the data, allowing memory areas to be overwritten with injected content. To exploit the vulnerability, potential victims must visit a malicious website or open a carefully crafted file (CVE-2025-5473 / EUVD-2025-17358, CVSS 7.8, risk "high").

GIMP: Vulnerable versions

The EUVD security notice mentions version 3.0.2 as the affected version. No such restriction can be found either in the ZDI or in the CVE vulnerability entry. Older versions are probably also vulnerable.

The developers have at least sealed the security leak in GIMP 3.0.4, which was released in May. Most Linux distributions have now distributed updated packages. Anyone who uses GIMP under Windows and has obtained the software from the Microsoft Store has already received the update automatically. All other GIMP users should check whether they are already using the latest version and update it if necessary.

In mid-March, the developers released the long-awaited update to GIMP 3. With the 3 development branch, the developers are closing some security gaps that are still contained in the GIMP 2 branch. Migration to the new GIMP software branch is therefore also recommended.

(dmk)