CVE-2026-2044

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-2044
GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PGM files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28158.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2569/diffs?commit_id=112a5e038f0646eae5ae314988ec074433d2b365 Issue Tracking Patch Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-26-118/ Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:*
History

24 Feb 2026, 21:41

Type Values Removed Values Added
CPE cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:*
First Time Gimp gimp
Gimp
Summary
  • (es) Vulnerabilidad de ejecución remota de código por memoria no inicializada en el análisis de archivos PGM de GIMP. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de GIMP. Para explotar esta vulnerabilidad se necesita la interacción del usuario quien debe visitar una página maliciosa o abrir un archivo malicioso. La falla se encuentra dentro del análisis de archivos PGM. El problema resulta de la falta de inicialización adecuada de la memoria antes de acceder a ella. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual. Fue ZDI-CAN-28158.
References () https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2569/diffs?commit_id=112a5e038f0646eae5ae314988ec074433d2b365 - () https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2569/diffs?commit_id=112a5e038f0646eae5ae314988ec074433d2b365 - Issue Tracking, Patch, Third Party Advisory
References () https://www.zerodayinitiative.com/advisories/ZDI-26-118/ - () https://www.zerodayinitiative.com/advisories/ZDI-26-118/ - Third Party Advisory

20 Feb 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-20 23:16

Updated : 2026-02-24 21:41

NVD link : CVE-2026-2044

Mitre link : CVE-2026-2044

CVE.ORG link : CVE-2026-2044

JSON object : View

Products Affected

gimp

  • gimp
CWE
CWE-908

Use of Uninitialized Resource