GIMP XWD File Parsing Flaw (CVE-2026-2045) Enables Remote Code Execution via Malicious Images
A critical out-of-bounds write vulnerability in GIMP's XWD file parsing (CVE-2026-2045) allows remote code execution when a user opens a crafted image, with a CVSS score of 7.8.
A critical vulnerability in the GIMP image editor, tracked as CVE-2026-2045 and disclosed by the Zero Day Initiative (ZDI-26-119), allows remote attackers to execute arbitrary code on affected installations. The flaw resides in GIMP's parsing of XWD (X Window Dump) files, a legacy image format used primarily on Unix-like systems. User interaction is required — the target must open a malicious XWD file or visit a page that triggers its processing.
The specific bug is an out-of-bounds write caused by insufficient validation of user-supplied data. When GIMP reads a crafted XWD file, it writes past the end of an allocated buffer, corrupting memory in a way that an attacker can exploit to hijack the current process. The vulnerability carries a CVSS score of 7.8 (High) with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that while local access and user interaction are required, the impact on confidentiality, integrity, and availability is complete.
GIMP has released a fix in commit `68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275`, available in the project's GitLab repository. Users are strongly advised to update to the latest version of GIMP that includes this patch. The vulnerability was reported to the vendor on November 11, 2025, and the coordinated public advisory was released on February 19, 2026.
The flaw was discovered and reported by researcher Michael Randrianantenaina. While no active exploitation in the wild has been confirmed as of the advisory date, the public disclosure of technical details increases the risk of attackers crafting exploit code. GIMP's widespread use across Linux, Windows, and macOS makes this a significant concern for creative professionals and organizations relying on the software.
This vulnerability adds to a growing list of file-parsing flaws in popular open-source media tools. Similar issues have been found in libraries like libpng, libtiff, and ImageMagick, often leading to code execution or denial of service. The GIMP project has historically been responsive to such reports, but the complexity of legacy format support continues to present challenges for secure software development.
Users should apply the patch immediately and exercise caution when opening XWD files from untrusted sources. Enterprises may consider disabling automatic preview of image files in email clients and web browsers as an additional layer of defense until all systems are updated.