{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/gnome/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-58384"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GIMP","Red Hat Enterprise Linux 9"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","dos","gimp","linux","heap-overflow"],"_cs_type":"advisory","_cs_vendors":["GNOME","Red Hat"],"content_html":"\u003cp\u003eCVE-2026-58384 describes a critical flaw in the GIMP (GNU Image Manipulation Program) PSD (Photoshop Document) parser. Specifically, an integer overflow occurs within the \u003ccode\u003eread_RLE_channel()\u003c/code\u003e function. This vulnerability arises when processing specially crafted PSD files, causing an undersized heap allocation for the Run-Length Encoding (RLE) row-length table. Following this incorrect allocation, subsequent per-row writes attempt to use more memory than allocated, leading to heap memory corruption. This memory corruption can have severe consequences, including the application crashing (denial of service) or, in a more advanced scenario, the execution of arbitrary code on the affected system. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and affects GIMP, including its package within Red Hat Enterprise Linux 9.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PSD file designed to trigger an integer overflow in GIMP's parser.\u003c/li\u003e\n\u003cli\u003eThe malicious PSD file contains specially formatted RLE channel data intended to cause an undersized buffer allocation.\u003c/li\u003e\n\u003cli\u003eA user is enticed to open the malicious PSD file using an affected version of the GIMP application.\u003c/li\u003e\n\u003cli\u003eGIMP's \u003ccode\u003eread_RLE_channel()\u003c/code\u003e function begins processing the RLE channel data from the malicious file.\u003c/li\u003e\n\u003cli\u003eDuring the calculation for the RLE row-length table allocation, an integer overflow occurs due to the crafted input.\u003c/li\u003e\n\u003cli\u003eThis integer overflow results in an undersized heap allocation for the RLE row-length table, creating a buffer overflow condition.\u003c/li\u003e\n\u003cli\u003eSubsequent writes by the \u003ccode\u003eread_RLE_channel()\u003c/code\u003e function, intended for per-row data, exceed the boundary of the undersized buffer, corrupting adjacent heap memory.\u003c/li\u003e\n\u003cli\u003eThis heap memory corruption ultimately leads to either a denial-of-service condition (e.g., GIMP application crash) or, under specific exploit conditions, arbitrary code execution in the context of the user running GIMP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-58384 is significant, potentially leading to application instability, data loss, or complete system compromise. If exploited for denial of service, GIMP users would experience application crashes, hindering productivity. More critically, successful exploitation for arbitrary code execution could allow an attacker to run malicious code with the privileges of the compromised user, potentially leading to further compromise of the system, data exfiltration, or installation of additional malware. While no specific victim counts or sectors are mentioned, any organization or individual using affected GIMP versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate GIMP to a patched version immediately to remediate CVE-2026-58384, as referenced by the \u003ccode\u003ehttps://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217\u003c/code\u003e commit.\u003c/li\u003e\n\u003cli\u003eApply security updates for Red Hat Enterprise Linux 9 if using the GIMP package, addressing CVE-2026-58384, as detailed in the Red Hat advisory \u003ccode\u003ehttps://access.redhat.com/security/cve/CVE-2026-58384\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure all software, particularly applications that handle untrusted file formats, are kept up-to-date with the latest security patches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T09:18:26Z","date_published":"2026-07-07T09:18:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58384-gimp-psd-parser/","summary":"An integer overflow vulnerability (CVE-2026-58384) exists in GIMP's PSD parser within the `read_RLE_channel()` function, leading to undersized heap allocations that can cause subsequent heap memory corruption, potentially resulting in denial of service or arbitrary code execution.","title":"CVE-2026-58384: GIMP PSD Parser Integer Overflow Leads to RCE/DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58384-gimp-psd-parser/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-58380"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GIMP","Red Hat Enterprise Linux 6","Red Hat Enterprise Linux 7","Red Hat Enterprise Linux 8","Red Hat Enterprise Linux 9"],"_cs_severities":["high"],"_cs_tags":["vulnerability","memory-corruption","buffer-overflow","GIMP","linux"],"_cs_type":"threat","_cs_vendors":["GNOME","Red Hat"],"content_html":"\u003cp\u003eCVE-2026-58380 details a critical vulnerability discovered in GIMP's PNM (Portable Anymap) image file format parser. The flaw resides within the \u003ccode\u003epnmscanner_gettoken()\u003c/code\u003e function, where an off-by-one error during a loop boundary check causes a null terminator to be written one byte beyond the intended boundary of a stack-allocated buffer. This memory corruption is triggered when GIMP attempts to parse a specially crafted PNM file. While not yet observed in active exploitation, successful exploitation could lead to application instability and denial of service due to crashes, or, more severely, arbitrary code execution, granting an attacker control over the compromised system. This vulnerability affects various GIMP versions, including those shipped with Red Hat Enterprise Linux distributions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PNM image file specifically designed to exploit the off-by-one error in GIMP's \u003ccode\u003epnmscanner_gettoken()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious PNM file is delivered to a victim through common vectors such as email attachments, malicious websites, or untrusted file shares.\u003c/li\u003e\n\u003cli\u003eThe victim opens the specially crafted PNM file using the vulnerable GIMP application.\u003c/li\u003e\n\u003cli\u003eDuring the file parsing process, the \u003ccode\u003epnmscanner_gettoken()\u003c/code\u003e function attempts to process the malicious input.\u003c/li\u003e\n\u003cli\u003eThe off-by-one error causes a null byte to be written past the end of a stack buffer, corrupting adjacent memory.\u003c/li\u003e\n\u003cli\u003eThis memory corruption disrupts program execution flow, leading to either an immediate application crash (denial of service) or, under controlled conditions, enables arbitrary code execution on the victim's system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability, CVE-2026-58380, carries a CVSS v3.1 Base Score of 7.3 (High), indicating significant potential impact. If successfully exploited, systems running vulnerable versions of GIMP could suffer from denial of service, where the application crashes, leading to loss of productivity. More critically, an attacker could achieve arbitrary code execution, allowing them to install malware, exfiltrate data, or gain full control over the compromised system. While there are no reports of in-the-wild exploitation, the widespread use of GIMP, particularly on Linux distributions like Red Hat Enterprise Linux, makes this a high-risk vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches for CVE-2026-58380 immediately to all GIMP installations, particularly on Red Hat Enterprise Linux systems, by referring to the official Red Hat security advisory at \u003ccode\u003ehttps://access.redhat.com/security/cve/CVE-2026-58380\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Red Hat security channels for updates to affected products as detailed in the Red Hat advisory and apply them promptly.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training regarding the risks associated with opening untrusted image files, especially those in less common formats like PNM.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T15:25:56Z","date_published":"2026-07-06T15:25:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58380-gimp-pnm-parser-vulnerability/","summary":"A high-severity off-by-one error, CVE-2026-58380, in GIMP's PNM file format parser (specifically the `pnmscanner_gettoken()` function) allows an attacker to corrupt memory by crafting a malicious PNM file, potentially leading to denial of service or arbitrary code execution when the file is opened.","title":"CVE-2026-58380: GIMP PNM Parser Off-by-One Error Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58380-gimp-pnm-parser-vulnerability/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Acronis Cyber Protect","autorandr","AWS Replication Agent","BeyondTrust products","ClamScan","Debian Package Manager","DNF","Elephant","Firefox","FortiClient","GDM","GNOME Shell","Google Chrome","Google Cloud Agent","Google Cloud Linux Service","Halcyon Agent","Hexnode Agent","Hyprland","i3-zoom","K3s","K3s Server","Kubernetes","LXD","man-db","NGT Guest Agent","Pamac","Picus Updater","Plesk Task Manager","Ptyxis Agent","QSetup","RPM Package Manager","rpm-ostree","runc","Salt","Salt Minion","SentinelOne Agent","Slack","snapd","systemd","Tableau Server","Thunar","tmux","Tychon Endpoint","Vanta Launcher","xdg-desktop-portal","yay","Zoom"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","execution","linux"],"_cs_type":"advisory","_cs_vendors":["Acronis","Amazon Web Services","BeyondTrust","Canonical","ClamAV","Debian","Elastic","Fortinet","GNOME","Google","Halcyon","Hexnode","Manjaro Development Team","Mozilla","Open Container Initiative","Palo Alto Networks","Picus Security","Plesk","QSetup","Rancher","Red Hat","Saltstack","SentinelOne","Slack","Tableau","Tychon","Vanta","VMware","Xfce","Zoom"],"content_html":"\u003cp\u003eThis threat brief outlines a technique where adversaries utilize the \u003ccode\u003esystemd-run\u003c/code\u003e binary on Linux systems for proxy execution, a method aimed at defense evasion and enabling command execution. \u003ccode\u003esystemd-run\u003c/code\u003e is a legitimate system utility designed to schedule commands for background execution through \u003ccode\u003esystemd\u003c/code\u003e. Attackers can exploit this functionality to run malicious payloads, such as shells, downloaders, or credential-harvesting scripts, as transient services or scopes. This technique allows them to detach their processes, obscure the direct parent-child relationships in the process tree, and mask their activities behind a trusted system utility, significantly reducing visibility for defenders. The technique can be used post-initial access to establish persistence, expand access, or facilitate data exfiltration without directly revealing the true malicious parent process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, often via exploitation of a vulnerable service, compromised credentials, or a successful phishing attempt.\u003c/li\u003e\n\u003cli\u003eAfter establishing a foothold, the attacker performs reconnaissance to understand the environment and identifies \u003ccode\u003esystemd-run\u003c/code\u003e as a potential tool for evading detection.\u003c/li\u003e\n\u003cli\u003eThe attacker stages a malicious payload (e.g., a reverse shell script, a downloader for additional malware, or a credential harvesting tool) onto the compromised system, possibly in a temporary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious payload using \u003ccode\u003esystemd-run\u003c/code\u003e, typically with options like \u003ccode\u003e--user\u003c/code\u003e or \u003ccode\u003e--scope\u003c/code\u003e, to launch it as a transient systemd unit or scope, detaching it from the initiating process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esystemd-run\u003c/code\u003e acts as a proxy, launching the malicious command or script in the background, making it appear as a legitimate systemd-managed process.\u003c/li\u003e\n\u003cli\u003eThe detached malicious payload executes, performing its intended actions such as establishing command and control, downloading further stages, escalating privileges, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker might configure persistence mechanisms within the transient unit definition or by other means, ensuring continued access even after the initial session ends.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, attacks employing \u003ccode\u003esystemd-run\u003c/code\u003e for proxy execution can lead to significant compromises. Adversaries can execute arbitrary commands, establish covert persistence, download additional malicious tooling, or exfiltrate sensitive data without being easily detected through conventional process monitoring. The use of detached, transient units complicates forensic analysis and incident response by obfuscating the true origin and nature of the malicious processes. This can result in full system compromise, severe data breaches, unauthorized privilege escalation, or lateral movement across the network, making remediation challenging and prolonged.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Potential Proxy Execution via Systemd-run\u0026quot; in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eWhen triggered by the Sigma rule, reconstruct the full process tree around the \u003ccode\u003esystemd-run\u003c/code\u003e event to determine which user, shell, script, service, or remote access session invoked it.\u003c/li\u003e\n\u003cli\u003eReview the exact command passed through \u003ccode\u003esystemd-run\u003c/code\u003e, including flags such as \u003ccode\u003e--user\u003c/code\u003e, \u003ccode\u003e--scope\u003c/code\u003e, scheduling options, or custom unit names, to classify the spawned payload as expected or suspicious.\u003c/li\u003e\n\u003cli\u003eIsolate any affected Linux host from the network immediately, and terminate the malicious \u003ccode\u003esystemd-run\u003c/code\u003e transient unit or scope along with any child processes it launched.\u003c/li\u003e\n\u003cli\u003eRemove attacker persistence by deleting unauthorized unit files and drop-ins from \u003ccode\u003e/etc/systemd/system/\u003c/code\u003e, \u003ccode\u003e/run/systemd/transient/\u003c/code\u003e, \u003ccode\u003e/var/lib/systemd/\u003c/code\u003e, and affected users’ \u003ccode\u003e~/.config/systemd/user/\u003c/code\u003e directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T14:39:26Z","date_published":"2026-07-06T14:39:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/","summary":"This brief details how attackers may leverage the `systemd-run` utility on Linux systems for defense evasion and execution by running commands as detached, transient services or scopes to obscure their activities and parent-child process chains.","title":"Potential Proxy Execution via Systemd-run on Linux","url":"https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-58379"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GIMP","Red Hat Enterprise Linux 9 (gimp package)"],"_cs_severities":["high"],"_cs_tags":["heap-buffer-overflow","vulnerability","image-processing","gimp"],"_cs_type":"advisory","_cs_vendors":["GNOME","Red Hat"],"content_html":"\u003cp\u003eA critical heap buffer overflow vulnerability, identified as CVE-2026-58379, has been discovered in GIMP's Paint Shop Pro (PSP) file format parser. This flaw allows a remote attacker to achieve arbitrary code execution or a denial of service (DoS) on affected systems. The vulnerability is triggered when a user is tricked into opening a specially crafted PSP image file. The core issue lies in the software's incorrect calculation of buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory. This affects the GIMP application, particularly the \u003ccode\u003egimp\u003c/code\u003e package on Red Hat Enterprise Linux 9, as confirmed by Red Hat. Defenders should prioritize patching GIMP to mitigate the risk of successful exploitation, which could lead to complete system compromise or disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Paint Shop Pro (PSP) image file specifically designed to exploit CVE-2026-58379, incorporating malformed low bit-depth image data.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the specially crafted PSP file to a target user, often via social engineering tactics such as email attachments or malicious download links.\u003c/li\u003e\n\u003cli\u003eThe unsuspecting user is tricked into opening the malicious PSP image file using the GIMP application on their system.\u003c/li\u003e\n\u003cli\u003eGIMP's internal PSP file format parser attempts to process the malformed image data within the file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing of low bit-depth image data, GIMP incorrectly calculates buffer sizes for memory allocation, leading to a heap buffer overflow condition.\u003c/li\u003e\n\u003cli\u003eThis overflow allows attacker-controlled data to overwrite adjacent memory regions within the GIMP process.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation of the memory corruption leads to either arbitrary code execution within the context of the GIMP process or a denial of service, crashing the application.\u003c/li\u003e\n\u003cli\u003eWith arbitrary code execution, the attacker can establish persistence, exfiltrate data, or further compromise the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-58379 can lead to significant consequences, ranging from a denial of service (DoS) that crashes the GIMP application, disrupting user workflow, to arbitrary code execution. Arbitrary code execution would allow an attacker to run malicious code within the context of the affected user, potentially leading to full system compromise, data exfiltration, or the installation of additional malware. While specific victim counts or targeted sectors are not detailed, any user of the vulnerable GIMP version, particularly on Red Hat Enterprise Linux 9, is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update GIMP to a patched version that addresses CVE-2026-58379. Consult Red Hat advisories (e.g., \u003ca href=\"https://access.redhat.com/security/cve/CVE-2026-58379\"\u003ehttps://access.redhat.com/security/cve/CVE-2026-58379\u003c/a\u003e) for specific package updates for Red Hat Enterprise Linux 9.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening unsolicited or suspicious image files, especially those from untrusted sources, to mitigate the initial access vector associated with opening specially crafted PSP files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T19:18:57Z","date_published":"2026-07-03T19:18:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58379-gimp-heap-overflow/","summary":"A heap buffer overflow vulnerability (CVE-2026-58379) in GIMP's Paint Shop Pro (PSP) file format parser allows a remote attacker to achieve arbitrary code execution or cause a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file, exploiting incorrect buffer size calculations when processing low bit-depth images.","title":"CVE-2026-58379: GIMP Heap Buffer Overflow in PSP Parser Allows RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58379-gimp-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - GNOME","version":"https://jsonfeed.org/version/1.1"}