usn-8057-1
Vulnerability from osv_ubuntu
Published
2026-02-23 20:09
Modified
2026-06-30 15:54
Summary
gimp vulnerabilities
Details

Hanno Böck discovered that GIMP allocated FLI images using only the information present in the file header, which allowed for a maliciously- crafted file to cause out-of-bounds writes. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-17785)

Michael Randrianantenaina discovered that that opening a maliciously crafted FLI file could cause GIMP to index out-of-bounds. An attacker could possibly use this issue to cause a denial or service or execute arbitrary code. (CVE-2025-2761)

It was discovered that opening a maliciously-crafted DCM file could cause GIMP to index out-of-bounds. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2025-10922)

It was discovered that GIMP's JP2 parser did not account for precision when allocating an image buffer. An attacker could possibly use this to cause a denial of service or execute arbitrary code when a maliciously crafted file is opened. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2025-14425)

It was discovered that GIMP's PSP parser erroneously queried the color channels of a greyscale image, which resulted in an invalid memory pointer. An attacker could possibly use this to cause a denial of service or execute arbitrary code when a maliciously-crafted file is opened. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15059)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2017-17785",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-2761",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-10922",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-14425",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:16.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "gimp",
            "binary_version": "2.8.16-1ubuntu1.1+esm1"
          },
          {
            "binary_name": "gimp-data",
            "binary_version": "2.8.16-1ubuntu1.1+esm1"
          },
          {
            "binary_name": "libgimp2.0",
            "binary_version": "2.8.16-1ubuntu1.1+esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "name": "gimp",
        "purl": "pkg:deb/ubuntu/gimp@2.8.16-1ubuntu1.1+esm1?arch=source\u0026distro=esm-apps/xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.16-1ubuntu1.1+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.8.14-1ubuntu2",
        "2.8.14-1.2ubuntu1",
        "2.8.16-1ubuntu1",
        "2.8.16-1ubuntu1.1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2025-2761",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-10922",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-14425",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:18.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "gimp",
            "binary_version": "2.8.22-1ubuntu0.1~esm1"
          },
          {
            "binary_name": "gimp-data",
            "binary_version": "2.8.22-1ubuntu0.1~esm1"
          },
          {
            "binary_name": "libgimp2.0",
            "binary_version": "2.8.22-1ubuntu0.1~esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "gimp",
        "purl": "pkg:deb/ubuntu/gimp@2.8.22-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.22-1ubuntu0.1~esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.8.20-1",
        "2.8.20-1.1",
        "2.8.20-2",
        "2.8.22-1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2025-2761",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-10922",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-14425",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:20.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "gimp",
            "binary_version": "2.10.18-1ubuntu0.1+esm1"
          },
          {
            "binary_name": "gimp-data",
            "binary_version": "2.10.18-1ubuntu0.1+esm1"
          },
          {
            "binary_name": "libgimp2.0",
            "binary_version": "2.10.18-1ubuntu0.1+esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:20.04:LTS",
        "name": "gimp",
        "purl": "pkg:deb/ubuntu/gimp@2.10.18-1ubuntu0.1+esm1?arch=source\u0026distro=esm-apps/focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.18-1ubuntu0.1+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.10.8-2",
        "2.10.14-2",
        "2.10.14-2build1",
        "2.10.14-2ubuntu1",
        "2.10.14-3",
        "2.10.18-1",
        "2.10.18-1ubuntu0.1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2025-2761",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-10922",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-14425",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-15059",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:22.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "gimp",
            "binary_version": "2.10.30-1ubuntu0.1+esm1"
          },
          {
            "binary_name": "gimp-data",
            "binary_version": "2.10.30-1ubuntu0.1+esm1"
          },
          {
            "binary_name": "libgimp2.0",
            "binary_version": "2.10.30-1ubuntu0.1+esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:22.04:LTS",
        "name": "gimp",
        "purl": "pkg:deb/ubuntu/gimp@2.10.30-1ubuntu0.1+esm1?arch=source\u0026distro=esm-apps/jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.30-1ubuntu0.1+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.10.24-2",
        "2.10.28-1",
        "2.10.30-1",
        "2.10.30-1build1",
        "2.10.30-1ubuntu0.1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2025-2761",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-10922",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-14425",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2025-15059",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:24.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "gimp",
            "binary_version": "2.10.36-3ubuntu0.24.04.1+esm1"
          },
          {
            "binary_name": "gimp-data",
            "binary_version": "2.10.36-3ubuntu0.24.04.1+esm1"
          },
          {
            "binary_name": "libgimp2.0t64",
            "binary_version": "2.10.36-3ubuntu0.24.04.1+esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:24.04:LTS",
        "name": "gimp",
        "purl": "pkg:deb/ubuntu/gimp@2.10.36-3ubuntu0.24.04.1+esm1?arch=source\u0026distro=esm-apps/noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.36-3ubuntu0.24.04.1+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.10.34-1",
        "2.10.36-1",
        "2.10.36-2",
        "2.10.36-3build2",
        "2.10.36-3build3",
        "2.10.36-3ubuntu0.24.04.1"
      ]
    }
  ],
  "aliases": [],
  "details": "Hanno B\u00f6ck discovered that GIMP allocated FLI images using only the\ninformation present in the file header, which allowed for a maliciously-\ncrafted file to cause out-of-bounds writes. An attacker could possibly use\nthis issue to cause a denial of service or execute arbitrary code. This\nissue only affected Ubuntu 16.04 LTS. (CVE-2017-17785)\n\nMichael Randrianantenaina discovered that that opening a maliciously\ncrafted FLI file could cause GIMP to index out-of-bounds. An attacker could\npossibly use this issue to cause a denial or service or execute arbitrary\ncode. (CVE-2025-2761)\n\nIt was discovered that opening a maliciously-crafted DCM file could cause\nGIMP to index out-of-bounds. An attacker could possibly use this issue to\ncause a denial of service or execute arbitrary code. (CVE-2025-10922)\n\nIt was discovered that GIMP\u0027s JP2 parser did not account for precision when\nallocating an image buffer. An attacker could possibly use this to cause a\ndenial of service or execute arbitrary code when a maliciously crafted file\nis opened. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and\nUbuntu 24.04 LTS. (CVE-2025-14425)\n\nIt was discovered that GIMP\u0027s PSP parser erroneously queried the color\nchannels of a greyscale image, which resulted in an invalid memory pointer.\nAn attacker could possibly use this to cause a denial of service or execute\narbitrary code when a maliciously-crafted file is opened. This issue only\naffected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-15059)",
  "id": "USN-8057-1",
  "modified": "2026-06-30T15:54:50Z",
  "published": "2026-02-23T20:09:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8057-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2017-17785"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-2761"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-10922"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-14425"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2025-15059"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "gimp vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2017-17785",
    "UBUNTU-CVE-2025-2761",
    "UBUNTU-CVE-2025-10922",
    "UBUNTU-CVE-2025-14425",
    "UBUNTU-CVE-2025-15059"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…