GNOME GLib & GIMP: Six Vulnerabilities Disclosed, Including Code Execution Flaws

Key findings
- Six vulnerabilities disclosed across GNOME ecosystem components, primarily GLib and GIMP.
- GLib vulnerabilities include out-of-bounds reads, path traversal, and state confusion issues.
- GIMP vulnerability in PSP parser allows for potential arbitrary code execution via double-free.
- Disclosed between July 1-3, 2026, highlighting interconnected software risks.
- Potential for DoS, arbitrary code execution, and information disclosure across multiple CVEs.
On July 1st and 3rd, 2026, a batch of six vulnerabilities was disclosed, impacting components within the GNOME ecosystem. The disclosures primarily concern the GLib library, with one vulnerability affecting the GIMP image editor. These issues range in severity, with some presenting potential for arbitrary code execution and others leading to denial of service or information disclosure.
The GLib library, a foundational part of many GNOME applications and other Linux desktop environments, is affected by five distinct flaws. CVE-2026-58011 describes an out-of-bounds read in the g_date_time_get_ymd function, which could corrupt date outputs and lead to logic errors. Similarly, CVE-2026-58012 details a buffer over-read in the g_regex_replace function when using specific flags and replacement escapes, potentially leading to memory corruption due to improper UTF-8 handling.
Further complicating the GLib security posture, CVE-2026-58015 highlights a vulnerability in the D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism. A flaw in validating the cookie_context parameter allows a malicious D-Bus server to perform path traversal, potentially enabling the client to read arbitrary files. Another GLib issue, CVE-2026-58016, points to a state confusion in g_dbus_node_info_new_for_xml() when processing malformed D-Bus introspection XML, which could result in an unsigned integer overflow. Lastly, CVE-2026-58010 involves an off-by-one error in the gvs_tuple_is_normal function due to an incorrect bounds check, leading to a minor information disclosure of a single byte.
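The DBUS_COOKIE_SHA1 path-traversal issue above comes down to trusting a server-supplied `cookie_context` when building a file path under the client's keyring directory. The following is an added illustration of the defensive check a client should apply, not GLib's or D-Bus's own code; it assumes the keyring directory is `~/.dbus-keyrings` and a conservative allowed character set (printable ASCII, no whitespace, no `/` or `\`, and not `.` or `..`).

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a server-supplied cookie_context is safe to use as a single
 * path component, 0 otherwise. The rules are assumptions modeled on the
 * keyring constraints: non-empty, printable ASCII, no whitespace,
 * no '/' or '\\', and not the special names "." or "..". */
int cookie_context_is_valid(const char *ctx)
{
    if (ctx == NULL || ctx[0] == '\0')
        return 0;
    if (strcmp(ctx, ".") == 0 || strcmp(ctx, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)ctx; *p; p++) {
        if (*p < 0x21 || *p > 0x7e)      /* control, space, DEL, non-ASCII */
            return 0;
        if (*p == '/' || *p == '\\')     /* would change the directory */
            return 0;
    }
    return 1;
}

/* Build "<home>/.dbus-keyrings/<ctx>" only after validation.
 * Returns 1 on success, 0 if the context is rejected or does not fit. */
int build_keyring_path(const char *home, const char *ctx,
                       char *out, size_t out_size)
{
    if (!cookie_context_is_valid(ctx))
        return 0;
    int n = snprintf(out, out_size, "%s/.dbus-keyrings/%s", home, ctx);
    return (n > 0 && (size_t)n < out_size) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample contexts, as a hypothetical server might send them */
    const char *contexts[] = { "org_freedesktop_general",
                               "../../../etc/shadow", "a/b", "" };
    char path[256];
    for (size_t i = 0; i < sizeof contexts / sizeof contexts[0]; i++) {
        if (build_keyring_path("/home/alice", contexts[i], path, sizeof path))
            printf("accepted: %s\n", path);
        else
            printf("rejected: \"%s\"\n", contexts[i]);
    }
    return 0;
}
```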
Beyond GLib, the GIMP image editor is impacted by CVE-2026-58381. This vulnerability resides in GIMP's PSP file format parser, specifically within the read_layer_block() function. A double-free condition can be triggered by a specially crafted PSP file, potentially allowing an attacker to achieve memory corruption, leading to denial of service or arbitrary code execution.
The coordinated disclosure of these vulnerabilities across GLib and GIMP underscores the interconnectedness of software components in the GNOME ecosystem. Users and administrators are advised to monitor for security updates addressing these specific CVEs. The potential for arbitrary code execution in CVE-2026-58381 and the path traversal in CVE-2026-58015 warrant particular attention, as they represent the most severe potential impacts. Prompt patching and vigilance against specially crafted files or D-Bus interactions are recommended.
As of the disclosure window, specific patch versions or vendor advisories were not detailed in the provided information. However, the nature of these vulnerabilities suggests that updates to GLib and GIMP will be necessary to mitigate the risks. The span of the disclosure, from July 1st to July 3rd, 2026, indicates a focused release of security fixes.
The implications of these vulnerabilities, particularly those in GLib, extend beyond GNOME itself, as GLib is a widely used dependency. This batch of disclosures serves as a reminder of the importance of maintaining up-to-date software across the entire stack to prevent potential security breaches. Users should consult official GNOME and Debian security channels for the latest information on patches and affected versions.