CVE-2025-59820

low-risk

Published 2025-11-26

In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.7/10 Medium

LOCAL / HIGH complexity

References (4)

https://invent.kde.org/graphics/krita/

https://invent.kde.org/graphics/krita/-/commit/6d3651ac4df88efb68e013d21061de984...

https://kde.org/info/security/advisory-20250929-1.txt

https://lists.debian.org/debian-lts-announce/2025/12/msg00006.html

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal