GIMP: integer overflow in the Despeckle plug-in (CVE-2025-6035)
Description
A flaw was found in GIMP. An integer overflow vulnerability exists in the GIMP "Despeckle" plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range (version tags): BASE_ZERO, BEFORE_GIMAGE_IS_FLAT_REMOVAL, BEFORE_MATTS_CRAZY_TOOL_PATCH, …
- OSV coordinates (5 packages, no CPE), each affected in versions < 2.10.30-150400.3.23.1:
  - pkg:rpm/opensuse/gimp&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/suse/gimp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
  - pkg:rpm/suse/gimp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
  - pkg:rpm/suse/gimp&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6
  - pkg:rpm/suse/gimp&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP7
Patches
Vulnerability mechanics
Root cause
"Unchecked multiplication of image dimensions (width, height) and bytes-per-pixel (img_bpp) in the Despeckle plug-in's despeckle function causes an integer overflow, leading to undersized heap allocation and subsequent out-of-bounds writes."
Attack vector
An attacker crafts an image with very large dimensions (e.g., 70,000 x 70,000 pixels) and convinces the victim to open it in GIMP and apply the Despeckle filter [ref_id=1]. The despeckle function multiplies width * height * img_bpp without overflow checking; because the three operands are gint values (the types returned by gimp_drawable_mask_intersect() and babl_format_get_bytes_per_pixel()), the product is evaluated in 32-bit arithmetic and wraps to a small value when it exceeds that range, before it is ever converted to the gsize count that g_new() takes [ref_id=1]. The subsequent g_new() call therefore allocates too little memory, and the pixel-processing loops write beyond the allocated src and dst buffers, corrupting the heap [ref_id=1].
Affected code
The vulnerable code is in the despeckle function within the file despeckle.c [ref_id=1]. The width and height values are retrieved from gimp_drawable_mask_intersect() and img_bpp is determined via babl_format_get_bytes_per_pixel() (commonly 1 to 4) [ref_id=1]. The multiplication width * height * img_bpp is performed without overflow checking before being passed to g_new() [ref_id=1].
What the fix does
The issue report recommends overflow-safe arithmetic (for example g_size_checked_mul(), or an equivalent check against the limits of the size type) to compute the allocation size before calling g_new() [ref_id=1]. No patch is included in the bundle, so the exact committed fix is not shown; the remediation is to verify that width * height * img_bpp cannot overflow before the allocation is made, and to reject the operation otherwise, so that no undersized buffer is created and the later writes stay within bounds [ref_id=1].
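The following C program is an added illustration, not code from GIMP or from the issue report: it models the size computation the narrative describes and the overflow-checked replacement it recommends. All function names are hypothetical. checked_mul_size() stands in for GLib's g_size_checked_mul() so the program builds without GLib, and the 70,000 x 70,000 dimensions together with the bytes-per-pixel values are constructed inputs. It also shows a caveat the prose does not: depending on the operands, the wrapped gint can come out negative, in which case g_new() receives an enormous request that fails rather than an undersized buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the vulnerable computation (hypothetical name, not GIMP's code).
 * In despeckle.c the three operands are gint values, so width * height *
 * img_bpp is evaluated in 32-bit signed arithmetic. Signed overflow is
 * undefined behaviour in C, so this model multiplies in uint32_t, which
 * reproduces the two's-complement wrap seen in practice, and then reads
 * the result back as the gint the real code would hold. */
static int32_t vulnerable_count(int32_t width, int32_t height, int32_t img_bpp)
{
    uint32_t wrapped = (uint32_t)width * (uint32_t)height * (uint32_t)img_bpp;
    return (int32_t)wrapped;
}

/* Bytes that g_new(guchar, count) would actually request: the gint count is
 * converted to gsize (size_t here). A wrapped-but-positive count gives the
 * undersized buffer the advisory describes; a count that wrapped negative
 * sign-extends into an enormous request that fails instead. */
static size_t vulnerable_request(int32_t width, int32_t height, int32_t img_bpp)
{
    return (size_t)vulnerable_count(width, height, img_bpp);
}

/* Overflow-checked multiply: a portable stand-in for GLib's
 * g_size_checked_mul(). Returns false and leaves *dest untouched when
 * a * b would exceed SIZE_MAX. */
static bool checked_mul_size(size_t *dest, size_t a, size_t b)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *dest = a * b;
    return true;
}

/* Hardened size computation. Rejects non-positive operands (an empty mask
 * intersection, or a negative value from a damaged header) and any product
 * that does not fit in size_t. Returns the byte count, or 0 on rejection;
 * 0 is never a valid result because every operand must be positive. */
static size_t safe_buffer_size(int32_t width, int32_t height, int32_t img_bpp)
{
    size_t bytes;

    if (width <= 0 || height <= 0 || img_bpp <= 0)
        return 0;
    if (!checked_mul_size(&bytes, (size_t)width, (size_t)height))
        return 0;
    if (!checked_mul_size(&bytes, bytes, (size_t)img_bpp))
        return 0;
    return bytes;
}

/* True when the vulnerable arithmetic would hand the allocator fewer bytes
 * than the pixels need: the precondition for the out-of-bounds writes. */
static bool vulnerable_is_undersized(int32_t width, int32_t height, int32_t img_bpp)
{
    size_t needed = safe_buffer_size(width, height, img_bpp);

    if (needed == 0)
        return false; /* the true size cannot even be represented here */
    return vulnerable_request(width, height, img_bpp) < needed;
}

/* Allocate the pixel buffer the hardened way, or return NULL. A real fix
 * would also want an upper bound on image size; that is policy, not shown. */
static unsigned char *alloc_pixels(int32_t width, int32_t height, int32_t img_bpp)
{
    size_t bytes = safe_buffer_size(width, height, img_bpp);

    return bytes ? (unsigned char *)malloc(bytes) : NULL;
}

int main(void)
{
    /* Constructed inputs: the advisory's 70,000 x 70,000 image at 1 and 4
     * bytes per pixel, plus a screen-sized image as a sanity check. */
    const struct { int32_t w, h, bpp; } cases[] = {
        { 1024, 768, 4 }, { 70000, 70000, 1 }, { 70000, 70000, 4 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t w = cases[i].w, h = cases[i].h, bpp = cases[i].bpp;
        printf("%dx%dx%d: needed=%zu vulnerable gint=%d request=%zu undersized=%s\n",
               w, h, bpp, safe_buffer_size(w, h, bpp), vulnerable_count(w, h, bpp),
               vulnerable_request(w, h, bpp),
               vulnerable_is_undersized(w, h, bpp) ? "yes" : "no");
    }
    unsigned char *p = alloc_pixels(1024, 768, 4);
    free(p);
    return 0;
}
```

For the advisory's 70,000 x 70,000 case at one byte per pixel, the 32-bit product wraps to 605,032,704 while 4,900,000,000 bytes are needed, which is exactly the undersized allocation followed by out-of-bounds writes; at four bytes per pixel the same arithmetic wraps negative and the allocation request becomes huge instead. The hardened path never produces a wrapped value: it either returns the exact byte count or refuses, and on a 64-bit build the 70,000 x 70,000 image is simply a large but correctly sized request.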
Preconditions
- Input: the victim must open a specially crafted image with very large dimensions (e.g., 70,000 x 70,000 pixels) in GIMP.
- Input: the victim must then apply the Despeckle filter to that image.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/security/cve/CVE-2025-6035 (mitre; vdb-entry; x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre; issue-tracking; x_refsource_REDHAT)
- gitlab.gnome.org/GNOME/gimp/-/issues/13518 (mitre)