Fluid Attacks Database

Description

A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	gdk-pixbuf	>=0 <2.42.12+dfsg-3	2.42.12+dfsg-3
debian 11	gdk-pixbuf	=2.42.2+dfsg-1 \|\| =2.42.2+dfsg-1+deb11u1 \|\| =2.42.2+dfsg-1+deb11u2 \|\| >=0 <2.42.2+dfsg-1+deb11u3	2.42.2+dfsg-1+deb11u3
debian 12	gdk-pixbuf	=2.42.10+dfsg-1 \|\| =2.42.10+dfsg-1+deb12u1 \|\| >=0 <2.42.10+dfsg-1+deb12u2	2.42.10+dfsg-1+deb12u2
debian 13	gdk-pixbuf	>=0 <2.42.12+dfsg-3	2.42.12+dfsg-3
rpm rhel9	gdk-pixbuf2	-	-
rpm rhel10	glycin-loaders	-	-
rpm rhel10	gdk-pixbuf2	-	-
rpm rhel6	gdk-pixbuf2	-	-
rpm rhel7	gdk-pixbuf2	-	-
rpm rhel8	gdk-pixbuf2	-	-

1-10 of 13

Aliases

1. CVE-2025-61992. NVD-2025-61993. OSV-DEBIAN-2025-61994. OSV-2025-61995. SECURITY-TRACKER-CVE-2025-6199