CVE-2026-4150: Integer Overflow in GIMP PSD Parsing Enables Remote Code Execution
A critical integer overflow vulnerability in GIMP's PSD file parser, tracked as CVE-2026-4150, allows remote attackers to execute arbitrary code when a user opens a malicious PSD file.
A critical vulnerability in GIMP's handling of Adobe Photoshop PSD files has been disclosed, allowing attackers to achieve remote code execution simply by tricking a user into opening a crafted image. Tracked as CVE-2026-4150 and published by the Zero Day Initiative as ZDI-26-217, the flaw carries a CVSS score of 7.8 and affects all versions of GIMP prior to the commit that fixes it.
The bug resides in the PSD file parsing routine. According to the advisory, the software fails to properly validate user-supplied data, leading to an integer overflow before a buffer is allocated. This overflow corrupts memory in a way that an attacker can leverage to execute arbitrary code in the context of the current process. Because the vulnerability is triggered during parsing, no special privileges are required beyond the ability to open a file.
Exploitation requires user interaction — the victim must open a malicious PSD file or visit a page that triggers the file open. This makes the attack vector similar to other document-based exploits, but the widespread use of GIMP in both professional and hobbyist image editing environments means the potential impact is broad. GIMP is available on Windows, macOS, and Linux, and the flaw is platform-independent.
GIMP has already released a fix. The patch is contained in commit `00afdabdadeb5457fd897878b1e5aebc3780af10` on the official GNOME GitLab repository. Users are strongly advised to update to the latest version of GIMP that includes this commit. The vulnerability was reported to the vendor on March 5, 2026, and the coordinated public advisory was released on March 19, 2026.
No evidence of active exploitation in the wild has been reported as of the advisory date, but the disclosure of full technical details increases the likelihood that proof-of-concept code will emerge. The anonymous researcher credited with the discovery has not released a public exploit, but the advisory includes enough information for skilled attackers to reverse-engineer the bug.
This vulnerability is part of a broader pattern of memory-safety issues in image parsing libraries. Similar integer overflow and buffer overflow flaws have been found in recent years in libraries for PNG, JPEG, and TIFF parsing across multiple applications. The GIMP project has been proactive in addressing such issues, but the complexity of supporting legacy file formats like PSD continues to present a security challenge.
Users should update GIMP immediately and exercise caution when opening PSD files from untrusted sources. Enterprise environments that rely on GIMP for image processing should prioritize patching and consider additional file-scanning controls for PSD files.