Multiple critical vulnerabilities in GIMP, including remote code execution via specially crafted XPM, JP2, PSP, and PSD files, as well as memory disclosure/denial of service via PCX files. The CVSS scores for these issues range from 6.1 (Medium) to 7.8 (High). Affected versions include GIMP 3.0.8 and versions prior to 3.2.0, with the fix requiring an upgrade to version 3.2.0.
Red Hat Product Errata RHSA-2026:20691 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20691 - Security Advisory Overview Updated Packages Synopsis Important: gimp security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for gimp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Security Fix(es): gimp: GIMP:Memory disclosure and denial of service via specially crafted PCX image (CVE-2026-4887) gimp: GIMP: Remote Code Execution via XPM File Parsing Integer Overflow (CVE-2026-4154) gimp: GIMP: Remote Code Execution via malicious JP2 file parsing (CVE-2026-4152) GIMP: GIMP: Arbitrary code execution via specially crafted PSD file (CVE-2026-4150) gimp: GIMP: Remote Code Execution via PSP file parsing (CVE-2026-4153) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x Fixes BZ - 2451669 - CVE-2026-4887 gimp: GIMP:Memory disclosure and denial of service via specially crafted PCX image BZ - 2457530 - CVE-2026-4154 gimp: GIMP: Remote Code Execution via XPM File Parsing Integer Overflow BZ - 2457533 - CVE-2026-4152 gimp: GIMP: Remote Code Execution via malicious JP2 file parsing BZ - 2457535 - CVE-2026-4150 GIMP: GIMP: Arbitrary code execution via specially crafted PSD file BZ - 2457536 - CVE-2026-4153 gimp: GIMP: Remote Code Execution via PSP file parsing CVEs CVE-2026-4150 CVE-2026-4152 CVE-2026-4153 CVE-2026-4154 CVE-2026-4887 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 SRPM gimp-2.99.8-3.el9_0.6.src.rpm SHA-256: eaae372e7ffb4aefe7a24a88b5550094fe3c903daa258b3926eeef24c83158d7 ppc64le gimp-2.99.8-3.el9_0.6.ppc64le.rpm SHA-256: c719d1e896ecb9d7f9ef1e35625a6a5fcebd839a11f604c0f051a76c22251dca gimp-debuginfo-2.99.8-3.el9_0.6.ppc64le.rpm SHA-256: b6be6f11dba5ee870a364772b51cdc6c4a3ac026e75f0d92f12433284a176de7 gimp-debugsource-2.99.8-3.el9_0.6.ppc64le.rpm SHA-256: 94638c23df41de3bbf5fd91509fe14fa6ffc7e7ad64f7e7705ddfab436b34080 gimp-devel-tools-debuginfo-2.99.8-3.el9_0.6.ppc64le.rpm SHA-256: 6bba10f82b46441fca7b14cd503b69d746c17446f9445fa2c96e3337a3790059 gimp-libs-2.99.8-3.el9_0.6.ppc64le.rpm SHA-256: 423335d5fb8ef16cc83b09b7d6414764cbf5be18c74163fab83ca0ab97f7f546 gimp-libs-debuginfo-2.99.8-3.el9_0.6.ppc64le.rpm SHA-256: 340bc3f873d142a57aa7a953c57c88668b87753d0e5b6549439399fcdad4b759 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 SRPM gimp-2.99.8-3.el9_0.6.src.rpm SHA-256: eaae372e7ffb4aefe7a24a88b5550094fe3c903daa258b3926eeef24c83158d7 x86_64 gimp-2.99.8-3.el9_0.6.x86_64.rpm SHA-256: 741a580aa7ab770d882a10155455cfb660d5a86268bf2ef3af2a7a7a73c55c35 gimp-debuginfo-2.99.8-3.el9_0.6.i686.rpm SHA-256: e637c02277bbb5b4270bc2b910841831f7e4c76b22942d467130fea47583e6f9 gimp-debuginfo-2.99.8-3.el9_0.6.x86_64.rpm SHA-256: 40666c524bd39530c905d445dda401c609b9dfafe0c89b386bb8547aa40e3db3 gimp-debugsource-2.99.8-3.el9_0.6.i686.rpm SHA-256: c6c2c83f5a9014eb044ab015f1a87689b9b26af8a87c118a5d3f4c0dc4ba1a8d gimp-debugsource-2.99.8-3.el9_0.6.x86_64.rpm SHA-256: dcdf15288ae6833efd1f197f8ccb0cfd089378456abd327249c5a1d3084eba30 gimp-devel-tools-debuginfo-2.99.8-3.el9_0.6.i686.rpm SHA-256: 04d8da6d6b01a65dc82b49c3caec0100faf591b4e3a02642a391337a44846f96 gimp-devel-tools-debuginfo-2.99.8-3.el9_0.6.x86_64.rpm SHA-256: 93afc578c245235e653d8c91c829f78655a19afd5942f8d000562d291d927f80 gimp-libs-2.99.8-3.el9_0.6.i686.rpm SHA-256: 344ef5f25334bd7afdb93e45fb3811bd5167546101d32b99232bfb99623de11b gimp-libs-2.99.8-3.el9_0.6.x86_64.rpm SHA-256: 234b88e55293026e15f13c62d7cb08ecdc9af800cb4679ee4e12051f11a1c084 gimp-libs-debuginfo-2.99.8-3.el9_0.6.i686.rpm SHA-256: 4c56877d6c2d36465b0089b84d00e94b962aebc3273cae5eb4dd1fd997930584 gimp-libs-debuginfo-2.99.8-3.el9_0.6.x86_64.rpm SHA-256: 43d0c49cc650cbc745a46c3a89c3a443661829f91503b7248ed8faf5b6620f48 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 SRPM gimp-2.99.8-3.el9_0.6.src.rpm SHA-256: eaae372e7ffb4aefe7a24a88b5550094fe3c903daa258b3926eeef24c83158d7 aarch64 gimp-2.99.8-3.el9_0.6.aarch64.rpm SHA-256: 1a2f3856311b4265ad8abb886a3a35f3d8d0b6c5b52584cb4fb32730201019de gimp-debuginfo-2.99.8-3.el9_0.6.aarch64.rpm SHA-256: de1b853d4dd12acfe5805387823cb885ed6bcde9de9ba9663f095efbff0eec81 gimp-debugsource-2.99.8-3.el9_0.6.aarch64.rpm SHA-256: 89f64f494d3ae5925f779091a821b0ae2fa4b93a5c10e394cafc10377cda9db4 gimp-devel-tools-debuginfo-2.99.8-3.el9_0.6.aarch64.rpm SHA-256: 9e233d59846f0aae57f701d8a4c402398eedab37eb6a8af43b65c8301affc244 gimp-libs-2.99.8-3.el9_0.6.aarch64.rpm SHA-256: 9b50d4ec3ce512b5b3b953995e8ff15dd21d616be2f911ba90c4cbaf37ba39dc gimp-libs-debuginfo-2.99.8-3.el9_0.6.aarch64.rpm SHA-256: 26e4fd21ce609eb0bf1df05385e114e0d4a83bc86686552081755b3075943450 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 SRPM gimp-2.99.8-3.el9_0.6.src.rpm SHA-256: eaae372e7ffb4aefe7a24a88b5550094fe3c903daa258b3926eeef24c83158d7 s390x gimp-2.99.8-3.el9_0.6.s390x.rpm SHA-256: 39c39610c69324ce9c74381bec7228b425bc6415ad51db06aee044b3bb1f5aae gimp-debuginfo-2.99.8-3.el9_0.6.s390x.rpm SHA-256: 6da881c418efcbcec4bcc1a468c81fa87191ebfd14b93d3912077128e6baa649 gimp-debugsource-2.99.8-3.el9_0.6.s390x.rpm SHA-256: e8201249ceb7bec69ecc54a87bfc5c468caf226df40288920673dba81d3a74eb gimp-devel-tools-debuginfo-2.99.8-3.el9_0.6.s390x.rpm SHA-256: 4241d23ce0958fbc6551131f49a04b222582ca0e75e3c9f3b0ed81d227d0c4b9 gimp-libs-2.99.8-3.el9_0.6.s390x.rpm SHA-256: c2ebfa75f495c07b4c06aa5c92b234027c1e18b3cf75f2be8165bb06c948dc77 gimp-libs-debuginfo-2.99.8-3.el9_0.6.s390x.rpm SHA-256: 9c058c5f2ac3afb9fa4e47535d99f788a9bf5c4e6e40086520d56a1639398097 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .