| Package | gimp |
|---|---|
| Version | 2.8.18-1+deb9u5 (stretch), 2.10.8-2+deb10u4 (buster) |
| Related CVEs | CVE-2025-6035 CVE-2025-10922 CVE-2025-48797 CVE-2025-48798 |
Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed DICOM, TGA or XCF images are opened, or when using the Despeckle plug-in on a very large image.
- CVE-2025-6035

  An integer overflow vulnerability exists in the GIMP "Despeckle" plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios.

- CVE-2025-10922

  ZDI-CAN-27863: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

- CVE-2025-48797

  A flaw exists when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow.

- CVE-2025-48798

  A flaw exists when processing XCF image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing use-after-free issues.
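The CVE-2025-6035 entry above describes a general defect class: a buffer size computed as width * height * bytes-per-pixel in arithmetic that can wrap, so the allocation ends up smaller than the pixel data later written into it. The following C program is an added illustration, not GIMP's code or its actual fix: it places the wrapping computation beside an overflow-checked one. The helper names, the `MAX_IMAGE_BYTES` limit and the sample dimensions are constructed for this example, and the checked version assumes the GCC/Clang `__builtin_mul_overflow` builtin.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound on pixel data this example is willing to allocate;
 * a real plug-in would derive its own limit from its memory budget. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* The defect class: width * height * bpp computed in 32-bit arithmetic.
 * When the product wraps, the result is far smaller than the real pixel
 * data, so a buffer sized from it is too small for the writes that follow. */
static uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* unsigned wrap: 65536*65536*4 == 0 */
}

/* Hardened form: every multiplication is overflow-checked (GCC/Clang builtin),
 * inputs must be positive, and the total must stay within MAX_IMAGE_BYTES.
 * Returns 1 and stores the byte count on success, 0 on any failure. */
static int checked_buffer_size(int width, int height, int bpp, size_t *out)
{
    size_t bytes;

    if (out == NULL || width <= 0 || height <= 0 || bpp <= 0)
        return 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &bytes))
        return 0;
    if (__builtin_mul_overflow(bytes, (size_t)bpp, &bytes))
        return 0;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;
    *out = bytes;
    return 1;
}

/* Allocate a zeroed pixel buffer only after the size has been validated; the
 * caller receives NULL (never an undersized buffer) for hostile dimensions. */
static unsigned char *alloc_pixel_buffer(int width, int height, int bpp, size_t *len)
{
    size_t bytes;
    unsigned char *buf;

    if (!checked_buffer_size(width, height, bpp, &bytes))
        return NULL;
    buf = calloc(1, bytes);
    if (buf != NULL && len != NULL)
        *len = bytes;
    return buf;
}

int main(void)
{
    size_t len = 0;
    unsigned char *buf;

    /* Constructed dimensions chosen so the 32-bit product wraps to zero. */
    printf("naive 65536x65536x4 -> %u bytes (wrapped)\n",
           (unsigned)naive_buffer_size(65536u, 65536u, 4u));

    buf = alloc_pixel_buffer(640, 480, 4, &len);
    printf("640x480x4 -> %s (%zu bytes)\n", buf ? "allocated" : "rejected", len);
    free(buf);

    buf = alloc_pixel_buffer(65536, 65536, 4, &len);
    printf("65536x65536x4 -> %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The design point is that the size check happens once, before allocation, and failure is reported to the caller rather than silently clamped: an image that cannot be sized safely is refused, so no later loop can write past a buffer that was computed from wrapped arithmetic.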
For Debian 10 buster, these problems have been fixed in version 2.10.8-2+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 2.8.18-1+deb9u5.
We recommend that you upgrade your gimp packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.