Skip to main content
CVE Vulnerability Database

CVE-2026-4150: GIMP PSD Parsing RCE Vulnerability

CVE-2026-4150 is a remote code execution flaw in GIMP's PSD file parser caused by integer overflow. Attackers can exploit this to run arbitrary code when users open malicious files. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-4150 Overview

CVE-2026-4150 is an integer overflow vulnerability in GIMP's PSD file parsing functionality that enables remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. This vulnerability was tracked internally as ZDI-CAN-28807.

Critical Impact

Remote attackers can achieve arbitrary code execution by convincing users to open specially crafted PSD files, potentially leading to complete system compromise with the privileges of the GIMP process.

Affected Products

  • GIMP version 3.0.8
  • GIMP installations with PSD file parsing enabled
  • Systems where users open untrusted PSD files

Discovery Timeline

  • 2026-04-11 - CVE-2026-4150 published to NVD
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2026-4150

Vulnerability Analysis

This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw occurs during the parsing of Adobe Photoshop Document (PSD) files, where user-controlled data from the file is used in size calculations without adequate validation. When processing malformed PSD files, the parser performs arithmetic operations on attacker-controlled values that can cause an integer overflow condition.

The integer overflow occurs before a memory buffer allocation, resulting in a significantly smaller buffer being allocated than intended. Subsequent write operations to this undersized buffer cause heap memory corruption, which attackers can leverage to achieve arbitrary code execution within the context of the GIMP process.

Root Cause

The root cause of this vulnerability is improper validation of user-supplied data from PSD files before using it in arithmetic operations for buffer size calculations. The PSD file format contains various size and dimension fields that GIMP's parser reads and uses to calculate memory allocation sizes. When these values are crafted to cause an integer overflow, the resulting buffer allocation is much smaller than the data that will be written to it, creating a classic heap buffer overflow condition.

Attack Vector

The attack vector is local, requiring user interaction where the victim must open a maliciously crafted PSD file. Attack scenarios include:

  1. Phishing campaigns - Attackers distribute malicious PSD files via email or messaging platforms targeting graphic designers and creative professionals
  2. Watering hole attacks - Compromised file-sharing sites or design resource repositories hosting malicious PSD files
  3. Social engineering - Malicious files disguised as legitimate design assets or project files

When a user opens the malicious PSD file in GIMP, the integer overflow triggers during file parsing, leading to heap corruption and ultimately code execution with the user's privileges.

The vulnerability requires no authentication and can be exploited without any prior access to the target system. The attacker simply needs to deliver the malicious file and convince the user to open it.

Detection Methods for CVE-2026-4150

Indicators of Compromise

  • Unexpected GIMP process crashes when opening PSD files
  • GIMP processes spawning unusual child processes or network connections
  • Memory access violations or heap corruption errors in GIMP logs
  • Suspicious PSD files with anomalous size fields or malformed layer data

Detection Strategies

  • Monitor for unusual behavior from GIMP processes, including unexpected network connections or child process spawning
  • Implement file integrity monitoring for PSD files entering the environment
  • Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts and post-exploitation activity
  • Configure application whitelisting to prevent unauthorized code execution from GIMP's context

Monitoring Recommendations

  • Enable crash dump collection and analysis for GIMP processes to identify potential exploitation attempts
  • Implement centralized logging for workstations where GIMP is installed
  • Monitor for PSD files received from external sources, particularly via email or web downloads
  • Configure SentinelOne to alert on anomalous process behavior from graphics applications

How to Mitigate CVE-2026-4150

Immediate Actions Required

  • Update GIMP to the latest patched version immediately
  • Exercise caution when opening PSD files from untrusted sources
  • Consider temporarily disabling PSD file associations until patching is complete
  • Implement network segmentation to limit lateral movement if exploitation occurs

Patch Information

The GIMP project has released a security patch to address this vulnerability. The fix is available in GitLab commit 00afdabdadeb5457fd897878b1e5aebc3780af10. Organizations should update to a patched version of GIMP as soon as possible.

For additional technical details, refer to the Zero Day Initiative Advisory ZDI-26-217.

Workarounds

  • Avoid opening PSD files from untrusted or unknown sources until patching is complete
  • Use alternative image editing software for processing untrusted PSD files
  • Implement application sandboxing or containerization for GIMP to limit the impact of potential exploitation
  • Configure email and web gateways to quarantine or block PSD file attachments from external sources
bash
# Configuration example
# Disable PSD file association on Linux systems as a temporary mitigation
xdg-mime uninstall /usr/share/applications/gimp.desktop
# Or rename the PSD plugin to disable parsing (adjust path as needed)
sudo mv /usr/lib/gimp/3.0/plug-ins/file-psd/file-psd /usr/lib/gimp/3.0/plug-ins/file-psd/file-psd.disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.