<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>GNOME - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/gnome/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 09:18:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/gnome/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-58384: GIMP PSD Parser Integer Overflow Leads to RCE/DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58384-gimp-psd-parser/</link><pubDate>Tue, 07 Jul 2026 09:18:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58384-gimp-psd-parser/</guid><description>An integer overflow vulnerability (CVE-2026-58384) exists in GIMP's PSD parser within the `read_RLE_channel()` function, leading to undersized heap allocations that can cause subsequent heap memory corruption, potentially resulting in denial of service or arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-58384 describes a critical flaw in the GIMP (GNU Image Manipulation Program) PSD (Photoshop Document) parser. Specifically, an integer overflow occurs within the <code>read_RLE_channel()</code> function. This vulnerability arises when processing specially crafted PSD files, causing an undersized heap allocation for the Run-Length Encoding (RLE) row-length table. Following this incorrect allocation, subsequent per-row writes attempt to use more memory than allocated, leading to heap memory corruption. This memory corruption can have severe consequences, including the application crashing (denial of service) or, in a more advanced scenario, the execution of arbitrary code on the affected system. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and affects GIMP, including its package within Red Hat Enterprise Linux 9.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PSD file designed to trigger an integer overflow in GIMP's parser.</li>
<li>The malicious PSD file contains specially formatted RLE channel data intended to cause an undersized buffer allocation.</li>
<li>A user is enticed to open the malicious PSD file using an affected version of the GIMP application.</li>
<li>GIMP's <code>read_RLE_channel()</code> function begins processing the RLE channel data from the malicious file.</li>
<li>During the calculation for the RLE row-length table allocation, an integer overflow occurs due to the crafted input.</li>
<li>This integer overflow results in an undersized heap allocation for the RLE row-length table, creating a buffer overflow condition.</li>
<li>Subsequent writes by the <code>read_RLE_channel()</code> function, intended for per-row data, exceed the boundary of the undersized buffer, corrupting adjacent heap memory.</li>
<li>This heap memory corruption ultimately leads to either a denial-of-service condition (e.g., GIMP application crash) or, under specific exploit conditions, arbitrary code execution in the context of the user running GIMP.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-58384 is significant, potentially leading to application instability, data loss, or complete system compromise. If exploited for denial of service, GIMP users would experience application crashes, hindering productivity. More critically, successful exploitation for arbitrary code execution could allow an attacker to run malicious code with the privileges of the compromised user, potentially leading to further compromise of the system, data exfiltration, or installation of additional malware. While no specific victim counts or sectors are mentioned, any organization or individual using affected GIMP versions is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update GIMP to a patched version immediately to remediate CVE-2026-58384, as referenced by the <code>https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217</code> commit.</li>
<li>Apply security updates for Red Hat Enterprise Linux 9 if using the GIMP package, addressing CVE-2026-58384, as detailed in the Red Hat advisory <code>https://access.redhat.com/security/cve/CVE-2026-58384</code>.</li>
<li>Ensure all software, particularly applications that handle untrusted file formats, are kept up-to-date with the latest security patches.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>dos</category><category>gimp</category><category>linux</category><category>heap-overflow</category></item><item><title>CVE-2026-58380: GIMP PNM Parser Off-by-One Error Leads to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58380-gimp-pnm-parser-vulnerability/</link><pubDate>Mon, 06 Jul 2026 15:25:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58380-gimp-pnm-parser-vulnerability/</guid><description>A high-severity off-by-one error, CVE-2026-58380, in GIMP's PNM file format parser (specifically the `pnmscanner_gettoken()` function) allows an attacker to corrupt memory by crafting a malicious PNM file, potentially leading to denial of service or arbitrary code execution when the file is opened.</description><content:encoded><![CDATA[<p>CVE-2026-58380 details a critical vulnerability discovered in GIMP's PNM (Portable Anymap) image file format parser. The flaw resides within the <code>pnmscanner_gettoken()</code> function, where an off-by-one error during a loop boundary check causes a null terminator to be written one byte beyond the intended boundary of a stack-allocated buffer. This memory corruption is triggered when GIMP attempts to parse a specially crafted PNM file. While not yet observed in active exploitation, successful exploitation could lead to application instability and denial of service due to crashes, or, more severely, arbitrary code execution, granting an attacker control over the compromised system. This vulnerability affects various GIMP versions, including those shipped with Red Hat Enterprise Linux distributions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PNM image file specifically designed to exploit the off-by-one error in GIMP's <code>pnmscanner_gettoken()</code> function.</li>
<li>The malicious PNM file is delivered to a victim through common vectors such as email attachments, malicious websites, or untrusted file shares.</li>
<li>The victim opens the specially crafted PNM file using the vulnerable GIMP application.</li>
<li>During the file parsing process, the <code>pnmscanner_gettoken()</code> function attempts to process the malicious input.</li>
<li>The off-by-one error causes a null byte to be written past the end of a stack buffer, corrupting adjacent memory.</li>
<li>This memory corruption disrupts program execution flow, leading to either an immediate application crash (denial of service) or, under controlled conditions, enables arbitrary code execution on the victim's system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability, CVE-2026-58380, carries a CVSS v3.1 Base Score of 7.3 (High), indicating significant potential impact. If successfully exploited, systems running vulnerable versions of GIMP could suffer from denial of service, where the application crashes, leading to loss of productivity. More critically, an attacker could achieve arbitrary code execution, allowing them to install malware, exfiltrate data, or gain full control over the compromised system. While there are no reports of in-the-wild exploitation, the widespread use of GIMP, particularly on Linux distributions like Red Hat Enterprise Linux, makes this a high-risk vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches for CVE-2026-58380 immediately to all GIMP installations, particularly on Red Hat Enterprise Linux systems, by referring to the official Red Hat security advisory at <code>https://access.redhat.com/security/cve/CVE-2026-58380</code>.</li>
<li>Monitor Red Hat security channels for updates to affected products as detailed in the Red Hat advisory and apply them promptly.</li>
<li>Implement user awareness training regarding the risks associated with opening untrusted image files, especially those in less common formats like PNM.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>memory-corruption</category><category>buffer-overflow</category><category>GIMP</category><category>linux</category></item><item><title>Potential Proxy Execution via Systemd-run on Linux</title><link>https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/</link><pubDate>Mon, 06 Jul 2026 14:39:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-systemd-run-proxy-execution/</guid><description>This brief details how attackers may leverage the `systemd-run` utility on Linux systems for defense evasion and execution by running commands as detached, transient services or scopes to obscure their activities and parent-child process chains.</description><content:encoded><![CDATA[<p>This threat brief outlines a technique where adversaries utilize the <code>systemd-run</code> binary on Linux systems for proxy execution, a method aimed at defense evasion and enabling command execution. <code>systemd-run</code> is a legitimate system utility designed to schedule commands for background execution through <code>systemd</code>. Attackers can exploit this functionality to run malicious payloads, such as shells, downloaders, or credential-harvesting scripts, as transient services or scopes. This technique allows them to detach their processes, obscure the direct parent-child relationships in the process tree, and mask their activities behind a trusted system utility, significantly reducing visibility for defenders. The technique can be used post-initial access to establish persistence, expand access, or facilitate data exfiltration without directly revealing the true malicious parent process.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux system, often via exploitation of a vulnerable service, compromised credentials, or a successful phishing attempt.</li>
<li>After establishing a foothold, the attacker performs reconnaissance to understand the environment and identifies <code>systemd-run</code> as a potential tool for evading detection.</li>
<li>The attacker stages a malicious payload (e.g., a reverse shell script, a downloader for additional malware, or a credential harvesting tool) onto the compromised system, possibly in a temporary directory.</li>
<li>The attacker executes the malicious payload using <code>systemd-run</code>, typically with options like <code>--user</code> or <code>--scope</code>, to launch it as a transient systemd unit or scope, detaching it from the initiating process.</li>
<li><code>systemd-run</code> acts as a proxy, launching the malicious command or script in the background, making it appear as a legitimate systemd-managed process.</li>
<li>The detached malicious payload executes, performing its intended actions such as establishing command and control, downloading further stages, escalating privileges, or exfiltrating data.</li>
<li>The attacker might configure persistence mechanisms within the transient unit definition or by other means, ensuring continued access even after the initial session ends.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If successful, attacks employing <code>systemd-run</code> for proxy execution can lead to significant compromises. Adversaries can execute arbitrary commands, establish covert persistence, download additional malicious tooling, or exfiltrate sensitive data without being easily detected through conventional process monitoring. The use of detached, transient units complicates forensic analysis and incident response by obfuscating the true origin and nature of the malicious processes. This can result in full system compromise, severe data breaches, unauthorized privilege escalation, or lateral movement across the network, making remediation challenging and prolonged.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Potential Proxy Execution via Systemd-run&quot; in this brief to your SIEM and tune for your environment.</li>
<li>When triggered by the Sigma rule, reconstruct the full process tree around the <code>systemd-run</code> event to determine which user, shell, script, service, or remote access session invoked it.</li>
<li>Review the exact command passed through <code>systemd-run</code>, including flags such as <code>--user</code>, <code>--scope</code>, scheduling options, or custom unit names, to classify the spawned payload as expected or suspicious.</li>
<li>Isolate any affected Linux host from the network immediately, and terminate the malicious <code>systemd-run</code> transient unit or scope along with any child processes it launched.</li>
<li>Remove attacker persistence by deleting unauthorized unit files and drop-ins from <code>/etc/systemd/system/</code>, <code>/run/systemd/transient/</code>, <code>/var/lib/systemd/</code>, and affected users’ <code>~/.config/systemd/user/</code> directories.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>defense-evasion</category><category>execution</category><category>linux</category></item><item><title>CVE-2026-58379: GIMP Heap Buffer Overflow in PSP Parser Allows RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58379-gimp-heap-overflow/</link><pubDate>Fri, 03 Jul 2026 19:18:57 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-58379-gimp-heap-overflow/</guid><description>A heap buffer overflow vulnerability (CVE-2026-58379) in GIMP's Paint Shop Pro (PSP) file format parser allows a remote attacker to achieve arbitrary code execution or cause a denial of service (DoS) by tricking a user into opening a specially crafted PSP image file, exploiting incorrect buffer size calculations when processing low bit-depth images.</description><content:encoded><![CDATA[<p>A critical heap buffer overflow vulnerability, identified as CVE-2026-58379, has been discovered in GIMP's Paint Shop Pro (PSP) file format parser. This flaw allows a remote attacker to achieve arbitrary code execution or a denial of service (DoS) on affected systems. The vulnerability is triggered when a user is tricked into opening a specially crafted PSP image file. The core issue lies in the software's incorrect calculation of buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory. This affects the GIMP application, particularly the <code>gimp</code> package on Red Hat Enterprise Linux 9, as confirmed by Red Hat. Defenders should prioritize patching GIMP to mitigate the risk of successful exploitation, which could lead to complete system compromise or disruption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Paint Shop Pro (PSP) image file specifically designed to exploit CVE-2026-58379, incorporating malformed low bit-depth image data.</li>
<li>The attacker delivers the specially crafted PSP file to a target user, often via social engineering tactics such as email attachments or malicious download links.</li>
<li>The unsuspecting user is tricked into opening the malicious PSP image file using the GIMP application on their system.</li>
<li>GIMP's internal PSP file format parser attempts to process the malformed image data within the file.</li>
<li>During the parsing of low bit-depth image data, GIMP incorrectly calculates buffer sizes for memory allocation, leading to a heap buffer overflow condition.</li>
<li>This overflow allows attacker-controlled data to overwrite adjacent memory regions within the GIMP process.</li>
<li>Successful exploitation of the memory corruption leads to either arbitrary code execution within the context of the GIMP process or a denial of service, crashing the application.</li>
<li>With arbitrary code execution, the attacker can establish persistence, exfiltrate data, or further compromise the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-58379 can lead to significant consequences, ranging from a denial of service (DoS) that crashes the GIMP application, disrupting user workflow, to arbitrary code execution. Arbitrary code execution would allow an attacker to run malicious code within the context of the affected user, potentially leading to full system compromise, data exfiltration, or the installation of additional malware. While specific victim counts or targeted sectors are not detailed, any user of the vulnerable GIMP version, particularly on Red Hat Enterprise Linux 9, is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update GIMP to a patched version that addresses CVE-2026-58379. Consult Red Hat advisories (e.g., <a href="https://access.redhat.com/security/cve/CVE-2026-58379">https://access.redhat.com/security/cve/CVE-2026-58379</a>) for specific package updates for Red Hat Enterprise Linux 9.</li>
<li>Educate users about the risks of opening unsolicited or suspicious image files, especially those from untrusted sources, to mitigate the initial access vector associated with opening specially crafted PSP files.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>heap-buffer-overflow</category><category>vulnerability</category><category>image-processing</category><category>gimp</category></item></channel></rss>