GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:4173 advisory.

    * gimp: GIMP: Remote code execution via heap-based buffer overflow in ICNS file parsing (CVE-2026-2047)
      * gimp: GIMP: Remote Code Execution via uninitialized memory in PGM file parsing (CVE-2026-2044)
      * gimp: GIMP: Remote Code Execution via out-of-bounds write in XWD file parsing (CVE-2026-2045)
      * gimp: GIMP: Remote Code Execution via ICO File Parsing Vulnerability (CVE-2026-0797)
      * gimp: GIMP: Remote Code Execution via XWD file parsing vulnerability (CVE-2026-2048)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:4173 advisory.

    * gimp: GIMP: Remote code execution via heap-based buffer overflow in ICNS file parsing (CVE-2026-2047)

    * gimp: GIMP: Remote Code Execution via uninitialized memory in PGM file parsing (CVE-2026-2044)

    * gimp: GIMP: Remote Code Execution via out-of-bounds write in XWD file parsing (CVE-2026-2045)

    * gimp: GIMP: Remote Code Execution via ICO File Parsing Vulnerability (CVE-2026-0797)

    * gimp: GIMP: Remote Code Execution via XWD file parsing vulnerability (CVE-2026-2048)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-4173 advisory.

    - fix CVE-2026-0797
    - fix CVE-2026-2044
    - fix CVE-2026-2045
    - fix CVE-2026-2047

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4173 advisory.

    The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a     large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and     anti-aliasing, and conversions, all with multi-level undo.

    Security Fix(es):

    * gimp: GIMP: Remote code execution via heap-based buffer overflow in ICNS file parsing (CVE-2026-2047)

    * gimp: GIMP: Remote Code Execution via uninitialized memory in PGM file parsing (CVE-2026-2044)

    * gimp: GIMP: Remote Code Execution via out-of-bounds write in XWD file parsing (CVE-2026-2045)

    * gimp: GIMP: Remote Code Execution via ICO File Parsing Vulnerability (CVE-2026-0797)

    * gimp: GIMP: Remote Code Execution via XWD file parsing vulnerability (CVE-2026-2048)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6156 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6156-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     March 03, 2026                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : gimp     CVE ID         : CVE-2026-0797 CVE-2026-2044 CVE-2026-2045 CVE-2026-2048                      CVE-2026-2047

    Several vulnerabilities were discovered in GIMP, the GNU Image     Manipulation Program, which could result in denial of service or     potentially the execution of arbitrary code if malformed XWD, ICNS, PGM     or ICO files are opened.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 2.10.34-1+deb12u9.

    For the stable distribution (trixie), these problems have been fixed in     version 3.0.4-3+deb13u7.

    We recommend that you upgrade your gimp packages.

    For the detailed security status of gimp please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/gimp

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability     allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is     required to exploit this vulnerability in that the target must visit a malicious page or open a malicious     file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper     validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can     leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.
    (CVE-2026-0797)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0442-1 advisory.

    - CVE-2026-0797: Fixed a heap-based buffer overflow in the parsing of ICO files. (bsc#1257549)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
301888	AlmaLinux 9 : gimp (ALSA-2026:4173)	Nessus	Alma Linux Local Security Checks	high
301817	RockyLinux 9 : gimp (RLSA-2026:4173)	Nessus	Rocky Linux Local Security Checks	high
301735	Oracle Linux 9 : gimp (ELSA-2026-4173)	Nessus	Oracle Linux Local Security Checks	high
301732	RHEL 9 : gimp (RHSA-2026:4173)	Nessus	Red Hat Local Security Checks	high
300806	Debian dsa-6156 : gimp - security update	Nessus	Debian Local Security Checks	high
299702	Linux Distros Unpatched Vulnerability : CVE-2026-0797	Nessus	Misc.	high
298749	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gimp (SUSE-SU-2026:0442-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2026-0797

high

Tenable Plugins

high

high

high

high

high

high

high