Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-2049: Critical Heap Buffer Overflow in GIMP HDR Parsing Allows Remote Code Execution

A critical heap-based buffer overflow vulnerability in GIMP's HDR file parsing, tracked as CVE-2026-2049, allows remote code execution when a user opens a malicious HDR file.

A critical vulnerability in GIMP's handling of HDR (High Dynamic Range) image files has been disclosed, posing a remote code execution risk to users who open specially crafted files. The flaw, assigned CVE-2026-2049 and reported through the Zero Day Initiative (ZDI-26-214), carries a CVSS score of 7.8, indicating high severity.

The vulnerability resides in the parsing of HDR files within GIMP, a popular open-source image editor. Specifically, the issue is a heap-based buffer overflow caused by improper validation of user-supplied data length before copying it to a heap buffer. An attacker can exploit this by convincing a user to open a malicious HDR file or visit a compromised web page that triggers the file download. Successful exploitation allows arbitrary code execution in the context of the current process, potentially leading to full system compromise.
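The advisory gives no code, and the exact location of the flaw inside GEGL is not on this page. As an added illustration of the bug class it describes (a length taken from the file used to copy into a heap buffer), the following is a bounds-checked decoder for the run-length-encoded scanlines of the Radiance HDR format, written for this page rather than taken from GEGL or GIMP; the sample scanlines are constructed, and whether the real flaw sits in this stage of parsing is an assumption, not something the advisory states.

```c
#include <stdint.h>
#include <stddef.h>
/* Bounds-checked decoder for one new-style RLE scanline of a Radiance HDR file.
 * Writes width*4 bytes of interleaved RGBE to `out`; returns the input bytes
 * consumed, or 0 on malformed input. Each run/literal count is checked against
 * the room left in the scanline and in the input before any byte is written. */
size_t hdr_decode_rle_scanline(const uint8_t *in, size_t in_len,
                               uint8_t *out, size_t width)
{
    /* New-style scanlines start 0x02 0x02 then a 15-bit big-endian width. */
    if (in_len < 4 || in[0] != 2 || in[1] != 2 || (in[2] & 0x80))
        return 0;
    if ((((size_t)in[2] << 8) | in[3]) != width)
        return 0;                           /* embedded width must match caller's */
    size_t pos = 4;
    for (int ch = 0; ch < 4; ch++) {        /* R, G, B, E planes in turn */
        size_t filled = 0;
        while (filled < width) {
            if (pos >= in_len) return 0;    /* truncated input */
            size_t count = in[pos++];
            if (count > 128) {              /* run: next byte repeated count-128 times */
                size_t n = count - 128;
                if (n > width - filled || pos >= in_len) return 0;
                uint8_t v = in[pos++];
                for (size_t i = 0; i < n; i++) out[(filled + i) * 4 + ch] = v;
                filled += n;
            } else {                        /* literal: next count bytes verbatim */
                size_t n = count;
                if (n == 0 || n > width - filled || n > in_len - pos) return 0;
                for (size_t i = 0; i < n; i++) out[(filled + i) * 4 + ch] = in[pos + i];
                pos += n;
                filled += n;
            }
        }
    }
    return pos;
}
/* Constructed samples (not from any real file): a valid 8-pixel scanline with one
 * run per plane, and the same bytes with the first run claiming 9 pixels, which
 * must be rejected rather than written past the end of `out`. */
static const uint8_t hdr_good[]    = {2, 2, 0, 8, 0x88, 0x80, 0x88, 0x40, 0x88, 0x20, 0x88, 0x81};
static const uint8_t hdr_bad_run[] = {2, 2, 0, 8, 0x89, 0x80, 0x88, 0x40, 0x88, 0x20, 0x88, 0x81};
int hdr_selftest(void)                      /* 1 if both samples behave as expected */
{
    uint8_t out[8 * 4];
    if (hdr_decode_rle_scanline(hdr_good, sizeof hdr_good, out, 8) != sizeof hdr_good) return 0;
    if (out[0] != 0x80 || out[1] != 0x40 || out[2] != 0x20 || out[3] != 0x81) return 0;
    if (hdr_decode_rle_scanline(hdr_bad_run, sizeof hdr_bad_run, out, 8) != 0) return 0;
    return 1;
}
```

The two `return 0` checks on the run and literal counts are the validation the advisory describes as missing: without them a count byte from the file decides how far the copy loop writes into a buffer sized only from the header width.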

GIMP has issued a patch for this vulnerability through the GEGL library, which handles image processing operations. The fix is available via the GEGL GitLab repository at https://gitlab.gnome.org/GNOME/gegl/-/issues/450. Users are strongly advised to update their GIMP installations to the latest version that includes the patched GEGL library.

The vulnerability was reported to the vendor on December 24, 2025, and coordinated public disclosure occurred on March 16, 2026. The discoverer chose to remain anonymous. No active exploitation in the wild has been reported as of the advisory publication, but given the widespread use of GIMP, the risk of weaponization is significant.

This disclosure highlights the ongoing challenges in securing file parsing routines in widely used software. Heap buffer overflows remain a common class of vulnerability, often leading to code execution. Users should exercise caution when opening HDR files from untrusted sources and ensure their software is up to date.

Synthesized by Vypr AI