ZDI-26-217
A vulnerability known as ZDI-26-217 allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit the issue in that the target must visit a malicious page or open a malicious file.
The flaw occurs within the parsing of PSD files. It stems from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can use the vulnerability to execute code in the context of the current process.
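The bug class described above, an integer overflow in a size computation that feeds an allocation, is illustrated below with a constructed example that is not GIMP's code or the actual fix; the advisory does not name the PSD fields involved, so the header fields, the `checked_size` helper and the size limit are assumptions. The unsafe and hardened size computations are shown side by side.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed header: size fields read straight from the file, so they are
   attacker-controlled. Field names are assumptions, not real PSD fields. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t channels;
} psd_header_t;

/* Unsafe pattern: 32-bit product can wrap to a small value, so the buffer
   allocated from it is too small for the pixel data copied in later. */
static size_t unchecked_size(const psd_header_t *h)
{
    return (size_t)(h->width * h->height * h->channels);
}

/* Multiply with overflow detection; returns 0 when a*b does not fit size_t. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hardened pattern: reject zero dimensions, overflow, and sizes above the
   parser's limit. Returns 1 and sets *out only for an acceptable header. */
static int checked_size(const psd_header_t *h, size_t limit, size_t *out)
{
    size_t tmp;
    if (h->width == 0 || h->height == 0 || h->channels == 0)
        return 0;
    if (!checked_mul(h->width, h->height, &tmp))
        return 0;
    if (!checked_mul(tmp, h->channels, &tmp))
        return 0;
    if (tmp > limit)
        return 0;
    *out = tmp;
    return 1;
}

/* Allocate only after validation; NULL means the file must be rejected. */
static unsigned char *alloc_pixels(const psd_header_t *h, size_t limit)
{
    size_t n;
    if (!checked_size(h, limit, &n))
        return NULL;
    return calloc(n, 1);
}
```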
GIMP has issued an update to correct the vulnerability. More details can be found at the commit on the GNOME GitLab repository. The disclosure timeline shows the vulnerability was reported to the vendor on 2026-03-05 with a coordinated public release of the advisory on 2026-03-19.
The advisory was also updated on 2026-03-19. Credit goes to an anonymous researcher.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Zero Day Initiative and reviewed by the T&B editorial agent team.