Heap‑Based Buffer Overflow in GIMP JP2 Parsing (CVE‑2026‑4152) Enables Remote Code Execution
What It Is — A heap‑based buffer overflow in the JP2 file parser of the GNU Image Manipulation Program (GIMP) permits remote attackers to execute arbitrary code when a victim opens a crafted JP2 image. The flaw arises from missing length validation before copying user‑supplied data to a heap buffer.
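The following is an added illustration, not GIMP's code and not derived from the patched parser: a minimal JP2 box reader in the generic vulnerable form the advisory describes (a declared box length copied into a heap buffer with no validation) beside a hardened form that checks the declared length against the header size and the bytes actually present before allocating or copying. The box layout (4-byte big-endian LBox, 4-byte TBox, payload) follows the JP2 file format; the function names, the SCRATCH_SIZE buffer, and the sample byte sequences are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* JP2 is a sequence of boxes: 4-byte big-endian LBox (total box length,
   header included), 4-byte TBox (type), then LBox-8 payload bytes.
   LBox == 0 means "box runs to end of file"; LBox == 1 means an 8-byte
   XLBox follows (this example simply rejects that case). */
#define JP2_BOX_HDR 8
#define SCRATCH_SIZE 64   /* fixed heap buffer used by the unchecked reader (constructed) */

typedef struct {
    char type[5];     /* TBox as a NUL-terminated string */
    uint8_t *data;    /* heap-allocated payload */
    size_t len;       /* payload length */
} jp2_box;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (illustrative, not GIMP's code): the declared LBox is
   trusted. An LBox larger than SCRATCH_SIZE+8 overruns the heap buffer, and
   an LBox below 8 wraps `lbox - JP2_BOX_HDR` to a huge size. It is present
   only to show what the checks in read_box_checked prevent; nothing here calls it. */
int read_box_unchecked(const uint8_t *buf, size_t off, jp2_box *out) {
    uint32_t lbox = be32(buf + off);
    out->data = malloc(SCRATCH_SIZE);
    if (!out->data) return -1;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    out->len = lbox - JP2_BOX_HDR;                        /* may underflow */
    memcpy(out->data, buf + off + JP2_BOX_HDR, out->len); /* no bound check */
    return 0;
}

/* Hardened reader: every arithmetic step is checked against the bytes that
   are actually present before anything is allocated or copied. */
int read_box_checked(const uint8_t *buf, size_t buflen, size_t off, jp2_box *out) {
    if (off > buflen || buflen - off < JP2_BOX_HDR) return -1; /* no room for a header */
    uint32_t lbox = be32(buf + off);
    if (lbox == 1) return -1;                              /* XLBox not supported here */
    size_t total = (lbox == 0) ? buflen - off : (size_t)lbox;
    if (total < JP2_BOX_HDR) return -1;                    /* shorter than its own header */
    if (total > buflen - off) return -1;                   /* claims more than the input has */
    size_t payload = total - JP2_BOX_HDR;
    out->data = malloc(payload ? payload : 1);             /* sized to the validated length */
    if (!out->data) return -1;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, buf + off + JP2_BOX_HDR, payload);
    out->len = payload;
    return 0;
}

/* Constructed sample: the JP2 signature box, LBox=12, TBox='jP  ',
   payload 0D 0A 87 0A. Returns the parsed payload length (4) or -1. */
int demo_valid_box(void) {
    static const uint8_t sig[] = {0x00,0x00,0x00,0x0c,'j','P',' ',' ',0x0d,0x0a,0x87,0x0a};
    jp2_box b;
    if (read_box_checked(sig, sizeof sig, 0, &b) != 0) return -1;
    int len = (int)b.len;
    free(b.data);
    return len;
}

/* Constructed sample: same 12 bytes but LBox claims 0x7fffffff. */
int demo_oversized_box(void) {
    static const uint8_t bad[] = {0x7f,0xff,0xff,0xff,'j','P',' ',' ',0x0d,0x0a,0x87,0x0a};
    jp2_box b;
    return read_box_checked(bad, sizeof bad, 0, &b);
}

/* Constructed sample: LBox=4, smaller than the 8-byte header. */
int demo_undersized_box(void) {
    static const uint8_t bad[] = {0x00,0x00,0x00,0x04,'j','P',' ',' ',0x0d,0x0a,0x87,0x0a};
    jp2_box b;
    return read_box_checked(bad, sizeof bad, 0, &b);
}

int main(void) {
    printf("valid box payload: %d bytes\n", demo_valid_box());
    printf("oversized LBox rejected: %s\n", demo_oversized_box() == -1 ? "yes" : "no");
    printf("undersized LBox rejected: %s\n", demo_undersized_box() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the hardened form is that the length used for malloc and memcpy is derived only after it has been bounded by the input that was actually read; the two rejected samples are exactly the inputs that the unchecked form would turn into an out-of-bounds heap write, which is the class of bug the advisory describes. A fuzz harness for an image loader should include both cases (declared length far above the file size, and declared length below the header size) as seed corpus entries.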
Exploitability — CVSS 7.8 (High). Exploitation requires user interaction (opening a malicious JP2 file or visiting a malicious page), and a proof‑of‑concept has been released. No widespread active exploitation has been reported yet.
Affected Products — GIMP (all versions prior to the March 2026 security update).
TPRM Impact —
- Vendors that embed GIMP in internal tools or content pipelines inherit the execution risk.
- Organizations that rely on GIMP‑generated assets for marketing, design, or documentation may see compromised workstations, enabling lateral movement.
- Supply‑chain exposure if malicious JP2 images are distributed to customers or partners.
Recommended Actions —
- Apply the GIMP patch released on 2026‑03‑19 (commit f64c9c23).
- Block JP2 MIME type (image/jp2) at email gateways and web proxies until patched.
- Scan endpoints for unexpected processes launched by GIMP.
- Update asset inventories to flag GIMP as a critical application requiring timely patching.