Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58379

CVE-2026-58379: GIMP Paint Shop Pro Parser RCE Flaw

CVE-2026-58379 is a heap buffer overflow RCE vulnerability in GIMP's Paint Shop Pro file parser that enables attackers to execute arbitrary code. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-58379 Overview

CVE-2026-58379 is a heap buffer overflow vulnerability in the GNU Image Manipulation Program (GIMP) Paint Shop Pro (PSP) file format parser. The flaw stems from incorrect buffer size calculations when the parser processes low bit-depth images, allowing adjacent heap memory to be overwritten. An attacker can exploit this by convincing a user to open a specially crafted PSP image file. Successful exploitation leads to arbitrary code execution in the context of the GIMP process or a denial-of-service condition. The issue is tracked under [CWE-122: Heap-based Buffer Overflow] and carries a CVSS v3.1 base score of 7.3.

Critical Impact

A malicious PSP file opened in GIMP can trigger heap corruption, enabling arbitrary code execution or process crash on the victim's system.

Affected Products

  • GIMP (GNU Image Manipulation Program) - Paint Shop Pro (PSP) file format parser
  • Linux distributions shipping vulnerable GIMP builds (see Red Hat CVE-2026-58379 Advisory)
  • Downstream applications and workflows that use GIMP to render or convert PSP files

Discovery Timeline

  • 2026-07-03 - CVE-2026-58379 published to the National Vulnerability Database
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-58379

Vulnerability Analysis

The vulnerability resides in the PSP file format import plug-in shipped with GIMP. When the parser handles PSP images that use a low color bit depth, it miscalculates the number of bytes required for the destination image buffer. The undersized allocation is subsequently filled with attacker-controlled pixel data during decoding, producing an out-of-bounds write on the heap. The corruption occurs in a region that can influence adjacent heap metadata and object pointers, which is the primary path to code execution for this class of flaw. Additional detail on the fix is available in the GNOME GIMP Commit Details and GNOME GIMP Issue #16205.

Root Cause

The root cause is an arithmetic error in the buffer size computation for low bit-depth PSP raster data. The parser derives allocation size from image dimensions and color depth without validating that the resulting product covers the number of bytes actually written during decompression. When bit depth is small, the computed allocation is smaller than the write path, producing a classic heap buffer overflow.

Attack Vector

Exploitation requires local file interaction: a user must open or preview a crafted .psp file in GIMP. The attack vector is local with user interaction required, low attack complexity, and low privilege requirements. Delivery paths include email attachments, shared drives, download links, and automated image-processing pipelines that invoke GIMP against untrusted input. See the Red Hat Bug Report #2495997 for triage notes.

No public proof-of-concept exploit is currently listed for CVE-2026-58379, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-58379

Indicators of Compromise

  • Unexpected GIMP process crashes or SIGSEGV/SIGABRT signals immediately after opening a .psp file
  • Presence of unsolicited .psp files delivered via email, chat, or shared storage
  • Child processes spawned by gimp or gimp-2.10 that are not consistent with normal image editing (shells, interpreters, network utilities)
  • Heap corruption traces or glibc malloc() abort messages referencing the PSP import plug-in in system logs

Detection Strategies

  • Alert on GIMP processes spawning command interpreters such as sh, bash, python, or powershell
  • Monitor for outbound network connections originating from the GIMP process, which does not typically initiate network I/O during file import
  • Inspect file downloads and mail gateways for .psp attachments and flag them for sandbox detonation
  • Correlate crash telemetry from the GIMP binary with recent file-open events to identify targeted attempts

Monitoring Recommendations

  • Enable core dump collection on Linux workstations running GIMP to support post-incident forensics
  • Forward endpoint process, file, and crash telemetry to a centralized data lake for retrospective hunting
  • Track GIMP package versions across the fleet and alert on hosts running builds prior to the fixed release

How to Mitigate CVE-2026-58379

Immediate Actions Required

  • Update GIMP to the patched version distributed by your operating system vendor or from the upstream GNOME project
  • Do not open PSP files received from untrusted or unverified sources until patches are applied
  • Restrict automated image conversion pipelines from processing .psp inputs originating outside the organization
  • Apply vendor advisories such as the Red Hat CVE-2026-58379 Advisory once errata packages are published

Patch Information

Upstream GIMP developers have committed a fix referenced in GNOME GIMP Commit Details, which corrects the buffer size calculation in the PSP import path. Distribution maintainers, including Red Hat, are tracking the issue under the referenced advisory. Apply the updated GIMP package as soon as it becomes available for your platform.

Workarounds

  • Remove or disable the PSP file import plug-in from the GIMP plug-ins directory if patching is not immediately possible
  • Convert untrusted PSP files inside an isolated virtual machine or sandbox before importing them into production workstations
  • Enforce least-privilege on user accounts that handle third-party image files to limit post-exploitation impact
bash
# Configuration example: disable the PSP plug-in on Linux until patched
sudo chmod a-x /usr/lib*/gimp/2.*/plug-ins/file-psp/file-psp

# Verify the plug-in no longer loads
gimp -c --batch-interpreter=plug-in-script-fu-eval -b '(gimp-quit 0)' 2>&1 | grep -i psp

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.