Fluid Attacks Database

Description

A flaw was found in GIMP. A stack buffer overflow vulnerability in the TIM image loader's 4BPP decoding path allows a local user to cause a Denial of Service (DoS). By opening a specially crafted TIM image file, the application crashes due to an unconditional overflow when writing to a variable-length array.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	gimp	=3.0.4-3 \|\| =3.0.4-4 \|\| =3.0.4-5 \|\| =3.0.4-6 \|\| =3.0.4-6.1 \|\| =3.0.4-6.2 \|\| =3.0.6-1 \|\| =3.2.0-1 \|\| =3.2.0~rc2-1 \|\| =3.2.0~rc2-2 \|\| =3.2.0~rc2-3 \|\| =3.2.0~rc2-3.1 \|\| =3.2.0~rc2-3.2 \|\| =3.2.0~rc2-3.3 \|\| =3.2.0~rc3-1 \|\| >=0 <3.2.2-1	3.2.2-1
rpm rhel6	gimp	-	-
rpm rhel7	gimp	-	-
rpm rhel8	gimp	-	-
rpm rhel9	gimp	-	-

Aliases

1. CVE-2026-409162. NVD-2026-409163. OSV-DEBIAN-2026-409164. OSV-2026-409165. SECURITY-TRACKER-CVE-2026-40916

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.