Critical GIMP Heap Buffer Overflow in LBM File Parsing Allows Remote Code Execution
A critical heap-based buffer overflow vulnerability in GIMP's LBM file parsing has been disclosed, allowing remote attackers to execute arbitrary code by tricking users into opening a malicious file.

A critical vulnerability in GIMP, the popular open-source image editor, has been disclosed that could allow remote attackers to execute arbitrary code on affected systems. The flaw, tracked as CVE-2026-2046 and assigned a CVSS score of 7.8, resides in GIMP's parsing of LBM (Deluxe Paint) image files. The vulnerability was reported to the vendor on November 11, 2025, and publicly disclosed on March 16, 2026, by the Zero Day Initiative (ZDI) as advisory ZDI-26-213.
The specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. This heap-based buffer overflow can be triggered when a user opens a specially crafted LBM file or visits a malicious page that delivers such a file. Exploitation requires user interaction, making it a classic client-side attack vector.
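As an added illustration (not GIMP's code, and not the actual patched code path), the following C shows the kind of length validation whose absence the advisory describes, applied to the standard IFF chunk layout that LBM files use: a 4-byte chunk id followed by a 4-byte big-endian length, with bodies padded to an even size. The parser, the sample bytes and the `max_body` limit are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal IFF/LBM chunk walker, constructed for illustration: not GIMP's code and
 * not the patched code path. It shows the check the advisory describes as missing:
 * validating an attacker-controlled chunk length before copying into a heap buffer. */
static uint32_t be32(const uint8_t *p) {          /* IFF lengths are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Find chunk `id` in an IFF "FORM" file and copy its body into a new heap buffer of
 * exactly that size. Returns the body length, or -1 if the file is malformed, the
 * declared length runs past end of file, or it exceeds max_body (what the caller's
 * consumer is prepared to handle, e.g. the pixel count derived from the header). */
static long lbm_copy_chunk(const uint8_t *f, size_t n, const char id[4],
                           size_t max_body, uint8_t **out) {
    if (n < 12 || memcmp(f, "FORM", 4) != 0) return -1;
    size_t off = 12;                              /* skip "FORM", size, "ILBM" */
    while (off + 8 <= n) {                        /* 4-byte id + 4-byte length */
        uint32_t declared = be32(f + off + 4);
        if (declared > n - (off + 8)) return -1;  /* length points past EOF */
        if (memcmp(f + off, id, 4) == 0) {
            if (declared > max_body) return -1;   /* bigger than the target buffer */
            uint8_t *buf = malloc(declared ? declared : 1);
            if (!buf) return -1;
            memcpy(buf, f + off + 8, declared);   /* bounded by both checks above */
            *out = buf;
            return (long)declared;
        }
        off += 8 + declared + (declared & 1);     /* chunk bodies are padded to even */
    }
    return -1;                                    /* chunk not present */
}
/* Constructed sample file: FORM/ILBM with a toy 2-byte BMHD and a 3-byte BODY chunk. */
static const uint8_t SAMPLE[] = {
    'F','O','R','M', 0,0,0,25, 'I','L','B','M',
    'B','M','H','D', 0,0,0,2,  0x00,0x10,
    'B','O','D','Y', 0,0,0,3,  'a','b','c' };
long demo_valid(void) {                /* well-formed BODY: returns 3 */
    uint8_t *b = NULL; long r = lbm_copy_chunk(SAMPLE, sizeof SAMPLE, "BODY", 64, &b);
    free(b); return r;
}
long demo_length_past_eof(void) {      /* BODY length patched to 0x7F000003: -1 */
    uint8_t bad[sizeof SAMPLE]; memcpy(bad, SAMPLE, sizeof SAMPLE); bad[26] = 0x7F;
    uint8_t *b = NULL; long r = lbm_copy_chunk(bad, sizeof bad, "BODY", 64, &b);
    free(b); return r;
}
long demo_exceeds_buffer(void) {       /* body is 3 bytes but caller allows 2: -1 */
    uint8_t *b = NULL; long r = lbm_copy_chunk(SAMPLE, sizeof SAMPLE, "BODY", 2, &b);
    free(b); return r;
}
```

Without the two checks on `declared`, the `memcpy` would be sized by a field the file author controls, which is the heap overflow pattern the advisory describes.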
If successfully exploited, the vulnerability could allow an attacker to execute arbitrary code in the context of the current process. Given GIMP's widespread use across Linux, Windows, and macOS platforms, the potential impact is significant. The vulnerability is classified as high severity due to the potential for complete compromise of confidentiality, integrity, and availability.
GIMP has already released a fix for the vulnerability. The patch is available via commit b4d41182dde4a1f98431b4d5b749a5a18bed0ab3 in the official GIMP GitLab repository. Users are strongly advised to update GIMP to the latest version that includes this fix. The disclosure timeline indicates that the vendor was notified on November 11, 2025, and that the coordinated public release of the advisory occurred on March 16, 2026.
This vulnerability highlights the ongoing risks associated with file parsing in widely used software. LBM files, while less common today, are still supported by GIMP for legacy compatibility. The heap-based buffer overflow class of vulnerabilities remains a persistent threat, often leading to remote code execution when exploited. Users should exercise caution when opening files from untrusted sources and ensure their software is up to date.
The discovery was credited to an anonymous researcher. The ZDI advisory notes that GIMP has issued an update to correct this vulnerability, and users can find more details in the commit referenced. As with all software vulnerabilities, prompt patching is the most effective mitigation. Organizations using GIMP in their workflows should prioritize applying this update to reduce the risk of exploitation.