VYPR
patch · Published Mar 19, 2026 · Updated May 18, 2026 · 1 source

Critical GIMP XPM Parsing Flaw CVE-2026-4154 Allows Remote Code Execution

A critical integer overflow vulnerability in GIMP's XPM file parsing, tracked as CVE-2026-4154, can be exploited to achieve remote code execution via a specially crafted XPM file.

A critical vulnerability in GIMP's XPM file parsing has been disclosed, allowing remote attackers to execute arbitrary code on affected installations. The flaw, tracked as CVE-2026-4154 and reported by Zero Day Initiative as ZDI-26-221, stems from an integer overflow that occurs when processing specially crafted XPM files.

The vulnerability resides in the parsing of XPM images: the parser does not properly validate user-supplied data before using it to compute a buffer size, so the computation can overflow before the buffer is allocated. The resulting integer overflow can be leveraged to trigger a buffer overflow, enabling code execution in the context of the current process. User interaction is required, such as opening a malicious file or visiting a malicious page.
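To illustrate the bug class the advisory describes (an integer overflow in a size computation before the buffer is allocated), here is an added example in C that is not GIMP's code and does not reproduce the patched function. It assumes, for illustration, that the size being computed is width × height × chars-per-pixel taken from the XPM values line, and shows the wrapping computation beside an overflow-checked one that refuses the allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical XPM header: the values line is "<width> <height> <ncolors> <cpp>".
 * Field names and the size formula are this example's assumptions, not GIMP's code. */
struct xpm_header { long long width, height, ncolors, cpp; };

#define MAX_PIXEL_BYTES ((size_t)1 << 30) /* constructed sanity cap: 1 GiB */

/* Parse the four integers of the XPM values line. */
static bool parse_xpm_values(const char *line, struct xpm_header *h) {
    return sscanf(line, "%lld %lld %lld %lld",
                  &h->width, &h->height, &h->ncolors, &h->cpp) == 4;
}

/* Unchecked pattern: 32-bit arithmetic wraps, so a hostile header can make the
 * computed size tiny while a later pixel loop still writes width*height*cpp bytes. */
static uint32_t unchecked_pixel_bytes(const struct xpm_header *h) {
    return (uint32_t)h->width * (uint32_t)h->height * (uint32_t)h->cpp;
}

/* Hardened pattern: reject non-positive fields, test each multiplication for
 * overflow before performing it, and cap the result at a sane maximum. */
static bool checked_pixel_bytes(const struct xpm_header *h, size_t *out) {
    if (h->width <= 0 || h->height <= 0 || h->ncolors <= 0 || h->cpp <= 0)
        return false;
    size_t w = (size_t)h->width, ht = (size_t)h->height, cpp = (size_t)h->cpp;
    if (w > SIZE_MAX / ht) return false;        /* w * ht would overflow */
    size_t n = w * ht;
    if (n > SIZE_MAX / cpp) return false;       /* n * cpp would overflow */
    n *= cpp;
    if (n > MAX_PIXEL_BYTES) return false;      /* representable but absurd */
    *out = n;
    return true;
}

/* Allocate the pixel buffer only when the size computation is provably safe. */
static void *xpm_alloc_pixels(const char *values_line, size_t *bytes) {
    struct xpm_header h;
    if (!parse_xpm_values(values_line, &h) || !checked_pixel_bytes(&h, bytes))
        return NULL;
    return calloc(*bytes, 1);
}
```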

GIMP has released a patch to address this vulnerability via commit 2e7ed91793792d9e980b2df4c829e9aa60459253. Users are strongly advised to update their installations immediately. The advisory was coordinated with the vendor and publicly released on March 19, 2026.

The vulnerability carries a CVSS score of 7.8, indicating high severity. It affects all versions of GIMP prior to the patch. Given GIMP's widespread use in graphic design and digital art, the flaw poses a significant risk to users who may be tricked into opening malicious XPM files.

This disclosure follows a trend of vulnerabilities in image parsing libraries, which are often targeted due to their complexity and the difficulty of validating all input paths. Users should exercise caution when opening XPM files from untrusted sources and ensure their software is up to date.

Synthesized by Vypr AI