Gimp: Update closes code-injection vulnerabilities
The new Gimp version 3.2 also closes two high-risk vulnerabilities that allow injection of malicious code. Users should update promptly.
(Image: Gimp Team / edited by heise medien)
Over the weekend, the Gimp project released version 3.2 of the powerful and open-source graphics program. The new version not only brings new and improved features for artists but also patches security vulnerabilities classified as highly risky.
The Zero Day Initiative (ZDI) of Trend Micro (now integrated into the company under the name “TrendAI”) reported two vulnerabilities in parsers for certain image formats. When processing LBM files, a variant of the Amiga Interchange File Format (IFF), attackers can trigger a heap buffer overflow with manipulated image files: the code copies data from the file into a destination buffer without first correctly checking its length. The flaw allows execution of injected code in the context of the Gimp process (CVE-2026-2046, CVSS 7.8, risk “high”).
The second vulnerability affects the processing of High Dynamic Range (HDR) images. The handling of the RGBE format, which stores color information as 32-bit floating-point values, likewise fails to check the length of user-supplied data before copying it into a heap buffer. Here too, attackers can use carefully crafted files to inject code that is then executed in the context of the running process (CVE-2026-2049, CVSS 7.8, risk “high”).
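Both flaws belong to the same bug class: a length field taken from the file decides how many bytes are copied into a heap buffer whose capacity is fixed, and the copy runs before that length is validated. The following added example (not Gimp's code, and not the vulnerable parsers from the advisory) shows the two checks a chunk parser needs. It assumes a hypothetical IFF-style chunk layout of a 4-byte tag, a 4-byte big-endian length and the payload, and a fixed destination capacity `MAX_PAYLOAD`; the sample chunks are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunk layout: 4-byte tag, 4-byte big-endian length, payload. */
#define CHUNK_HEADER 8
/* Capacity of the heap buffer the payload is copied into (assumed value). */
#define MAX_PAYLOAD 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,  /* declared length exceeds the bytes actually present */
    PARSE_TOO_LARGE = 2,  /* declared length exceeds the destination buffer */
    PARSE_OOM = 3
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one chunk from `data` (`len` bytes). On PARSE_OK, *out receives a
 * malloc'd buffer of MAX_PAYLOAD bytes holding the payload and *out_len its
 * length; the caller frees *out. On any error *out stays NULL. */
enum parse_status parse_chunk(const uint8_t *data, size_t len, char tag[5],
                              uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (len < CHUNK_HEADER)
        return PARSE_TRUNCATED;

    memcpy(tag, data, 4);
    tag[4] = '\0';
    uint32_t declared = read_be32(data + 4);

    /* Check 1: the declared length must be backed by bytes in the input. */
    if (declared > len - CHUNK_HEADER)
        return PARSE_TRUNCATED;

    /* Check 2: the declared length must fit the fixed destination buffer.
     * Leaving this check out is exactly the pattern behind a heap overflow:
     * the copy size is chosen by file data, the buffer size is not. */
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;

    uint8_t *buf = malloc(MAX_PAYLOAD);
    if (buf == NULL)
        return PARSE_OOM;
    memcpy(buf, data + CHUNK_HEADER, declared);
    *out = buf;
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample chunks (not real LBM/RGBE data). */
static const uint8_t GOOD_CHUNK[] = { 'B','M','H','D', 0,0,0,4, 1,2,3,4 };
/* Declares 0x1000 (4096) payload bytes but only 4 are present. */
static const uint8_t LYING_CHUNK[] = { 'B','O','D','Y', 0,0,0x10,0, 1,2,3,4 };

/* Run the parser on a sample and report only the status. */
enum parse_status check_sample(const uint8_t *data, size_t len)
{
    char tag[5];
    uint8_t *buf;
    size_t n;
    enum parse_status s = parse_chunk(data, len, tag, &buf, &n);
    free(buf);
    return s;
}

/* A chunk whose payload is fully present (128 bytes) but larger than MAX_PAYLOAD. */
enum parse_status check_oversized(void)
{
    uint8_t big[CHUNK_HEADER + 128];
    memcpy(big, "BODY", 4);
    big[4] = 0; big[5] = 0; big[6] = 0; big[7] = 128;
    memset(big + CHUNK_HEADER, 0xAB, 128);
    return check_sample(big, sizeof big);
}

int main(void)
{
    printf("good:      %d\n", check_sample(GOOD_CHUNK, sizeof GOOD_CHUNK));
    printf("truncated: %d\n", check_sample(LYING_CHUNK, sizeof LYING_CHUNK));
    printf("oversized: %d\n", check_oversized());
    return 0;
}
```

The second check is the one that matters for the advisory's bug class: a file can declare any length it likes, so the copy size must be bounded by the destination's capacity, not by what the file claims. Fuzzing a parser with chunks like `LYING_CHUNK` and the oversized sample is a cheap way to catch the missing check before a release.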
Update now
Anyone who has so far put off updating to Gimp 3.2 on the assumption that it only adds and improves features should not wait any longer: updating to Gimp 3.2 reduces the attack surface available to cybercriminals.
On the Gimp project's download page, installation files for Linux are available as AppImages for the x86_64 and ARM64 architectures, alongside links to Flathub and the Snap Store. macOS users will find installation files for Intel-based systems and for Apple Silicon – the project points out that it does not offer an official package in the Apple App Store; any offers there come from third-party providers. For Windows, installation from the Microsoft Store is recommended, since it also downloads and installs updates automatically. A direct download is available as well, which can also be used on 32-bit x86 CPUs – for the last time: as of Gimp 3.2.2, the project intends to discontinue 32-bit support permanently.
(dmk)