Multiple vulnerabilities (CVE-2026-4150, CVE-2026-4151, CVE-2026-4152, CVE-2026-4153) in GIMP allow denial of service or arbitrary code execution when processing malformed PSP, JPEG 2000, PSD, or ANI files. The CVSS score for the documented CVEs is 7.8, and GIMP version 3.0.8 is specifically listed as affected. For Debian stable (trixie), the issue is fixed in gimp version 3.0.4-3+deb13u8, and for oldstable (bookworm) in version 2.10.34-1+deb12u10.
[SECURITY] [DSA 6215-1] gimp security update To : debian-security-announce@lists.debian.org Subject : [SECURITY] [DSA 6215-1] gimp security update From : Moritz Muehlenhoff < jmm@debian.org > Date : Fri, 17 Apr 2026 21:18:14 +0000 Message-id : < [🔎] aeKjlqllGXHdy9u_@seger.debian.org > Reply-to : debian-security-announce-request@lists.debian.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6215-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 17, 2026 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : gimp CVE ID : CVE-2026-4150 CVE-2026-4151 CVE-2026-4152 CVE-2026-4153 Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed PSP, JPEG 2000, PSD or ANI files are opened. For the oldstable distribution (bookworm), these problems have been fixed in version 2.10.34-1+deb12u10. For the stable distribution (trixie), these problems have been fixed in version 3.0.4-3+deb13u8. We recommend that you upgrade your gimp packages. For the detailed security status of gimp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gimp Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmniolgACgkQEMKTtsN8 TjaFZBAAnWF8q3PvwSYqP6Wt2SEJolBS5/BCJq4hmFZE/NOsHLXJnFJ44zueVxu9 R4JTCOxSe31x42RyEWQk1OsXnbj4UX7/KOJw4AV9ZI1BNNnrX+uSjmPJfYbQmALL +5wp1Qud1cPLivcksWOk9h1yfVekpLRJsDlDimkYbVBE55R9w7+biirBt4KshLl/ o5vZ9LSXYRlWAsAgLiitd2vTZpLjavHIt0SP3jsv+VaxWFu1ZAkNIZ6XdoN5dS4C JGrQX70uVEF7iZ/yFMlAD8t3r8hQ8sYaub63aumOkdSr1UcARi34Leg+EY7+yUAW Aehpb0WiNoU37ZksqlcPDgHOVFVumV1UiQgbMnLTpqC5H1gNvy0DpEQ3SkkxJdqs LR3QmyIqpNa/v/ihJSEUCAMU0erGfagFufWaQk4EUJoiIQ8/vFF1D97jDjSImRTv Z+CeqtlxOiUCgVNXhLvsHFfMkn6TbGfEdlToceyr8bbenpWaVj9slibTozFMr9Ij IzcLxDM4V5XZmwcRJVeuqkrthDFCls6iTCJNqjIkPMj7siT8pmHUxMNSUfUNyzPO 8nk1Ecz+7NwacVjzz/G8gqVyr9XR5k2Mc2luBvk3Ys1RFGxm6uC0wpi+f0Hh1xpf PabEIJjvRKQLIMgetKcJenlepm5YIRZ5GniPIRplGcFhUsWAfr4= =oEN1 -----END PGP SIGNATURE----- Reply to: debian-security-announce@lists.debian.org Moritz Muehlenhoff (on-list) Moritz Muehlenhoff (off-list) Prev by Date: [SECURITY] [DSA 6214-1] chromium security update Next by Date: [SECURITY] [DSA 6216-1] opam security update Previous by thread: [SECURITY] [DSA 6214-1] chromium security update Next by thread: [SECURITY] [DSA 6216-1] opam security update Index(es): Date Thread