Fluid Attacks Database

Description

A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP PCX file loader due to an off-by-one error. A remote attacker could exploit this by convincing a user to open a specially crafted PCX image. Successful exploitation could lead to out-of-bounds memory disclosure and a possible application crash, resulting in a Denial of Service (DoS).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	gimp	=2.10.34-1 \|\| =2.10.34-1+deb12u1 \|\| =2.10.34-1+deb12u10 \|\| =2.10.34-1+deb12u2 \|\| =2.10.34-1+deb12u3 \|\| =2.10.34-1+deb12u4 \|\| =2.10.34-1+deb12u5 \|\| =2.10.34-1+deb12u6 \|\| =2.10.34-1+deb12u7 \|\| =2.10.34-1+deb12u8 \|\| =2.10.34-1+deb12u9 \|\| =2.10.36-1 \|\| =2.10.36-2 \|\| =2.10.36-3 \|\| =2.10.38-1 \|\| =2.10.38-2 \|\| =2.99.10-1 \|\| =2.99.12-1 \|\| =2.99.12-2 \|\| =2.99.14-1 \|\| =2.99.14-2 \|\| =2.99.16-1 \|\| =2.99.16-2 \|\| =2.99.18-1 \|\| =3.0.0-1 \|\| =3.0.0-2 \|\| =3.0.0~rc1-1 \|\| =3.0.0~rc1-3 \|\| =3.0.0~rc1-4 \|\| =3.0.0~rc2-1 \|\| =3.0.0~rc3-1 \|\| =3.0.2-1 \|\| =3.0.2-2 \|\| =3.0.2-3 \|\| =3.0.2-3.1 \|\| =3.0.4-1 \|\| =3.0.4-2 \|\| =3.0.4-3 \|\| =3.0.4-4 \|\| =3.0.4-5 \|\| =3.0.4-6 \|\| =3.0.4-6.1 \|\| =3.0.4-6.2 \|\| =3.0.6-1 \|\| =3.2.0-1 \|\| =3.2.0~rc2-1 \|\| =3.2.0~rc2-2 \|\| =3.2.0~rc2-3 \|\| =3.2.0~rc2-3.1 \|\| =3.2.0~rc2-3.2 \|\| =3.2.0~rc2-3.3 \|\| =3.2.0~rc3-1 \|\| =3.2.2-1 \|\| =3.2.4-1	-
rpm rhel9	gimp	<2:3.0.4-4.el9_8.4	2:3.0.4-4.el9_8.4
rpm rhel7	gimp	-	-
rpm rhel8	gimp	<2:2.8.22-26.module+el8.10.0+24277+6acc3952.6	2:2.8.22-26.module+el8.10.0+24277+6acc3952.6
debian 13	gimp	=3.0.4-3 \|\| =3.0.4-3+deb13u1 \|\| =3.0.4-3+deb13u2 \|\| =3.0.4-3+deb13u3 \|\| =3.0.4-3+deb13u4 \|\| =3.0.4-3+deb13u5 \|\| =3.0.4-3+deb13u6 \|\| =3.0.4-3+deb13u7 \|\| =3.0.4-3+deb13u8 \|\| =3.0.4-4 \|\| =3.0.4-5 \|\| =3.0.4-6 \|\| =3.0.4-6.1 \|\| =3.0.4-6.2 \|\| =3.0.6-1 \|\| =3.2.0-1 \|\| =3.2.0~rc2-1 \|\| =3.2.0~rc2-2 \|\| =3.2.0~rc2-3 \|\| =3.2.0~rc2-3.1 \|\| =3.2.0~rc2-3.2 \|\| =3.2.0~rc2-3.3 \|\| =3.2.0~rc3-1 \|\| =3.2.2-1 \|\| =3.2.4-1	-
debian 11	gimp	=2.10.22-4 \|\| =2.10.22-4+deb11u1 \|\| =2.10.22-4+deb11u2 \|\| =2.10.22-4+deb11u3 \|\| =2.10.22-4+deb11u4 \|\| =2.10.22-4+deb11u5 \|\| =2.10.22-4+deb11u6 \|\| =2.10.22-4+deb11u7 \|\| =2.10.22-4+deb11u8 \|\| =2.10.24-1 \|\| =2.10.24-2 \|\| =2.10.26-1 \|\| =2.10.28-1 \|\| =2.10.30-1 \|\| =2.10.32-1 \|\| =2.10.34-1 \|\| =2.10.36-1 \|\| =2.10.36-2 \|\| =2.10.36-3 \|\| =2.10.38-1 \|\| =2.10.38-2 \|\| =2.99.10-1 \|\| =2.99.12-1 \|\| =2.99.12-2 \|\| =2.99.14-1 \|\| =2.99.14-2 \|\| =2.99.16-1 \|\| =2.99.16-2 \|\| =2.99.18-1 \|\| =3.0.0-1 \|\| =3.0.0-2 \|\| =3.0.0~rc1-1 \|\| =3.0.0~rc1-3 \|\| =3.0.0~rc1-4 \|\| =3.0.0~rc2-1 \|\| =3.0.0~rc3-1 \|\| =3.0.2-1 \|\| =3.0.2-2 \|\| =3.0.2-3 \|\| =3.0.2-3.1 \|\| =3.0.4-1 \|\| =3.0.4-2 \|\| =3.0.4-3 \|\| =3.0.4-4 \|\| =3.0.4-5 \|\| =3.0.4-6 \|\| =3.0.4-6.1 \|\| =3.0.4-6.2 \|\| =3.0.6-1 \|\| =3.2.0-1 \|\| =3.2.0~rc2-1 \|\| =3.2.0~rc2-2 \|\| =3.2.0~rc2-3 \|\| =3.2.0~rc2-3.1 \|\| =3.2.0~rc2-3.2 \|\| =3.2.0~rc2-3.3 \|\| =3.2.0~rc3-1 \|\| =3.2.2-1 \|\| =3.2.4-1	-
debian 14	gimp	=3.0.4-3 \|\| =3.0.4-4 \|\| =3.0.4-5 \|\| =3.0.4-6 \|\| =3.0.4-6.1 \|\| =3.0.4-6.2 \|\| =3.0.6-1 \|\| =3.2.0~rc2-1 \|\| =3.2.0~rc2-2 \|\| =3.2.0~rc2-3 \|\| =3.2.0~rc2-3.1 \|\| =3.2.0~rc2-3.2 \|\| =3.2.0~rc2-3.3 \|\| =3.2.0~rc3-1 \|\| >=0 <3.2.0-1	3.2.0-1
rpm rhel6	gimp	-	-
rpm rhel8.4	gimp	<2:2.8.22-16.module+el8.4.0+24320+2aeffe15.6	2:2.8.22-16.module+el8.4.0+24320+2aeffe15.6

Aliases

1. CVE-2026-48872. NVD-2026-48873. OSV-DEBIAN-2026-48874. OSV-2026-48875. SECURITY-TRACKER-CVE-2026-4887

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.