VYPR
Patch · Published Mar 19, 2026 · Updated May 18, 2026 · 1 source

Critical Heap Buffer Overflow in GIMP PSP File Parsing Allows Remote Code Execution

A heap-based buffer overflow vulnerability in GIMP's PSP file parsing (CVE-2026-4153) could allow remote attackers to execute arbitrary code when a user opens a malicious PSP file. The flaw, disclosed by Zero Day Initiative as ZDI-26-220, carries a CVSS score of 7.8 and has been patched by the GIMP project.

A critical heap-based buffer overflow vulnerability has been disclosed in GIMP's PSP file parsing, tracked as CVE-2026-4153 and reported by Zero Day Initiative (ZDI-26-220). The flaw allows remote attackers to execute arbitrary code on affected installations of GIMP; the only requirement is that a user open a malicious PSP file. The vulnerability carries a CVSS score of 7.8, indicating high impact on confidentiality, integrity, and availability.

The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. This type of heap overflow is particularly dangerous because it can be exploited to overwrite critical data structures in memory, leading to code execution.
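The validation the advisory describes as missing can be illustrated with an added example; this is not GIMP's code or the contents of the fix commit. The record layout (a 32-bit little-endian length followed by a name), the 64-byte buffer size, and all function and constant names are hypothetical and do not represent the PSP format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 64u   /* assumed fixed size of the destination heap buffer */

enum { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LONG = -2, REC_NOMEM = -3 };

/* Read a 32-bit little-endian length from the file bytes. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parse one constructed record: [u32 length][length bytes of name].
 * On success *out is a malloc'd NUL-terminated copy the caller frees.
 */
int read_name_record(const uint8_t *in, size_t in_len, char **out)
{
    uint32_t declared;
    char *buf;

    *out = NULL;
    if (in_len < 4)
        return REC_TRUNCATED;          /* no room for the length field */
    declared = rd_le32(in);

    /* The length comes from the file, so it is untrusted.
     * Check it against the bytes actually present ... */
    if (declared > in_len - 4)
        return REC_TRUNCATED;
    /* ... and against the destination capacity BEFORE copying.
     * Skipping this comparison lets memcpy write past the heap buffer. */
    if (declared >= NAME_CAP)          /* >= leaves room for the NUL */
        return REC_TOO_LONG;

    buf = malloc(NAME_CAP);
    if (buf == NULL)
        return REC_NOMEM;
    memcpy(buf, in + 4, declared);
    buf[declared] = '\0';
    *out = buf;
    return REC_OK;
}
```

The parser rejects the record instead of clamping the length, so a malformed file fails to load rather than being partially interpreted.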

GIMP is a widely used open-source image manipulation program, popular among graphic designers, photographers, and hobbyists. The vulnerability affects users across multiple platforms, including Windows, macOS, and Linux. Given GIMP's extensive user base, the potential impact is significant, especially for users who frequently open PSP files from untrusted sources.

GIMP has issued an update to correct this vulnerability. The fix is available via commit 98cb1371 in the official GIMP repository. Users are strongly advised to update their installations to the latest version to mitigate the risk of exploitation. The disclosure timeline shows the vulnerability was reported to the vendor on March 5, 2026, with the coordinated public release of the advisory on March 19, 2026.

While there is no evidence of active exploitation in the wild at the time of disclosure, the availability of detailed technical information in the advisory could lead to the development of proof-of-concept exploits. Users should prioritize patching, especially those in enterprise environments where GIMP may be deployed for image processing tasks.

This vulnerability highlights the ongoing challenges in securing complex file parsing code in widely used open-source applications. The GIMP project's prompt response in issuing a fix demonstrates the importance of coordinated disclosure processes in mitigating risks to end users.

Synthesized by Vypr AI