Red Hat Product Errata
RHSA-2026:16484 - Security Advisory

Issued: 2026-05-12
Updated: 2026-05-12

Synopsis
Important: gimp security update

Type/Severity
Security Advisory: Important

Topic
An update for gimp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.

Security Fix(es):
gimp: GIMP:Memory disclosure and denial of service via specially crafted PCX image (CVE-2026-4887)
gimp: GIMP: Remote Code Execution via XPM File Parsing Integer Overflow (CVE-2026-4154)
gimp: GIMP: Remote Code Execution via ANI File Parsing Integer Overflow (CVE-2026-4151)
gimp: GIMP: Remote Code Execution via malicious JP2 file parsing (CVE-2026-4152)
GIMP: GIMP: Arbitrary code execution via specially crafted PSD file (CVE-2026-4150)
gimp: GIMP: Remote Code Execution via PSP file parsing (CVE-2026-4153)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 9 x86_64
Red Hat Enterprise Linux for Power, little endian 9 ppc64le
Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes
BZ - 2451669 - CVE-2026-4887 gimp: GIMP:Memory disclosure and denial of service via specially crafted PCX image
BZ - 2457530 - CVE-2026-4154 gimp: GIMP: Remote Code Execution via XPM File Parsing Integer Overflow
BZ - 2457532 - CVE-2026-4151 gimp: GIMP: Remote Code Execution via ANI File Parsing Integer Overflow
BZ - 2457533 - CVE-2026-4152 gimp: GIMP: Remote Code Execution via malicious JP2 file parsing
BZ - 2457535 - CVE-2026-4150 GIMP: GIMP: Arbitrary code execution via specially crafted PSD file
BZ - 2457536 - CVE-2026-4153 gimp: GIMP: Remote Code Execution via PSP file parsing

CVEs
CVE-2026-4150
CVE-2026-4151
CVE-2026-4152
CVE-2026-4153
CVE-2026-4154
CVE-2026-4887

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 9

SRPM
gimp-3.0.4-1.el9_7.5.src.rpm

x86_64
gimp-3.0.4-1.el9_7.5.x86_64.rpm
gimp-debuginfo-3.0.4-1.el9_7.5.i686.rpm
gimp-debuginfo-3.0.4-1.el9_7.5.x86_64.rpm
gimp-debugsource-3.0.4-1.el9_7.5.i686.rpm
gimp-debugsource-3.0.4-1.el9_7.5.x86_64.rpm
gimp-devel-tools-debuginfo-3.0.4-1.el9_7.5.i686.rpm
gimp-devel-tools-debuginfo-3.0.4-1.el9_7.5.x86_64.rpm
gimp-libs-3.0.4-1.el9_7.5.i686.rpm
gimp-libs-3.0.4-1.el9_7.5.x86_64.rpm
gimp-libs-debuginfo-3.0.4-1.el9_7.5.i686.rpm
gimp-libs-debuginfo-3.0.4-1.el9_7.5.x86_64.rpm

Red Hat Enterprise Linux for Power, little endian 9

SRPM
gimp-3.0.4-1.el9_7.5.src.rpm

ppc64le
gimp-3.0.4-1.el9_7.5.ppc64le.rpm
gimp-debuginfo-3.0.4-1.el9_7.5.ppc64le.rpm
gimp-debugsource-3.0.4-1.el9_7.5.ppc64le.rpm
gimp-devel-tools-debuginfo-3.0.4-1.el9_7.5.ppc64le.rpm
gimp-libs-3.0.4-1.el9_7.5.ppc64le.rpm
gimp-libs-debuginfo-3.0.4-1.el9_7.5.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 9

SRPM
gimp-3.0.4-1.el9_7.5.src.rpm

aarch64
gimp-3.0.4-1.el9_7.5.aarch64.rpm
gimp-debuginfo-3.0.4-1.el9_7.5.aarch64.rpm
gimp-debugsource-3.0.4-1.el9_7.5.aarch64.rpm
gimp-devel-tools-debuginfo-3.0.4-1.el9_7.5.aarch64.rpm
gimp-libs-3.0.4-1.el9_7.5.aarch64.rpm
gimp-libs-debuginfo-3.0.4-1.el9_7.5.aarch64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

This security update addresses multiple critical vulnerabilities in GIMP: remote or arbitrary code execution via specially crafted XPM, ANI, JP2, PSD and PSP files, and memory disclosure and denial of service via a specially crafted PCX image. The CVSS scores for the listed CVEs range from 6.1 (MEDIUM) to 7.8 (HIGH). Based on the provided NVD data, version 3.0.8 is confirmed affected for CVE-2026-4154 and CVE-2026-4151, while CVE-2026-4887 is fixed in version 3.2.0.