Image editor GIMP: Version 3.0.6 closes code-injection vulnerabilities
GIMP version 3.0.6 closes several high-risk security vulnerabilities. Attackers can inject malicious code using crafted image files.
(Image: heise medien)
The recently released update to GIMP 3.0.6 not only brings usability improvements but also closes significant security vulnerabilities. The vulnerability descriptions are now available: when processing crafted files in several image formats, GIMP can execute injected malicious code.
In the release announcement, the GIMP developers only briefly mention that they received reports from the Zero-Day Initiative (ZDI) about potential security vulnerabilities in some file import plug-ins. “While these issues are very unlikely to occur with real files,” they write, they have “proactively improved the security” of these import components.
GIMP: Several file parsers have holes
The ZDI has reported security vulnerabilities in several import routines for image formats. Unlike the GIMP developers, the IT researchers rate the risk as high.
In the parser for XWD files, crafted files can provoke a heap-based buffer overflow and thus inject and execute code (CVE-2025-10934 / EUVD-2025-36722, CVSS 7.8, Risk “high”). With ILBM files, a stack-based buffer overflow with the same consequences can occur (CVE-2025-10925 / EUVD-2025-36713, CVSS 7.8, Risk “high”), and FF files can trigger an integer overflow (CVE-2025-10924 / EUVD-2025-36714, CVSS 7.8, Risk “high”).
Another integer overflow is located in the WBMP parser (CVE-2025-10923 / EUVD-2025-36715, CVSS 7.8, Risk “high”), while crafted DCM files can cause a heap-based buffer overflow (CVE-2025-10922 / EUVD-2025-36716, CVSS 7.8, Risk “high”), as can HDR files (CVE-2025-10921 / EUVD-2025-36717, CVSS 7.8, Risk “high”). Finally, prepared ICNS files can lead to an out-of-bounds write and consequently to the execution of injected code (CVE-2025-10920 / EUVD-2025-36718, CVSS 7.8, Risk “high”).
Common to all of these vulnerabilities is that exploiting them requires opening a crafted file, so user interaction is necessary. Attackers would have to persuade potential victims to open such a file, for example through social engineering.
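The integer overflows listed above (FF, WBMP) and the heap-based overflows that such bugs typically feed share one root pattern: an allocation size derived from attacker-controlled header fields without checking for wrap-around, after which the decoder copies far more data than it allocated. The following C snippet is an added illustration, not GIMP code and not any of the affected plug-ins. It uses an assumed toy “IMG1” header format and constructed input bytes, and places the vulnerable size computation beside a hardened version that rejects wrapped products, implausible dimensions and truncated files.

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed toy format for this example (not any real GIMP plug-in):
 * 12-byte header "IMG1" | width u32 LE | height u32 LE,
 * followed by width*height RGBA pixels (4 bytes each). */
#define HDR_LEN 12
#define BPP     4
#define MAX_DIM 32768u   /* plausibility cap; an assumed policy value */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed input: claims 65536 x 65536 pixels. The product 2^32
 * wraps to 0 in 32-bit arithmetic, so a naive decoder mallocs 0 bytes. */
static const uint8_t EVIL_HDR[HDR_LEN] = {
    'I','M','G','1', 0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00 };

/* Constructed input: benign 2 x 2 image, header plus 16 pixel bytes. */
static const uint8_t GOOD_IMG[HDR_LEN + 16] = {
    'I','M','G','1', 2,0,0,0, 2,0,0,0,
    255,0,0,255, 0,255,0,255, 0,0,255,255, 255,255,255,255 };

/* Vulnerable pattern: the allocation size is computed in uint32_t, so
 * attacker-chosen dimensions wrap to a tiny value. A decoder that mallocs
 * this and then writes width*height pixels into it overflows the heap. */
uint32_t pixel_bytes_unchecked(const uint8_t *hdr) {
    uint32_t w = rd_le32(hdr + 4), h = rd_le32(hdr + 8);
    return w * h * BPP;           /* 65536 * 65536 * 4 wraps to 0 */
}

/* Hardened: magic and length check, plausibility cap, overflow-checked
 * multiplication, and a check that the input really carries that many
 * bytes. Returns the pixel byte count, or -1 on any rejection. */
long pixel_bytes_checked(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN || memcmp(buf, "IMG1", 4) != 0) return -1;
    uint32_t w = rd_le32(buf + 4), h = rd_le32(buf + 8);
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return -1;
    size_t n;
    if (__builtin_mul_overflow((size_t)w, (size_t)h, &n) ||
        __builtin_mul_overflow(n, (size_t)BPP, &n)) return -1;
    if (n > len - HDR_LEN) return -1;   /* truncated file would over-read */
    if (n > (size_t)LONG_MAX) return -1;
    return (long)n;
}

/* Decode path built on the checked size: the copy length has been
 * validated against both arithmetic wrap-around and the real input length,
 * so neither the heap buffer nor the input can be overrun. */
uint8_t *decode_rgba(const uint8_t *buf, size_t len, size_t *out_len) {
    long n = pixel_bytes_checked(buf, len);
    if (n < 0) return NULL;
    uint8_t *px = malloc((size_t)n);
    if (!px) return NULL;
    memcpy(px, buf + HDR_LEN, (size_t)n);
    *out_len = (size_t)n;
    return px;
}

int main(void) {
    printf("unchecked size for 65536x65536: %u bytes\n",
           pixel_bytes_unchecked(EVIL_HDR));
    printf("checked size for 65536x65536:   %ld (rejected)\n",
           pixel_bytes_checked(EVIL_HDR, HDR_LEN));
    size_t n = 0;
    uint8_t *px = decode_rgba(GOOD_IMG, sizeof GOOD_IMG, &n);
    printf("benign 2x2 decoded: %zu bytes, first pixel R=%u\n",
           n, px ? px[0] : 0);
    free(px);
    return 0;
}
```

The two checks that matter most are the overflow-checked multiplication (here via the GCC/Clang `__builtin_mul_overflow` builtin) and the comparison of the computed size against the bytes actually present in the input; a plausibility cap on the dimensions is a useful third line of defence but is not a substitute for either.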
The IT researchers discovered the security vulnerabilities in GIMP 3.0.4; version 3.0.6 from early October closes them. GIMP users should apply the available update promptly. On Linux, the distribution's package manager should provide the update. Those who installed GIMP from the Microsoft Store on Windows should have received an automatic update. Winget also provides the update; running “winget update gimp” should bring it to the local machine. Alternatively, the GIMP project offers installation packages for various platforms on its download page.
In June, the GIMP programmers fixed a vulnerability in the ICO parser that likewise allowed the injection of malicious code.
(dmk)