It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1553 advisory.

    In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters     heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A     crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code     execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c. (CVE-2022-48622)

    A flaw was found in the GIF parser of GdkPixbuf's LZW decoder. When an invalid symbol is encountered     during decompression, the decoder sets the reported output size to the full buffer length rather than the     actual number of written bytes. This logic error results in uninitialized sections of the buffer being     included in the output, potentially leaking arbitrary memory contents in the processed image.
    (CVE-2025-6199)

    A flaw exists in gdk-pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in     glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap     buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory,     potentially causing application crashes or arbitrary code execution. (CVE-2025-7345)

    A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the     JPEG image loader due to improper validation of color component counts when processing a specially crafted     JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail     generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
    (CVE-2026-5201)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2023 : gdk-pixbuf2, gdk-pixbuf2-devel, gdk-pixbuf2-modules (ALAS2023-2026-1553)

high Nessus Plugin ID 306215

Version 1.2

Version 1.1

Version 1.2 Apr 23, 2026, 4:31 AM CVE (set "CVE" coverage to "CVE-2022-48622,CVE-2025-6199,CVE-2025-7345,CVE-2026-5201") CVSS metrics ("CVSSv2 score" set to 7.2) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 7.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv2 score source (changed from "CVE-2026-5201" to "CVE-2022-48622") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin metadata Plugin Feed: 202604230431
Version 1.1 Apr 14, 2026, 3:55 AM New Plugin Feed: 202604140355