VYPR
Patch · Published Mar 19, 2026 · Updated May 18, 2026 · 1 source

Critical GIMP JP2 Parsing Flaw Allows Remote Code Execution via Malicious Files

A heap-based buffer overflow in GIMP's JP2 file parsing (CVE-2026-4152) allows remote code execution when a user opens a crafted JP2 file, with a CVSS score of 7.8.

A critical vulnerability in GIMP's handling of JP2 image files could allow attackers to execute arbitrary code on affected systems. Tracked as CVE-2026-4152 and disclosed by the Zero Day Initiative (ZDI-26-219), the flaw is a heap-based buffer overflow that arises from improper validation of user-supplied data before copying it to a heap buffer.

The vulnerability exists within the parsing of JP2 files, a format commonly used for high-quality images. An attacker can exploit this by convincing a user to open a malicious JP2 file, for example one delivered through a compromised website or as an email attachment. Successful exploitation grants the attacker code execution in the context of the current process, potentially leading to full system compromise.

GIMP has released a patch to address the issue, available via commit f64c9c23ba3c37dc7b875a9fb477c23953b4666e on GitLab. Users are strongly advised to update their installations immediately. The vulnerability carries a CVSS score of 7.8, indicating high severity, though exploitation requires user interaction.

According to the disclosure timeline, the vulnerability was reported to GIMP on March 5, 2026, with coordinated public release on March 19, 2026. Credit for the discovery goes to an anonymous researcher. This flaw highlights the ongoing risks associated with parsing complex file formats in widely used software.

Given GIMP's popularity among graphic designers, photographers, and open-source enthusiasts, the potential attack surface is significant. Users should prioritize applying the patch to mitigate the risk of remote code execution attacks.
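While patched builds are being rolled out, a download or mail-attachment quarantine can flag JPEG 2000 content by its leading bytes instead of trusting the file extension. The sketch below is an added example, not code from the advisory or the GIMP project; the function names and sample files are constructed, and it identifies the format only, not whether a file is malicious.

```python
import os
import tempfile

# JP2 container: 12-byte signature box (length 12, type 'jP  ', payload 0D 0A 87 0A).
JP2_SIGNATURE = bytes.fromhex("0000000c6a5020200d0a870a")
# Raw JPEG 2000 codestream (.j2k/.j2c): SOC marker followed by SIZ marker.
J2K_CODESTREAM = bytes.fromhex("ff4fff51")


def classify_jpeg2000(header: bytes):
    """Return 'jp2', 'j2k' or None based on the leading bytes only."""
    if header.startswith(JP2_SIGNATURE):
        return "jp2"
    if header.startswith(J2K_CODESTREAM):
        return "j2k"
    return None


def find_jpeg2000_files(root: str):
    """Walk root and return {path: kind} for files holding JPEG 2000 content,
    whatever their extension claims."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_jpeg2000(fh.read(12))
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if kind:
                hits[path] = kind
    return hits


def demo():
    """Run the sweep over constructed sample files (headers only, no image data)."""
    samples = {
        "scan.jp2": JP2_SIGNATURE + b"\x00" * 8,
        "photo.png": JP2_SIGNATURE + b"\x00" * 8,  # JP2 content, misleading name
        "tile.j2k": J2K_CODESTREAM + b"\x00" * 8,
        "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "empty.jp2": b"",  # extension alone is not a match
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = find_jpeg2000_files(root)
        return {os.path.basename(p): k for p, k in found.items()}
```

Files flagged this way can be held back from workstations that still run an unpatched GIMP build.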

Synthesized by Vypr AI