CVE-2026-58384 Overview
CVE-2026-58384 is an integer overflow vulnerability in the GNU Image Manipulation Program (GIMP) PSD file parser. The flaw resides in the read_RLE_channel() function, which processes run-length encoded (RLE) data in Adobe Photoshop Document (PSD) files. An arithmetic overflow during size calculation causes an undersized heap allocation for the RLE row-length table. Subsequent per-row writes exceed the allocated buffer and corrupt adjacent heap memory. The vulnerability is tracked under [CWE-190: Integer Overflow or Wraparound].
Critical Impact
Opening a crafted PSD file in GIMP can corrupt heap memory, leading to denial of service or arbitrary code execution in the context of the local user.
Affected Products
- GNU Image Manipulation Program (GIMP)
- Linux distributions shipping affected GIMP builds (including Red Hat Enterprise Linux)
- Any downstream software embedding the vulnerable GIMP PSD loader
Discovery Timeline
- 2026-07-07 - CVE-2026-58384 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-58384
Vulnerability Analysis
The defect exists in GIMP's PSD import code path. The read_RLE_channel() routine parses per-row byte counts declared in the PSD RLE section header. GIMP uses these counts to allocate a row-length table on the heap before iterating over the channel data. The size computation multiplies row count by an element width without bounds validation, producing a wrapped 32-bit result when the attacker-controlled row count is large enough.
The wrapped value drives a heap allocation that is smaller than the loop actually needs. When the parser then writes per-row length entries in sequence, writes past the end of the allocation modify adjacent heap chunk metadata and data. Attackers can use the resulting heap layout corruption to influence control-flow structures such as function pointers or vtable entries.
Exploitation requires a local user to open a malicious PSD file, so social engineering or file-drop delivery is the typical delivery vector. The vulnerability affects confidentiality, integrity, and availability because heap corruption in a desktop GUI process can be steered toward code execution under the user's account.
Root Cause
The root cause is missing overflow checking on the multiplication used to size the RLE row-length table. The parser trusts the row count field from the untrusted PSD header without validating it against the file size or a safe upper bound. When the product overflows the native integer width, the allocator returns a buffer that satisfies the wrapped size but not the real iteration count.
Attack Vector
An attacker crafts a PSD file with header fields that force the row-length table size calculation to overflow. The attacker delivers the file through email, chat, shared storage, or a web download. When the victim opens the file in GIMP, the parser allocates the undersized buffer and writes past it during RLE decoding, corrupting the heap.
The vulnerability manifests during file parsing before any rendering or user interaction beyond opening the file. See the GNOME GIMP Commit Detail and GNOME GIMP Issue #16216 for the code-level fix and reproducer details.
Detection Methods for CVE-2026-58384
Indicators of Compromise
- Unexpected GIMP process crashes with heap corruption signatures such as malloc() assertion failures, free(): invalid pointer, or glibc double free or corruption messages.
- PSD files originating from untrusted sources with abnormally large or malformed row-count fields in the RLE section header.
- Child processes spawned by gimp or gimp-2.x that are inconsistent with normal image editing workflows, such as shells or network utilities.
Detection Strategies
- Enable AddressSanitizer or glibc MALLOC_CHECK_=3 in test environments to surface heap out-of-bounds writes during PSD ingestion.
- Hunt endpoint telemetry for GIMP crash events correlated with recent PSD file access, using EDR process and file event logs.
- Inspect PSD files in gateway or mail sandboxes and flag those whose declared RLE row counts multiplied by row-length element size exceed reasonable bounds.
Monitoring Recommendations
- Log and alert on core dumps or segmentation faults from GIMP binaries across workstations.
- Correlate PSD file downloads from external sources with subsequent GIMP process anomalies.
- Track package versions of gimp and gimp-libs across the fleet to identify hosts still running unpatched builds.
How to Mitigate CVE-2026-58384
Immediate Actions Required
- Apply the upstream GIMP patch referenced in commit da29e217 as soon as vendor packages become available.
- Restrict opening of PSD files from untrusted sources until patched builds are deployed.
- Prefer previewing untrusted PSD files in a sandboxed or ephemeral virtual machine rather than on production endpoints.
Patch Information
The upstream fix is available in the GIMP source tree via commit da29e217. Distribution updates are tracked in the Red Hat CVE-2026-58384 Advisory and Red Hat Bug Report #2497431. Install the vendor-provided GIMP package that includes the row-length table size validation and integer overflow check.
Workarounds
- Do not open PSD files received from untrusted or unverified sources on hosts running unpatched GIMP.
- Associate the .psd file extension with a viewer that does not use the GIMP PSD loader until patches are applied.
- Run GIMP under a restricted user account with mandatory access controls such as SELinux, AppArmor, or Flatpak sandboxing to limit the blast radius of heap corruption.
# Verify installed GIMP version and update on Red Hat based systems
rpm -q gimp
sudo dnf update gimp gimp-libs
# Verify installed GIMP version and update on Debian based systems
dpkg -l | grep gimp
sudo apt update && sudo apt upgrade gimp libgimp2.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

