Gimp 3.2.2 patches vulnerability that allows code injection with GIFs
Security vulnerabilities in Gimp allow code injection with manipulated files like GIFs. Gimp 3.2.2 corrects them.
(Image: Gimp Team / heise medien)
Vulnerabilities lurk in Gimp's loading routines for several image formats, and attackers can exploit them, for example, to inject and execute malicious code. Opening a manipulated image file, for instance in GIF format, is sufficient. Gimp 3.2.2 is the updated version that closes the gaps.
The vulnerability entries appeared on Thursday night. For example, in the ReadJeffsImage function of the GIF loading component, attackers can exploit a potential buffer overflow to write beyond the boundaries of an allocated buffer. This could potentially lead to the execution of arbitrary code when processing carefully crafted GIF files (CVE-2026-6384, CVSS 7.3, Risk “high”).
Further security issues in file processing
Further security vulnerabilities affect plugins for processing specific file formats. A buffer overflow when reading “file-seattle-filmworks” files can lead to a crash (CVE-2026-40919, CVSS 6.1, Risk “medium”). A prepared PVR image file can likewise provoke a denial of service (CVE-2026-40918, CVSS 5.5, Risk “medium”). When reading FITS images, an integer overflow can occur in the size calculation, so that a zero-byte buffer is requested; writing the pixel data then leads to a heap-based buffer overflow. This could also potentially be exploited to inject malicious code (CVE-2026-40915, CVSS 5.5, Risk “medium”).
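The FITS bug described above (an integer overflow that turns into a zero-byte allocation, followed by an out-of-bounds heap write) and the GIF write past an allocated buffer share the same root cause: a byte count derived from attacker-controlled header fields is trusted both at allocation and at write time. The following C program is an added example, not code from Gimp or from the affected plug-ins. The header struct, the function names, the 1 GiB policy cap and the sample dimensions are all constructed for illustration; it shows the wrapping size computation next to an overflow-checked version, and a write routine that is bounded by the real allocation rather than by the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header: the three values a raster loader takes from the file
 * before allocating pixel storage. Not GIMP's FITS or GIF structures. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} img_header_t;

/* Example policy cap (an assumption, not a GIMP constant): refuse images
 * whose pixel buffer would exceed 1 GiB even when the arithmetic does not
 * wrap, so that a huge but "valid" header cannot exhaust memory either. */
#define MAX_PIXEL_BYTES ((size_t)1 << 30)

/* Vulnerable pattern: width * height * bpp evaluated in 32-bit arithmetic
 * wraps silently. 65536 x 65536 x 1 = 2^32 wraps to exactly 0, so a loader
 * using this value asks malloc for a zero-byte buffer and later writes
 * 2^32 bytes of pixel data into it. */
uint32_t naive_pixel_bytes(const img_header_t *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened pattern: check each multiplication against SIZE_MAX before it
 * happens and reject zero dimensions. Returns 1 and stores the size on
 * success, 0 when the header must be rejected. */
int checked_pixel_bytes(const img_header_t *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return 0;
    if ((size_t)h->width > SIZE_MAX / h->height)
        return 0;
    size_t area = (size_t)h->width * h->height;
    if ((size_t)h->bytes_per_pixel > SIZE_MAX / area)
        return 0;
    *out = area * h->bytes_per_pixel;
    return 1;
}

/* Allocation done the hardened way: a wrapped or oversized request never
 * reaches malloc. On success *len holds the real buffer length. */
uint8_t *alloc_pixels(const img_header_t *h, size_t *len)
{
    size_t n;
    if (!checked_pixel_bytes(h, &n) || n > MAX_PIXEL_BYTES)
        return NULL;
    uint8_t *p = calloc(n, 1);
    if (p)
        *len = n;
    return p;
}

/* The write side: copy decoded pixel data only if it fits in the buffer
 * that was actually allocated, never trusting a header-derived count.
 * Returns 1 on success, 0 when the data would overrun the allocation. */
int write_pixel_data(uint8_t *buf, size_t buf_len, size_t offset,
                     const uint8_t *src, size_t src_len)
{
    if (offset > buf_len || src_len > buf_len - offset)
        return 0;
    memcpy(buf + offset, src, src_len);
    return 1;
}

int main(void)
{
    /* Constructed headers: one crafted to wrap the size, one benign. */
    const img_header_t crafted = { 65536, 65536, 1 };
    const img_header_t benign = { 640, 480, 3 };
    size_t len = 0;

    printf("crafted: naive size %u\n", naive_pixel_bytes(&crafted));
    printf("crafted: accepted by hardened loader? %s\n",
           alloc_pixels(&crafted, &len) ? "yes" : "no");

    uint8_t *px = alloc_pixels(&benign, &len);
    if (px) {
        const uint8_t row[4] = { 1, 2, 3, 4 };
        printf("benign: %zu bytes, in-bounds write ok=%d, overrun ok=%d\n",
               len,
               write_pixel_data(px, len, 0, row, sizeof row),
               write_pixel_data(px, len, len - 2, row, sizeof row));
        free(px);
    }
    return 0;
}
```

The two checks are deliberately separate: the overflow-safe multiplication stops the zero-byte (or truncated) allocation, and the bounded write stops the heap overflow even if some other path produces an allocation that is smaller than the decoder expects.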
Manipulated ICNS images can cause memory beyond the intended boundaries to be read due to a vulnerability in the icns_slurp() function, potentially disclosing information (CVE-2026-40917, CVSS 5.0, Risk “medium”). Carefully crafted TIM images can also lead to a denial of service, because an overflow occurs during 4BPP decoding (CVE-2026-40916, CVSS 5.0, Risk “medium”).
Anyone who uses any of the affected file formats GIF, file-seattle-filmworks, FITS, ICNS, or TIM should upgrade to Gimp 3.2.2 as soon as possible. Current installer packages are available on the download site.
Gimp 3.2 was released in mid-March and also closed highly risky code injection vulnerabilities.
Update: Gimp 3.2.2 already corrects the vulnerabilities; only the CVE entries were published overnight. The article has been corrected accordingly.
(dmk)