Vulnerability-Lookup

OPENSUSE-SU-2026:20100-1

Vulnerability from csaf_opensuse - Published: 2026-01-21 13:31 - Updated: 2026-01-21 13:31

Summary

Security update for gimp

Notes

Title of the patch

Security update for gimp

Description of the patch

This update for gimp fixes the following issues: Changes in gimp: - CVE-2025-14422: Fixed PNM File Parsing Integer Overflow (bsc#1255293) - CVE-2025-14423: Fixed LBM File Parsing Stack-based Buffer Overflow (bsc#1255294) - CVE-2025-14424: Fixed XCF File Parsing Use-After-Free (bsc#1255295) - CVE-2025-14425: Fixed JP2 File Parsing Heap-based Buffer Overflow(bsc#1255296)

Patchnames

openSUSE-Leap-16.0-packagehub-88

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for gimp",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for gimp fixes the following issues:\n\nChanges in gimp:\n\n- CVE-2025-14422: Fixed PNM File Parsing Integer Overflow (bsc#1255293)\n- CVE-2025-14423: Fixed LBM File Parsing Stack-based Buffer Overflow (bsc#1255294)\n- CVE-2025-14424: Fixed XCF File Parsing Use-After-Free (bsc#1255295)\n- CVE-2025-14425: Fixed JP2 File Parsing Heap-based Buffer Overflow(bsc#1255296)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-packagehub-88",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20100-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255293",
        "url": "https://bugzilla.suse.com/1255293"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255294",
        "url": "https://bugzilla.suse.com/1255294"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255295",
        "url": "https://bugzilla.suse.com/1255295"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255296",
        "url": "https://bugzilla.suse.com/1255296"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-14422 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-14422/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-14423 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-14423/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-14424 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-14424/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-14425 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-14425/"
      }
    ],
    "title": "Security update for gimp",
    "tracking": {
      "current_release_date": "2026-01-21T13:31:29Z",
      "generator": {
        "date": "2026-01-21T13:31:29Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:20100-1",
      "initial_release_date": "2026-01-21T13:31:29Z",
      "revision_history": [
        {
          "date": "2026-01-21T13:31:29Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gimp-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "gimp-3.0.6-bp160.2.1.aarch64",
                  "product_id": "gimp-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-devel-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "gimp-devel-3.0.6-bp160.2.1.aarch64",
                  "product_id": "gimp-devel-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
                  "product_id": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
                  "product_id": "gimp-plugin-aa-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
                  "product_id": "gimp-plugin-python3-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-vala-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "gimp-vala-3.0.6-bp160.2.1.aarch64",
                  "product_id": "gimp-vala-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
                  "product_id": "libgimp-3_0-0-3.0.6-bp160.2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
                "product": {
                  "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
                  "product_id": "libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gimp-lang-3.0.6-bp160.2.1.noarch",
                "product": {
                  "name": "gimp-lang-3.0.6-bp160.2.1.noarch",
                  "product_id": "gimp-lang-3.0.6-bp160.2.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gimp-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "gimp-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "gimp-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-devel-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "gimp-devel-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "gimp-devel-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-vala-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "gimp-vala-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "gimp-vala-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
                "product": {
                  "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
                  "product_id": "libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gimp-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "gimp-3.0.6-bp160.2.1.x86_64",
                  "product_id": "gimp-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-devel-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "gimp-devel-3.0.6-bp160.2.1.x86_64",
                  "product_id": "gimp-devel-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
                  "product_id": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
                  "product_id": "gimp-plugin-aa-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
                  "product_id": "gimp-plugin-python3-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gimp-vala-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "gimp-vala-3.0.6-bp160.2.1.x86_64",
                  "product_id": "gimp-vala-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
                  "product_id": "libgimp-3_0-0-3.0.6-bp160.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64",
                "product": {
                  "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64",
                  "product_id": "libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "gimp-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "gimp-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "gimp-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-devel-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "gimp-devel-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-devel-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "gimp-devel-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-devel-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "gimp-devel-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-lang-3.0.6-bp160.2.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch"
        },
        "product_reference": "gimp-lang-3.0.6-bp160.2.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-plugin-aa-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-plugin-aa-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-plugin-python3-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-plugin-python3-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-vala-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "gimp-vala-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-vala-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "gimp-vala-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gimp-vala-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "gimp-vala-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgimp-3_0-0-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgimp-3_0-0-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64"
        },
        "product_reference": "libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le"
        },
        "product_reference": "libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
        },
        "product_reference": "libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-14422",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-14422"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-14422",
          "url": "https://www.suse.com/security/cve/CVE-2025-14422"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255293 for CVE-2025-14422",
          "url": "https://bugzilla.suse.com/1255293"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-21T13:31:29Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-14422"
    },
    {
      "cve": "CVE-2025-14423",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-14423"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28311.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-14423",
          "url": "https://www.suse.com/security/cve/CVE-2025-14423"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255294 for CVE-2025-14423",
          "url": "https://bugzilla.suse.com/1255294"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-21T13:31:29Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-14423"
    },
    {
      "cve": "CVE-2025-14424",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-14424"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XCF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28376.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-14424",
          "url": "https://www.suse.com/security/cve/CVE-2025-14424"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255295 for CVE-2025-14424",
          "url": "https://bugzilla.suse.com/1255295"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-21T13:31:29Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-14424"
    },
    {
      "cve": "CVE-2025-14425",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-14425"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
          "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-14425",
          "url": "https://www.suse.com/security/cve/CVE-2025-14425"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255296 for CVE-2025-14425",
          "url": "https://bugzilla.suse.com/1255296"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-devel-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-extension-goat-excercises-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-lang-3.0.6-bp160.2.1.noarch",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-aa-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-plugin-python3-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:gimp-vala-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimp-3_0-0-3.0.6-bp160.2.1.x86_64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.aarch64",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.ppc64le",
            "openSUSE Leap 16.0:libgimpui-3_0-0-3.0.6-bp160.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-21T13:31:29Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-14425"
    }
  ]
}

CVE-2025-14423 (GCVE-0-2025-14423)

Vulnerability from cvelistv5 – Published: 2025-12-23 21:31 – Updated: 2026-01-07 17:09

Title

GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

Summary

GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28311.

Severity ?

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

Assigner

zdi

References

URL

Tags

	https://www.zerodayinitiative.com/advisories/ZDI-…	x_research-advisory
	https://gitlab.gnome.org/GNOME/gimp/-/commit/481c…	vendor-advisory

Impacted products

	Vendor	Product	Version
	GIMP	GIMP	Affected: 3.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14423",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-01T04:55:23.924312Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T17:09:47.343Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.6"
            }
          ]
        }
      ],
      "dateAssigned": "2025-12-10T01:42:17.294Z",
      "datePublic": "2025-12-17T20:21:15.204Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28311."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T21:31:23.374Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-1137",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1137/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/481cdbbb97746be1145ec3a633c567a68633c521"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-14423",
    "datePublished": "2025-12-23T21:31:23.374Z",
    "dateReserved": "2025-12-10T01:42:17.271Z",
    "dateUpdated": "2026-01-07T17:09:47.343Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14424 (GCVE-0-2025-14424)

Vulnerability from cvelistv5 – Published: 2025-12-23 21:31 – Updated: 2026-01-07 17:09

Title

GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability

Summary

GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XCF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28376.

Severity ?

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

zdi

References

URL

Tags

	https://www.zerodayinitiative.com/advisories/ZDI-…	x_research-advisory
	https://gitlab.gnome.org/GNOME/gimp/-/commit/5cc5…	vendor-advisory

Impacted products

	Vendor	Product	Version
	GIMP	GIMP	Affected: 3.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14424",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-01T04:55:24.634619Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T17:09:47.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.6"
            }
          ]
        }
      ],
      "dateAssigned": "2025-12-10T01:42:20.404Z",
      "datePublic": "2025-12-17T20:21:30.568Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XCF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28376."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T21:31:33.530Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-1138",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1138/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/5cc55d078b7fba995cef77d195fac325ee288ddd"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-14424",
    "datePublished": "2025-12-23T21:31:33.530Z",
    "dateReserved": "2025-12-10T01:42:20.383Z",
    "dateUpdated": "2026-01-07T17:09:47.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14425 (GCVE-0-2025-14425)

Vulnerability from cvelistv5 – Published: 2025-12-23 21:31 – Updated: 2026-01-02 14:04

Title

GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

Summary

GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248.

Severity ?

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-122 - Heap-based Buffer Overflow

Assigner

zdi

References

URL

Tags

	https://www.zerodayinitiative.com/advisories/ZDI-…	x_research-advisory
	https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c…	vendor-advisory

Impacted products

	Vendor	Product	Version
	GIMP	GIMP	Affected: 3.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-02T14:03:55.275509Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-02T14:04:01.866Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.6"
            }
          ]
        }
      ],
      "dateAssigned": "2025-12-10T01:42:24.647Z",
      "datePublic": "2025-12-17T20:21:45.285Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T21:31:42.424Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-1139",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1139/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/cd1c88a0364ad1444c06536731972a99bd8643fd"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-14425",
    "datePublished": "2025-12-23T21:31:42.424Z",
    "dateReserved": "2025-12-10T01:42:24.624Z",
    "dateUpdated": "2026-01-02T14:04:01.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14422 (GCVE-0-2025-14422)

Vulnerability from cvelistv5 – Published: 2025-12-23 21:31 – Updated: 2026-01-07 17:09

Title

GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability

Summary

GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273.

Severity ?

7.8 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

zdi

References

URL

Tags

	https://www.zerodayinitiative.com/advisories/ZDI-…	x_research-advisory
	https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2…	vendor-advisory

Impacted products

	Vendor	Product	Version
	GIMP	GIMP	Affected: 3.0.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14422",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-01T04:55:23.194030Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T17:09:47.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.6"
            }
          ]
        }
      ],
      "dateAssigned": "2025-12-10T01:41:58.784Z",
      "datePublic": "2025-12-17T20:20:57.419Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T21:31:13.262Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-25-1136",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1136/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/4ff2d773d58064e6130495de498e440f4a6d5edb"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2025-14422",
    "datePublished": "2025-12-23T21:31:13.262Z",
    "dateReserved": "2025-12-10T01:41:58.762Z",
    "dateUpdated": "2026-01-07T17:09:47.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:20100-1

CVE-2025-14423 (GCVE-0-2025-14423)

CVE-2025-14424 (GCVE-0-2025-14424)

CVE-2025-14425 (GCVE-0-2025-14425)

CVE-2025-14422 (GCVE-0-2025-14422)

Tags

Sightings

Nomenclature