CVE-2026-5201
Heap-Based Buffer Overflow in gdk-pixbuf JPEG Loader Causes DoS
Publication date: 2026-03-31
Last updated on: 2026-05-01
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| gnome | gdk-pixbuf | * |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_server_aus | 8.2 |
| redhat | enterprise_linux_server_aus | 8.4 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux_server_tus | 8.8 |
| redhat | enterprise_linux | 10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5201 is a heap-based buffer overflow vulnerability found in the gdk-pixbuf library's JPEG image loader. It occurs because the library improperly validates the number of color components when processing specially crafted JPEG images. This leads to insufficient memory allocation for pixel data, causing the library to write more data than the buffer can hold.
This flaw can be triggered remotely without any user interaction, for example, during automatic thumbnail generation. When exploited, it causes memory corruption that results in application crashes and denial-of-service (DoS) conditions.
How can this vulnerability impact me?
The primary impact of this vulnerability is denial of service. An attacker can cause applications using the vulnerable gdk-pixbuf library to crash by sending specially crafted JPEG images. This can disrupt services that rely on image processing, such as thumbnail generation, potentially leading to system instability or downtime.
Although there have been claims about possible code execution, these are not reliably proven and would require unrealistic conditions. Therefore, the confirmed impact remains limited to application crashes and denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in the gdk-pixbuf library's JPEG image loader when processing specially crafted JPEG images, leading to application crashes and denial of service. Detection involves identifying if your system uses a vulnerable version of gdk-pixbuf.
You can check the installed version of gdk-pixbuf with your package manager. On RPM-based Linux systems, where the package is named gdk-pixbuf2, run:
- `rpm -q gdk-pixbuf2`
On Debian-based systems, use:
- `dpkg -l | grep gdk-pixbuf`
Additionally, monitoring application logs for crashes related to image processing or thumbnail generation involving JPEG images may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the gdk-pixbuf library to a patched version provided by your Linux distribution vendor.
If an update is not immediately available, consider restricting or disabling processing of untrusted JPEG images, especially in automated thumbnail generation or image processing workflows.
Additionally, monitor systems for crashes related to image processing and apply any vendor advisories or workarounds.
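An added example, not taken from gdk-pixbuf or from this advisory: a fail-closed pre-filter that an image-processing workflow could run on untrusted JPEGs before passing them to the loader while a patch is pending. It reads the frame header and rejects files whose component count falls outside an allow-list of 1, 3 or 4, or disagrees with the component entries actually listed. The allow-list, the function names and the sample builder are assumptions for illustration, not a signature derived from the fix.

```python
import struct

# SOF0..SOF15 carry the frame header; 0xC4 (DHT), 0xC8 (JPG), 0xCC (DAC) do not.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM, RST0..RST7: no length field
ALLOWED_COMPONENTS = {1, 3, 4}  # assumption: grayscale, YCbCr/RGB, CMYK/YCCK


def jpeg_frame_header(data: bytes):
    """Return (width, height, declared_components, listed_components) of the first SOF."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS reached before any SOF
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + seg_len]
        if seg_len < 2 or len(payload) != seg_len - 2:
            raise ValueError("truncated or malformed segment")
        if marker in SOF_MARKERS:
            if len(payload) < 6:
                raise ValueError("SOF segment too short")
            _precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            return width, height, ncomp, (len(payload) - 6) // 3
        pos += 2 + seg_len
    raise ValueError("no SOF segment found")


def passes_prefilter(data: bytes) -> bool:
    """Fail closed: reject anything that does not parse or has unusual components."""
    try:
        width, height, ncomp, listed = jpeg_frame_header(data)
    except ValueError:
        return False
    return ncomp in ALLOWED_COMPONENTS and ncomp == listed and width > 0 and height > 0


def constructed_sample(ncomp: int, listed: int) -> bytes:
    """Constructed header-only JPEG (no scan data) for exercising the filter."""
    sof = struct.pack(">BHHB", 8, 16, 16, ncomp) + b"\x01\x11\x00" * listed
    return b"\xff\xd8\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof + b"\xff\xd9"
```

Files that fail the filter are better quarantined for review than silently dropped, since a rejection may also indicate a truncated upload.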
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes denial-of-service conditions through application crashes due to a heap-based buffer overflow in the gdk-pixbuf library's JPEG image loader.
There is no information provided about any impact on data confidentiality, integrity, or availability beyond denial of service, nor any direct mention of effects on compliance with standards such as GDPR or HIPAA.
Therefore, based on the available information, this vulnerability primarily affects application availability but does not explicitly indicate violations or compliance issues related to common data protection regulations.