GIMP ICNS File Parsing Heap-Based Buffer Overflow (CVE-2026-2047) Enables Remote Code Execution
A heap-based buffer overflow vulnerability in GIMP's ICNS file parsing (CVE-2026-2047) allows remote code execution when a user opens a malicious file, with a CVSS score of 7.8.

A critical heap-based buffer overflow vulnerability has been disclosed in GIMP's ICNS file parsing, tracked as CVE-2026-2047. The flaw, reported through the Zero Day Initiative (ZDI-26-120), allows remote attackers to execute arbitrary code on affected installations of the popular open-source image editor. User interaction is required for exploitation, as the target must open a malicious ICNS file or visit a malicious page that triggers the parsing routine.
The vulnerability resides in the way GIMP handles ICNS (Apple Icon Image) files. The specific issue stems from a lack of proper validation of the length of user-supplied data before copying it to a heap-based buffer. This oversight leads to a heap-based buffer overflow, which an attacker can leverage to overwrite adjacent memory and achieve code execution in the context of the current process. The flaw carries a CVSS score of 7.8, indicating high severity due to the potential for full compromise of confidentiality, integrity, and availability.
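The pattern described above, a length field taken from the file and trusted when sizing or filling a heap buffer, is the general bug class; the following is an added illustration written for this article, not GIMP's parser and not a claim about where the actual defect sits. It walks the real ICNS container layout (an `icns` magic, a big-endian file length, then elements with a 4-byte type and a big-endian length that includes the element's own 8-byte header) and rejects any length claim that does not fit the bytes actually present before it allocates and copies. The sample byte strings and the `MAX_ELEMENT_PAYLOAD` cap are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative ICNS element walker (added example, not GIMP's code).
   Layout: "icns", 4-byte big-endian file length, then elements of
   4-byte type + 4-byte big-endian length (header included) + payload. */

#define ICNS_HDR 8u
#define MAX_ELEMENT_PAYLOAD (64u * 1024u * 1024u) /* hypothetical sanity cap */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of elements parsed, or -1 if the file is malformed.
   Every heap copy is bounded by a length that has already been checked
   against the bytes really available. */
int icns_walk(const uint8_t *buf, size_t len) {
    if (len < ICNS_HDR || memcmp(buf, "icns", 4) != 0)
        return -1;
    uint32_t file_len = be32(buf + 4);
    /* The file's own length claim must not exceed what we were given. */
    if (file_len < ICNS_HDR || file_len > len)
        return -1;

    size_t off = ICNS_HDR;
    int count = 0;
    while (off < file_len) {
        /* A full element header must be present before it is read. */
        if (file_len - off < ICNS_HDR)
            return -1;
        uint32_t elem_len = be32(buf + off + 4);
        /* The declared element length is attacker-controlled. Trusting it
           would let elem_len - ICNS_HDR underflow or exceed the remaining
           input, so a copy sized from it would over-read the file or
           over-write the allocation. Reject anything that does not fit. */
        if (elem_len < ICNS_HDR || elem_len > file_len - off)
            return -1;
        size_t payload = elem_len - ICNS_HDR;
        if (payload > MAX_ELEMENT_PAYLOAD)
            return -1;
        uint8_t *data = malloc(payload ? payload : 1);
        if (!data)
            return -1;
        memcpy(data, buf + off + ICNS_HDR, payload); /* bounded by checks above */
        /* ... decode the element payload here ... */
        free(data);
        off += elem_len;
        count++;
    }
    return count;
}

/* Constructed sample: two well-formed elements, 36 bytes total (0x24). */
static const uint8_t SAMPLE_GOOD[] = {
    'i','c','n','s', 0x00,0x00,0x00,0x24,
    'i','s','3','2', 0x00,0x00,0x00,0x10, 1,2,3,4,5,6,7,8,
    'i','l','3','2', 0x00,0x00,0x00,0x0C, 9,10,11,12
};

/* Constructed sample: first element claims 0xFFFFFFF0 bytes. */
static const uint8_t SAMPLE_BAD_ELEM[] = {
    'i','c','n','s', 0x00,0x00,0x00,0x24,
    'i','s','3','2', 0xFF,0xFF,0xFF,0xF0, 1,2,3,4,5,6,7,8,
    'i','l','3','2', 0x00,0x00,0x00,0x0C, 9,10,11,12
};

/* Constructed sample: file header claims 256 bytes but only 36 exist. */
static const uint8_t SAMPLE_BAD_FILELEN[] = {
    'i','c','n','s', 0x00,0x00,0x01,0x00,
    'i','s','3','2', 0x00,0x00,0x00,0x10, 1,2,3,4,5,6,7,8,
    'i','l','3','2', 0x00,0x00,0x00,0x0C, 9,10,11,12
};

int main(void) {
    printf("good: %d\n", icns_walk(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad element length: %d\n", icns_walk(SAMPLE_BAD_ELEM, sizeof SAMPLE_BAD_ELEM));
    printf("bad file length: %d\n", icns_walk(SAMPLE_BAD_FILELEN, sizeof SAMPLE_BAD_FILELEN));
    return 0;
}
```

The point of the two rejected samples is that each check happens before the length is used for arithmetic or allocation; a parser that computes `elem_len - 8` or calls `malloc(elem_len)` first and validates later is exactly the shape that turns a crafted length field into a heap overflow.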
GIMP has issued a patch to address the vulnerability. The fix is available via merge request 2600 on the GNOME GitLab repository, specifically in commit `dd2faac351f1ff2588529fedc606e6a5f815577c`. Users are strongly advised to update their GIMP installations to the latest patched version as soon as possible. The disclosure details are now public. The vulnerability was reported to the vendor on December 4, 2025, and the coordinated public release of the advisory occurred on February 19, 2026.
The impact of this vulnerability is significant given GIMP's widespread use as a free alternative to commercial image editing software. It is deployed across Linux, Windows, and macOS platforms, often in environments where security updates may not be applied promptly. The ICNS format is commonly used for macOS icons, but the parsing code is present in all platform builds, making the entire user base potentially vulnerable.
No active exploitation in the wild has been reported at the time of disclosure, but the availability of a patch and the public advisory details mean that attackers may quickly reverse-engineer the fix to develop exploits. Users should prioritize applying the update, especially if they handle image files from untrusted sources. The vulnerability was discovered by an anonymous researcher and coordinated through the ZDI program.
This disclosure adds to a growing list of file-parsing vulnerabilities in popular software, highlighting the ongoing challenge of memory safety in applications that handle complex binary formats. Heap-based buffer overflows remain one of the most common and dangerous classes of vulnerabilities, often leading to full exploitation and complete system compromise. The GIMP project's quick response in issuing a patch demonstrates the importance of coordinated disclosure processes in protecting the open-source ecosystem.