GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25082.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20055-1 advisory.

    Changes in gimp:

    Update to 3.0.6:

      - Security:

        - During development, we received reports from the Zero Day           Initiative of potential security issues with some of our file           import plug-ins. While these issues are very unlikely to           occur with real files, developers like Jacob Boerema and Alx           Sa proactively improved security for those imports.
          The resolved reports are:
          - ZDI-CAN-27793
          - ZDI-CAN-27823
          - ZDI-CAN-27836
          - ZDI-CAN-27878
          - ZDI-CAN-27863
          - ZDI-CAN-27684

      - Core:

        - Many false-positive build warnings have been cleaned out (and           proper issues fixed).
        - Various crashes fixed.
        - When creating a layer mask from the layer's alpha, but the           layer has no alpha, simply fill the mask with complete           opacity instead of a completely transparent layer.
        - Various core infrastructure code reviewed, cleaned up,           refactored and improved, in drawable, layer and filter           handling code, tree view code, and more.
        - GIMP_ICONS_LIKE_A_BOSS environment variable is not working           anymore (because gtk-menu-images and gtk-button-images           have been deprecated in GTK3 and removed in GTK4) and was           therefore removed.
        - Lock Content now shows as an undo step.
        - Add alpha channel for certain transforms.
        - Add alpha channel on filter merge, when necessary.
        - Filters can now be applied non-destructively on channels.
        - Improved Photoshop brush support.
        - After deleting a palette entry, the next entry is           automatically selected. This allows easily deleting several           entries in a row, among other usage.
        - Resize image to layers irrespective to selections.
        - Improved in-GUI release notes' demo script language:

          - We can now set a button value to click it: toolbox:text,             tool-options:outline=1, tool-options:outline-direction
          - Color selector's module names can be used as identifiers:
            color-editor,color-editor:CMYK=1,color-editor:total-ink-coverage

        - Fixed Alpha to Selection on single layers with no           transparency.
        - Various code is slowly ported to newer code, preparing for           GTK4 port (in an unplanned future step):

          - Using g_set_str() (optionally redefining it in our core             code to avoid bumping the GLib minimum requirement).
          - Start using GListModel in various pieces of code, in             particular getting rid of more and more usage of             GtkTreeView when possible (as it will be deprecated with             GTK4).
          - New GimpRow class for all future row widgets.
          - Use more of G_DECLARE_DERIVABLE_TYPE and             G_DECLARE_FINAL_TYPE where relevant.
          - New GimpContainerListView using a GtkListBox.
          - New GimpRowSeparator, GimpRowSettings, GimpRowFilter and             GimpRowDrawableFilter widgets.

        - (Experimental) GEX Format was updated.
        - Palette import:

          - Set alpha value for image palette imports.
          - Fix Lab & CMYK ACB palette import.
          - Add palette format filters to import dialog, making it more             apparent what palette formats are supported, and giving the             ability to hide irrelevant files.

        - Improved filter actions' sensitivity to make sure they are           set insensitive when relevant. In particular filters which           cannot be run non-destructively (e.g. filters with aux           inputs, non-interactive filters and GEGL Graph) must be           insensitive when trying to run them on group layers.
        - Fix bad axis centering on zoom out.
        - Export better SVG when exporting paths.

      - Tools:

        - Text tool: make sure the default color is only changed when           the user confirms the color change.
        - Foreground Selection tool: do not create a selection when no           strokes has been made. In particular this removes the           unnecessary delay which happened when switching to another           tool without actually stroking anything.
        - All Transform tools: transform boundaries for preview is now           multi-layers aware.
        - (Experimental) Seamless Clone tool: made to work again,           though it is still too slow to get out of Playground.

      - Graphical User Interface:

        - Various improvements to window management:

          - Keep-Above windows are set with the Utility hint.
          - Utility windows are not made transient to a parent.
          - Transient factory dialogs follow the active display,             ensuring that new image windows would not hide your toolbox             and dock windows.

        - Various CSS improvements for styling of the interface. Some           theme leaks were also fixed.
        - New toggle button in Brushes and Fonts dockable, allowing           brush and font previews to optionally follow the color theme.
          For instance, when using a dark theme, the brush and font           previews could be drawn on the theme background, using the           theme foreground colors. By default, these data previews are           still drawn as black on white.
        - Palette grid is now drawn with the theme's background color.
        - Consistent naming patterns on human-facing options (first           word only capitalized).
        - About dialog:

          - We will now display the date and time of the last check in             a Up to date as of <date> at <time> string, differing             from the Last checked on <date> at <time> string. The             former will be used to indicate that GIMP is indeed             up-to-date whereas the latter when a new version was             released and that you should update.
          - We now respect the system time/date format on macOS and             Windows.

        - The search popup won't pop up without an image.
        - Better zoom step algorithm for data previews in container           popup (e.g. the brush popup in paint Tool Options).
        - Disable animation in the Input Controller, Preferences and           Welcome dialogs for stack transition when animation are           disabled in system settings.
        - Fixed crosshair hotspot on Windows (crosshair cursor for           brushes was offset with a non-100% display scale factor).
        - Debug/CRITICAL dialog:

          - Make sure it is non-modal.
          - Follow the theme mode under Windows.

        - While loading images, all widgets in the file dialog are made           insensitive, except for the Cancel button and the progress           bar.
        - Both grid and list views can now zoom via scroll and zoom           gestures (it used to only work in list views).
        - Pop an error message up on startup when GIO modules to read           HTTPS links are not found and that we therefore fail to load           the remote gimp_versions.json file. With the AppImage package           in particular, we depend on an environment daemon which           cannot be shipped in the package. So the next best thing is           to warn people and tell them what they should install to get           version checks.
        - Welcome dialog:

          - The Community Tutorials link is now shown after the             Documentation link.
          - The Learn more link in Release Notes tab leads to the             actual release news for this version.

      - Plug-ins:

        - PDF export: do not draw disabled layer masks.
        - Jigsaw: the plug-in can now draw on transparent layers.
        - Various file format fixes and improvements: JPEG 2000 import,           TIFF import, DDS import, SVG import, PSP import, FITS export,           ICNS import, Dicom import, WBMP import, Farbfeld import, XWD           import, ILBM import.
        - Sphere Designer: use spin scale instead of spin entries (the           latter is unusable with little horizontal space).
        - Animation Play: frames are shown again in the playback           progress bar.
        - Vala Goat Exercise: ignoring C warning in this Vala plug-in           as it is generated code and we cannot control it.
        - file-gih: brush pipe selection modes now have nice,           translatable names.
        - Metadata viewer: port from GtkTreeView to GtkListBox.
        - File Raw Data: reduce Raw Data load dialogue height by moving           to a 2-column layout.
        - SVG import: it is now possible to break aspect ratio with           specific width/height arguments, when calling the PDB           procedure non-interactively (from other plug-ins).
        - Print: when run through a portal print dialog, the Image           Settings will be exposed as a secondary dialog, outputted           after the portal dialog, instead of a tab on the main print           dialog (because it is not possible to tweak the print dialog           when it is created by a portal). This will bring back usable           workflow of printing with GIMP when run in a sandbox (e.g.
          Flatpak or Snap).
        - Recompose: fixed for YCbCr decomposed images.
        - Fixed vulnerabilities: ZDI-CAN-27684, ZDI-CAN-27863,           ZDI-CAN-27878, ZDI-CAN-27836, ZDI-CAN-27823, ZDI-CAN-27793.
        - C Source and HTML export can now be run non-interactively too           (e.g. from other plug-ins).
        - Map Object: fix missing spin boxes.
        - Small Tiles: fix display lag.

    - CVE-2025-10925: Fix GIMP ILBM file parsing stack-based buffer overflow remote code       execution vulnerability. (ZDI-25-914, ZDI-CAN-27793, bsc#1250501)

    - CVE-2025-10922: Fix GIMP DCM file parsing heap-based buffer overflow remote code       execution vulnerability.  (ZDI-25-911, ZDI-CAN-27863, bsc#1250497)

    - CVE-2025-10920: Prevent overflow attack by checking if output >= max, not just       output > max. (ZDI-25-909, ZDI-CAN-27684, bsc#1250495)

    - CVE-2025-10924: Fix integer overflow while parsing FF files. (bsc#1250499)

    - CVE-2025-2760: A vulnerability allows remote attackers to execute arbitrary       code on affected installations of GIMP. The specific flaw exists       within parsing of XWD files. An integer overflow happens before       allocating a buffer. This fixed in GIMP 3.0.0.
      https://www.gimp.org/news/2025/03/16/gimp-3-0-released       (bsc#1241690)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0383 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2025-2761:
    GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows     remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required     to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

    The specific flaw exists within the parsing of FLI files. The issue results from the lack of proper     validation of user-supplied data, which can result in a write past the end of an allocated buffer. An     attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-     CAN-25100.

    CVE-2025-2760:
    GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows     remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required     to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

    The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper     validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An     attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-     CAN-25082.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6043 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6043-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     October 28, 2025                      https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : gimp     CVE ID         : CVE-2025-2760 CVE-2025-6035 CVE-2025-10922

    Several vulnerabilities were discovered in GIMP, the GNU Image     Manipulation Program, which could result in denial of service or     potentially the execution of arbitrary code if malformed DICOM or DDS     images are opened.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 2.10.34-1+deb12u4.

    We recommend that you upgrade your gimp packages.

    For the detailed security status of gimp please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/gimp

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4342 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4342-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Sylvain Beucler     October 22, 2025                              https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : gimp     Version        : 2.10.22-4+deb11u3     CVE ID         : CVE-2025-2760 CVE-2025-2761 CVE-2025-5473 CVE-2025-6035                      CVE-2025-10922 CVE-2025-48797 CVE-2025-48798     Debian Bug     : 1105005 1107758 1116459

    Several vulnerabilities were discovered in GIMP, the GNU Image     Manipulation Program, which could result in denial of service or     potentially the execution of arbitrary code if malformed DDS, FLI,     ICO, DICOM, TGA or XCF images are opened, or when using the Despeckle     plug-in on a very large image.

    CVE-2025-2760

        GIMP XWD File Parsing Integer Overflow Remote Code Execution         Vulnerability. The specific flaw exists within the parsing of XWD         files. The issue results from the lack of proper validation of         user-supplied data, which can result in an integer overflow before         allocating a buffer. An attacker can leverage this vulnerability         to execute code in the context of the current process. Was         ZDI-CAN-25082.

    CVE-2025-2761

        GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution         Vulnerability. The specific flaw exists within the parsing of FLI         files. The issue results from the lack of proper validation of         user-supplied data, which can result in a write past the end of an         allocated buffer. An attacker can leverage this vulnerability to         execute code in the context of the current process. Was         ZDI-CAN-25100.

    CVE-2025-5473

        GIMP ICO File Parsing Integer Overflow Remote Code Execution         Vulnerability. The specific flaw exists within the parsing of ICO         files. The issue results from the lack of proper validation of         user-supplied data, which can result in an integer overflow before         writing to memory. An attacker can leverage this vulnerability to         execute code in the context of the current process. Was         ZDI-CAN-26752.

    CVE-2025-6035

        An integer overflow vulnerability exists in the GIMP Despeckle         plug-in. The issue occurs due to unchecked multiplication of image         dimensions, such as width, height, and bytes-per-pixel (img_bpp),         which can result in allocating insufficient memory and         subsequently performing out-of-bounds writes. This issue could         lead to heap corruption, a potential denial of service (DoS), or         arbitrary code execution in certain scenarios.

    CVE-2025-10922

        ZDI-CAN-27863: GIMP DCM File Parsing Heap-based Buffer Overflow         Remote Code Execution Vulnerability

    CVE-2025-48797

        Flaw when processing certain TGA image files. If a user opens one         of these image files that has been specially crafted by an         attacker, GIMP can be tricked into making serious memory errors,         potentially leading to crashes and causing a heap buffer overflow.

    CVE-2025-48798

        Flaw when processing XCF image files. If a user opens one of these         image files that has been specially crafted by an attacker, GIMP         can be tricked into making serious memory errors, potentially         leading to crashes and causing use-after-free issues.

    For Debian 11 bullseye, these problems have been fixed in version     2.10.22-4+deb11u3.

    We recommend that you upgrade your gimp packages.

    For the detailed security status of gimp please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/gimp

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:03075-1 advisory.

    - CVE-2025-2760: lack of proper validation of user-supplied data in DDS parser can lead to integer     overflow and remote       code execution (bsc#1241690).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows     remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required     to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The     specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation     of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can     leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25082.
    (CVE-2025-2760)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5939 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5939-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     June 06, 2025                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : gimp     CVE ID         : CVE-2025-2760 CVE-2025-2761 CVE-2025-48797 CVE-2025-48798

    Several vulnerabilities were discovered in GIMP, the GNU Image     Manipulation Program, which could result in denial of service or     potentially the execution of arbitrary code if malformed XCF, TGA, DDS,     FLI or ICO files are opened.

    For the stable distribution (bookworm), these problems have been fixed in     version 2.10.34-1+deb12u3.

    We recommend that you upgrade your gimp packages.

    For the detailed security status of gimp please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/gimp

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the da0a4374-3fc9-11f0-a39d-b42e991fc52e advisory.

    zdi-disclosures@trendmicro.com reports:
    GIMP XWD File Parsing Integer Overflow Remote Code Execution             Vulnerability.  This vulnerability allows remote attackers to execute             arbitrary code on affected installations of GIMP.  User interaction             is required to exploit this vulnerability in that the target must             visit a malicious page or open a malicious file.
            The specific flaw exists within the parsing of XWD files.  The issue             results from the lack of proper validation of user-supplied data,             which can result in an integer overflow before allocating a buffer.
            An attacker can leverage this vulnerability to execute code in the             context of the current process.  Was ZDI-CAN-25082.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
291313	openSUSE 16 Security Update : gimp (openSUSE-SU-2026:20055-1)	Nessus	SuSE Local Security Checks	high
276287	TencentOS Server 4: gimp (TSSA-2025:0383)	Nessus	Tencent Local Security Checks	high
271933	Debian dsa-6043 : gimp - security update	Nessus	Debian Local Security Checks	high
271202	Debian dla-4342 : gimp - security update	Nessus	Debian Local Security Checks	high
261519	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gimp (SUSE-SU-2025:03075-1)	Nessus	SuSE Local Security Checks	high
255739	Linux Distros Unpatched Vulnerability : CVE-2025-2760	Nessus	Misc.	high
237912	Debian dsa-5939 : gimp - security update	Nessus	Debian Local Security Checks	high
237700	FreeBSD : Gimp -- GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability (da0a4374-3fc9-11f0-a39d-b42e991fc52e)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2025-2760

high

Tenable Plugins

high

high

high

high

high

high

high

high