CVE-2026-58384: GIMP PSD Parser Integer Overflow Leads to RCE/DoS
An integer overflow vulnerability (CVE-2026-58384) exists in GIMP's PSD parser within the `read_RLE_channel()` function, leading to undersized heap allocations that can cause subsequent heap memory corruption, potentially resulting in denial of service or arbitrary code execution.
CVE-2026-58384 describes a critical flaw in the GIMP (GNU Image Manipulation Program) PSD (Photoshop Document) parser. Specifically, an integer overflow occurs within the read_RLE_channel() function. This vulnerability arises when processing specially crafted PSD files, causing an undersized heap allocation for the Run-Length Encoding (RLE) row-length table. Following this incorrect allocation, subsequent per-row writes attempt to use more memory than allocated, leading to heap memory corruption. This memory corruption can have severe consequences, including the application crashing (denial of service) or, in a more advanced scenario, the execution of arbitrary code on the affected system. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and affects GIMP, including its package within Red Hat Enterprise Linux 9.
Attack Chain
- An attacker crafts a malicious PSD file designed to trigger an integer overflow in GIMP's parser.
- The malicious PSD file contains specially formatted RLE channel data intended to cause an undersized buffer allocation.
- A user is enticed to open the malicious PSD file using an affected version of the GIMP application.
- GIMP's
read_RLE_channel()function begins processing the RLE channel data from the malicious file. - During the calculation for the RLE row-length table allocation, an integer overflow occurs due to the crafted input.
- This integer overflow results in an undersized heap allocation for the RLE row-length table, creating a buffer overflow condition.
- Subsequent writes by the
read_RLE_channel()function, intended for per-row data, exceed the boundary of the undersized buffer, corrupting adjacent heap memory. - This heap memory corruption ultimately leads to either a denial-of-service condition (e.g., GIMP application crash) or, under specific exploit conditions, arbitrary code execution in the context of the user running GIMP.
Impact
The impact of CVE-2026-58384 is significant, potentially leading to application instability, data loss, or complete system compromise. If exploited for denial of service, GIMP users would experience application crashes, hindering productivity. More critically, successful exploitation for arbitrary code execution could allow an attacker to run malicious code with the privileges of the compromised user, potentially leading to further compromise of the system, data exfiltration, or installation of additional malware. While no specific victim counts or sectors are mentioned, any organization or individual using affected GIMP versions is at risk.
Recommendation
- Update GIMP to a patched version immediately to remediate CVE-2026-58384, as referenced by the
https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217commit. - Apply security updates for Red Hat Enterprise Linux 9 if using the GIMP package, addressing CVE-2026-58384, as detailed in the Red Hat advisory
https://access.redhat.com/security/cve/CVE-2026-58384. - Ensure all software, particularly applications that handle untrusted file formats, are kept up-to-date with the latest security patches.