Critical Remote Code Execution in GIMP PSD Parsing (CVE‑2026‑4150) Threatens Graphic Design Workflows
What It Is – A newly disclosed integer‑overflow flaw in GIMP’s PSD file parser (CVE‑2026‑4150) allows an attacker to execute arbitrary code on the host running the vulnerable version of the open‑source image editor. The vulnerability is rated CVSS 7.8 (High) and requires the victim to open a crafted PSD file or view a malicious web page that triggers the parser.
Exploitability – No public exploit code has been released, but the advisory notes that the attack vector is local (AV:L, i.e., the crafted file must be opened on the host) and low‑complexity, with no privileges required (PR:N). Successful exploitation yields full user‑level code execution with high confidentiality, integrity and availability impact (C:H/I:H/A:H).
Affected Products – GIMP (all versions prior to the March 2026 security patch).
TPRM Impact – Organizations that embed GIMP in internal pipelines, SaaS platforms that process user‑uploaded images, and managed‑service providers that rely on GIMP for graphic generation are exposed to potential supply‑chain compromise. A compromised host could be leveraged to pivot into broader network assets, exfiltrate data, or serve as a foothold for ransomware.
Recommended Actions –
- Deploy the March 2026 GIMP update immediately across all endpoints and CI/CD containers.
- Block or sandbox PSD files from untrusted sources until the patch is verified.
- Enable application‑allow‑list policies to restrict GIMP execution to approved binaries.
- Monitor process‑creation logs for unexpected GIMP launches and anomalous child processes.
- Review third‑party risk registers to flag any vendors that embed GIMP in their services.
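The process‑creation monitoring action above, as an added example that is not part of the advisory: it walks each event's ancestry in a constructed JSON process log and flags shells or download tools that descend from a GIMP process (the GIMP image names, plug‑in paths and deny list are assumptions to tune per environment).

```python
"""Flag shells/download tools whose ancestry leads back to a GIMP process."""
import json
import os
from typing import Dict, List

# Binaries that identify GIMP itself (constructed; adjust to the installed version).
GIMP_IMAGES = {"gimp", "gimp-2.10", "gimp-3.0", "gimp.exe"}
# Children an image editor has no business spawning (constructed deny list).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
                       "curl", "wget", "nc", "python3", "perl"}

# Constructed sample log: a user opens a PSD, the file-psd plug-in runs as a child of
# GIMP, and a shell then appears under the plug-in. The final bash has no GIMP ancestor.
SAMPLE_LOG = """\
{"ts":"2026-03-14T09:01:02Z","pid":4101,"ppid":1200,"image":"/usr/bin/gimp-2.10","cmdline":"gimp-2.10 /home/alice/Downloads/brief.psd"}
{"ts":"2026-03-14T09:01:03Z","pid":4102,"ppid":4101,"image":"/usr/lib/gimp/2.0/plug-ins/file-psd/file-psd","cmdline":"file-psd"}
{"ts":"2026-03-14T09:01:04Z","pid":4103,"ppid":4102,"image":"/bin/sh","cmdline":"sh -c id"}
{"ts":"2026-03-14T09:01:05Z","pid":4104,"ppid":4101,"image":"/usr/lib/gimp/2.0/plug-ins/script-fu/script-fu","cmdline":"script-fu"}
{"ts":"2026-03-14T09:02:00Z","pid":5000,"ppid":1200,"image":"/bin/bash","cmdline":"bash"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descends_from_gimp(pid: int, parent_of: Dict[int, int], image_of: Dict[int, str]) -> bool:
    """Walk the parent chain; True if any ancestor is a GIMP process.

    Plug-ins (file-psd, script-fu) are separate processes, so the shell is a
    grandchild of GIMP, which is why a direct-parent check is not enough."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        if os.path.basename(image_of.get(pid, "")) in GIMP_IMAGES:
            return True
    return False


def find_anomalies(events: List[Dict]) -> List[Dict]:
    """Return events whose binary is on the deny list and whose ancestry reaches GIMP."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    image_of = {e["pid"]: e["image"] for e in events}
    return [e for e in events
            if os.path.basename(e["image"]) in SUSPICIOUS_CHILDREN
            and descends_from_gimp(e["pid"], parent_of, image_of)]


if __name__ == "__main__":
    for hit in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f'{hit["ts"]} pid={hit["pid"]} {hit["image"]} (ppid {hit["ppid"]}): {hit["cmdline"]}')
```

On the sample log this reports only pid 4103, the `/bin/sh` under the file-psd plug-in; the unrelated interactive bash is ignored.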