CVE-2026-2239

low-risk

Published 2026-03-26

A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string function when processing a specially crafted PSD (Photoshop Document) file. This occurs because the buffer allocated for a Pascal string is not properly null-terminated, leading to an out-of-bounds read when strlen() is subsequently called. Successfully exploiting this vulnerability can cause the application to crash, resulting in an application level Denial of Service.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.8/10 Low

LOCAL / LOW complexity

Affected Products (4)

Gimp

Enterprise Linux

Affected Vendors

Redhat Gimp

References (3)

Third Party Advisory https://access.redhat.com/security/cve/CVE-2026-2239

Exploit https://bugzilla.redhat.com/show_bug.cgi?id=2437675

Exploit https://gitlab.gnome.org/GNOME/gimp/-/issues/15812

/ 100

low-risk

Severity 11/34 · Low

Exploitability 0/34 · Minimal

Exposure 10/34 · Low