Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-14422

CVE-2025-14422: GIMP PNM File Parsing RCE Vulnerability

CVE-2025-14422 is an integer overflow RCE vulnerability in GIMP's PNM file parser that enables remote attackers to execute arbitrary code. This article covers the technical details, affected versions, exploitation risks, and mitigation.

Published:

CVE-2025-14422 Overview

CVE-2025-14422 is an integer overflow vulnerability [CWE-190] in the GNU Image Manipulation Program (GIMP) PNM file parser. The flaw enables arbitrary code execution when a user opens a crafted Portable Anymap (PNM) image. GIMP version 3.0.6 is confirmed affected, and the issue was reported through the Zero Day Initiative as ZDI-CAN-28273.

Exploitation requires user interaction. A target must open a malicious PNM file or visit a page that delivers one. Successful exploitation grants code execution in the context of the GIMP process.

Critical Impact

Attackers who convince a user to open a crafted PNM file can execute arbitrary code with the privileges of the GIMP process, leading to full compromise of the user account.

Affected Products

  • GIMP 3.0.6
  • GIMP installations using vulnerable PNM plug-in builds prior to commit 4ff2d773d58064e6130495de498e440f4a6d5edb
  • Linux, Windows, and macOS distributions shipping the affected GIMP build

Discovery Timeline

  • 2025-12-23 - CVE-2025-14422 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-14422

Vulnerability Analysis

The vulnerability resides in GIMP's PNM file format parser. PNM is a family of simple image formats including PBM, PGM, and PPM. The parser reads image dimensions and color depth values from file headers and uses them to compute an allocation size for an internal buffer.

The parser fails to validate that arithmetic on these user-controlled header values stays within representable integer bounds. An attacker can supply header values whose product overflows the integer type used in the size calculation. The overflow produces a small allocation size, after which the parser writes a much larger volume of pixel data into the undersized buffer.

The resulting heap memory corruption can be steered toward arbitrary code execution in the GIMP process. The condition is local because the attacker delivers a file rather than a network request, but malicious files are routinely distributed through web pages, email, and chat applications.

Root Cause

The root cause is missing bounds validation before a size calculation in the PNM loader [CWE-190]. Width, height, and bytes-per-pixel values from the file header are multiplied without overflow checks, producing a wrapped integer that is then passed to a buffer allocator. The fix is tracked in the upstream commit 4ff2d773d58064e6130495de498e440f4a6d5edb in the GNOME GitLab repository.

Attack Vector

An attacker crafts a PNM file with header fields chosen to trigger the overflow during dimension computation. The file is delivered through a phishing email, a download link, a malicious web page, or a shared file repository. When the user opens the file in GIMP or drags it onto an open GIMP window, the vulnerable loader runs and the integer overflow is triggered. Refer to the Zero Day Initiative Advisory ZDI-25-1136 for additional technical context.

Detection Methods for CVE-2025-14422

Indicators of Compromise

  • Unexpected child processes spawned by the gimp or gimp-console binary, particularly shells or scripting interpreters
  • GIMP process crashes with heap corruption signatures shortly after opening a PNM, PBM, PGM, or PPM file
  • PNM files received from untrusted sources with abnormally large or malformed width and height header values
  • Outbound network connections initiated by the GIMP process to unfamiliar hosts

Detection Strategies

  • Inspect PNM file headers in mail and web gateways for dimension fields that would overflow a 32-bit signed integer when multiplied by channel count
  • Hunt endpoint telemetry for gimp processes that load PNM files and subsequently execute child processes outside the normal GIMP toolchain
  • Correlate GIMP crash events from operating system crash reporters with recent file open events for .pnm, .pbm, .pgm, or .ppm extensions

Monitoring Recommendations

  • Enable application crash logging on workstations running GIMP and forward crash reports to a central SIEM
  • Monitor for memory protection violations and segmentation faults tagged to the GIMP binary
  • Alert on file write or persistence operations performed by the GIMP process outside its expected working directories

How to Mitigate CVE-2025-14422

Immediate Actions Required

  • Inventory all systems running GIMP 3.0.6 and prioritize workstations used by designers, documentation teams, and forensic analysts
  • Apply upstream builds containing the fix commit 4ff2d773d58064e6130495de498e440f4a6d5edb as soon as packaged releases are available
  • Instruct users to avoid opening PNM, PBM, PGM, or PPM files from untrusted sources until patches are deployed

Patch Information

The upstream fix is committed to the GNOME GIMP repository. Reference the GitLab GIMP Commit for the source change and rebuild guidance. Distribution maintainers will publish patched packages downstream. Verify package versions against vendor advisories before declaring remediation complete.

Workarounds

  • Remove or rename the PNM loader plug-in in the GIMP installation directory to prevent the vulnerable parser from being invoked
  • Block delivery of .pnm, .pbm, .pgm, and .ppm attachments at mail gateways until patches are applied
  • Run GIMP inside a sandbox such as Flatpak with restricted filesystem and network permissions to limit the impact of successful exploitation
  • Restrict execution of GIMP to standard user accounts and prohibit running the application with elevated privileges
bash
# Verify installed GIMP version on Linux
gimp --version

# Example: remove the PNM loader plug-in as a temporary workaround
# Path varies by distribution; locate the binary first
find / -name 'file-pnm' 2>/dev/null
sudo mv /usr/lib/gimp/3.0/plug-ins/file-pnm/file-pnm \
        /usr/lib/gimp/3.0/plug-ins/file-pnm/file-pnm.disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.