GIMP PGM File Parsing Vulnerability (CVE-2026-2044) Allows Remote Code Execution
A critical uninitialized memory vulnerability in GIMP's PGM file parsing (CVE-2026-2044) allows remote code execution, requiring only that a user opens a malicious file.
A remote code execution vulnerability has been disclosed in GIMP, the popular open-source image editor. The flaw, tracked as CVE-2026-2044 and reported via the Zero Day Initiative (ZDI-26-118), resides in the parsing of PGM (Portable Graymap) files. An attacker can exploit this by crafting a malicious PGM file and tricking a user into opening it, leading to arbitrary code execution in the context of the current process.
The vulnerability stems from the lack of proper initialization of memory before it is accessed during PGM file parsing. This uninitialized memory can be leveraged by an attacker to execute arbitrary code. The CVSS score for this vulnerability is 7.8, indicating high severity, with the attack vector being local (requiring user interaction) and the impact on confidentiality, integrity, and availability all rated as high.
GIMP has issued a patch to address this vulnerability. The fix is available via a merge request on GitLab, specifically commit 112a5e038f0646eae5ae314988ec074433d2b365. Users are strongly advised to update their GIMP installations to the latest version that includes this patch. The disclosure timeline shows the vulnerability was reported to the vendor on November 11, 2025, and the coordinated public release of the advisory occurred on February 19, 2026.
This vulnerability affects all installations of GIMP that parse PGM files. Given GIMP's widespread use across platforms including Windows, macOS, and Linux, the potential impact is significant. The exploit requires user interaction, such as visiting a malicious webpage or opening a malicious file, which reduces the risk of automated widespread exploitation but still poses a threat through social engineering attacks.
The discovery of this vulnerability highlights the ongoing challenges in software security, particularly in file parsing routines. Uninitialized memory vulnerabilities are a common class of bugs that can lead to serious consequences if left unpatched. GIMP's prompt response in issuing a fix demonstrates the importance of coordinated disclosure and vendor cooperation.
Users and administrators should prioritize updating GIMP to the patched version. As a general security practice, users should exercise caution when opening files from untrusted sources, even from within trusted applications. The advisory credits an anonymous researcher for reporting the flaw.