CVE-2026-2271
Heap Overflow in GIMP PSP Parser Causes Remote DoS
Publication date: 2026-03-26
Last updated on: 2026-04-21
Assigner: Red Hat, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gimp | gimp | 3.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can be exploited by a remote attacker who provides a specially crafted PSP image file to GIMP.
Successful exploitation causes a heap overflow and out-of-bounds memory write, which leads to an application-level denial of service (crash).
This means that an attacker could cause GIMP to crash or become unavailable when processing malicious PSP files, potentially disrupting workflows or services relying on GIMP.
Can you explain this vulnerability to me?
CVE-2026-2271 is an integer overflow vulnerability in GIMP's PSP (Paint Shop Pro) image file parser, specifically in the read_creator_block() function. The vulnerability occurs because a 32-bit length value is read directly from a PSP file without proper validation and then used for memory allocation.
When the length value is set to a very large number (0xFFFFFFFF), the memory allocation function (g_malloc) receives an incorrect size due to integer overflow, resulting in a very small buffer being allocated.
Subsequently, the program attempts to read a large amount of data (approximately 4 GB) into this undersized buffer, causing a heap overflow and an out-of-bounds write. This leads to a crash of the application, resulting in a denial of service.
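The failure mode described above, as an added example (not GIMP's code and not taken from the advisory): it assumes the allocation size is computed as `length + 1` in 32-bit arithmetic, which the page does not state, and places that unchecked calculation beside a check that rejects the field before anything is allocated. The function names and the `remaining` parameter are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed pattern, not GIMP's code: size = length + 1 computed in 32 bits.
 * For length == 0xFFFFFFFF the sum wraps to 0, so the allocator is asked
 * for a tiny buffer while the reader still expects `length` bytes. */
static uint32_t unchecked_alloc_size(uint32_t length)
{
    return length + 1u;
}

/* Hardened form: validate the untrusted length before any arithmetic.
 * `remaining` is the number of bytes left in the enclosing block or file
 * (hypothetical parameter). Returns 0 and sets *out on success, -1 to reject. */
static int checked_alloc_size(uint32_t length, uint64_t remaining, size_t *out)
{
    if (length == UINT32_MAX)          /* length + 1 would wrap in 32 bits */
        return -1;
    if ((uint64_t)length > remaining)  /* field claims more data than exists */
        return -1;
    *out = (size_t)length + 1u;        /* room for a terminating NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample values: the 0xFFFFFFFF case from the text,
     * an oversized length, and a well-formed 12-byte field. */
    const uint32_t lengths[] = { 0xFFFFFFFFu, 0x00100000u, 12u };
    const uint64_t remaining = 64;     /* constructed: bytes left in the block */

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t size = 0;
        int rc = checked_alloc_size(lengths[i], remaining, &size);
        printf("length=0x%08X unchecked=%u checked=%s size=%zu\n",
               (unsigned)lengths[i], (unsigned)unchecked_alloc_size(lengths[i]),
               rc == 0 ? "accept" : "reject", size);
    }
    return 0;
}
```

Comparing the length against the bytes actually left in the input also rejects large values that do not wrap, so the later read can never exceed the buffer.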
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing GIMP's PSP file parser with specially crafted PSP image files that trigger the integer overflow in the read_creator_block() function.
A proof-of-concept (PoC) crafted PSP file named psp_overflow.psp can be used to trigger the vulnerability.
To detect memory errors caused by this vulnerability, you can compile the vulnerable code with AddressSanitizer enabled and run tests using the PoC file.
- Compile the test harness with clang and AddressSanitizer: `clang -fsanitize=address -o harness_psp harness_psp.c`
- Run the test harness with the crafted PSP file: `./harness_psp psp_overflow.psp`
This will help detect heap overflow and out-of-bounds writes caused by the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding opening or processing untrusted or specially crafted PSP image files with vulnerable versions of GIMP.
Updating GIMP to a version where this vulnerability is fixed is recommended once a patch is available.
If updating is not immediately possible, consider disabling or restricting the PSP file parser plugin or limiting user access to GIMP to trusted users only.