
A High-Risk Vulnerability Found in GIMP 3.0.2
If you’re using GIMP 3.0.2, there is a warning you need to be aware of. Researchers have reported a memory-safety vulnerability in the popular image editor. The issue lies in how GIMP parses Windows icon files (ICO files): opening a specially crafted ICO file can allow an attacker to execute code on your system with the privileges of the user running GIMP.
The vulnerability was reported by Trend Micro’s Zero Day Initiative (ZDI) and is tracked under the identifier ZDI-CAN-26752. It does not yet have a Common Vulnerabilities and Exposures (CVE) ID, but it has already been assigned a CVSS score of 7.8, which places it in the "High" severity band. That score is typical of file-parsing bugs that require the victim to open a malicious file but then give the attacker full control of the application’s process.
How the Exploit Works
The problem occurs in the ICO parser used by GIMP. This component reads and decodes ICO files, the format Windows uses to store icons. When you open an ICO file in GIMP, the parser reads the image dimensions from the file’s header and uses them to calculate how large a pixel buffer it needs to allocate.
Here’s where things go wrong: those dimensions are supplied by whoever created the file, and the parser trusts them. If they are chosen so that the size calculation produces a value smaller than the amount of data the parser goes on to write, the buffer is too small and the write runs past its end. At minimum that crashes GIMP; in the worst case the out-of-bounds write lets an attacker corrupt memory in a controlled way and execute code of their choosing.
This class of bug is particularly dangerous because simply opening the malicious file in GIMP is enough to trigger it; no further interaction is required, and the file does not need to look unusual in any way.
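The size-calculation mistake described above, as an added example written for this article (it is not GIMP’s code, and the header layout, the `ico_image_hdr` struct, the `max_dim` cap and the sample values are all assumptions made here). The vulnerable function multiplies attacker-controlled width, height and bytes-per-pixel in 32-bit arithmetic, so a 65536 x 65536 image wraps the result to zero; the hardened function caps the dimensions, checks each multiplication for overflow, and refuses to allocate unless the file actually contains that many bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header fields an ICO-style parser reads before allocating.
 * Constructed for this example; the layout is NOT GIMP's. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;        /* bits per pixel: 8, 24 or 32 in this example */
    uint32_t data_size;  /* bytes of pixel data the file claims to carry */
} ico_image_hdr;

/* Vulnerable pattern: trust the dimensions and multiply in 32-bit arithmetic.
 * 65536 * 65536 * 4 == 2^34, which wraps to 0, so the parser allocates a tiny
 * buffer and then copies a file-controlled number of bytes into it. */
uint32_t alloc_size_vulnerable(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * (bpp / 8);   /* unsigned wrap: defined, but wrong */
}

/* Hardened pattern. Returns the exact byte count to allocate, or 0 (never a
 * valid size) when the header is rejected. Checks, in order: supported bpp,
 * non-zero dimensions under a policy cap (max_dim is an assumption of this
 * example, not a GIMP value), multiplications that cannot overflow size_t,
 * and that the file really contains that many pixel bytes. */
size_t alloc_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                          size_t bytes_available)
{
    const uint32_t max_dim = 16384;
    if (bpp != 8 && bpp != 24 && bpp != 32) return 0;
    if (width == 0 || height == 0 || width > max_dim || height > max_dim) return 0;

    size_t bytes_per_px = bpp / 8;
    size_t row = (size_t)width;
    if (row > SIZE_MAX / bytes_per_px) return 0;   /* width * bpp would overflow */
    row *= bytes_per_px;
    if (row > SIZE_MAX / height) return 0;         /* row * height would overflow */
    size_t total = row * height;

    if (total > bytes_available) return 0;         /* truncated or lying file */
    return total;
}

/* Would the vulnerable path copy more bytes than it allocated? 1 = overflow.
 * A real parser would do: buf = malloc(alloc); memcpy(buf, data, h->data_size); */
int vulnerable_path_overflows(const ico_image_hdr *h)
{
    uint32_t alloc = alloc_size_vulnerable(h->width, h->height, h->bpp);
    return h->data_size > alloc;
}

/* Does the hardened path accept this header? 1 = accepted, 0 = rejected. */
int checked_path_accepts(const ico_image_hdr *h)
{
    return alloc_size_checked(h->width, h->height, h->bpp, h->data_size) != 0;
}

/* Constructed inputs: a benign 16x16 32-bpp icon, and a crafted header whose
 * dimensions make the 32-bit size computation wrap to zero. */
static const ico_image_hdr benign  = { 16, 16, 32, 1024 };
static const ico_image_hdr crafted = { 65536, 65536, 32, 4096 };

int main(void)
{
    printf("benign : vulnerable overflows=%d, checked accepts=%d\n",
           vulnerable_path_overflows(&benign), checked_path_accepts(&benign));
    printf("crafted: vulnerable overflows=%d, checked accepts=%d\n",
           vulnerable_path_overflows(&crafted), checked_path_accepts(&crafted));
    return 0;
}
```

The benign header is accepted by both paths; the crafted header makes the vulnerable path allocate zero bytes and then copy 4096, while the hardened path rejects it at the dimension cap before any arithmetic is done. The overflow checks remain as defence in depth for formats where no cap is appropriate.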
The Current State of Fixes
Interestingly, the faulty code in the ICO parser has already been fixed in GIMP’s public source code. If you dig into the Git repository, you’ll find the commit that addresses the issue. The catch is that no downloadable release of GIMP containing this fix is available yet.
The GIMP developers have explained their reasoning. Because GIMP is open source, every commit is publicly visible, and an attacker can diff the fix against the previous code to work out exactly what input triggers the bug. That is why the developers chose to warn users first, even before a patched release exists: the fix is effectively public already, and silence would only leave users unaware.
The next planned release is GIMP 3.0.4, which will include this patch along with a number of other improvements and fixes. The team does not want to ship an incomplete version just to patch one issue, so you’ll need to wait until the full update is ready. If you build GIMP from source, you can of course pull the fixed code now.
What You Should Do Right Now
Until GIMP 3.0.4 becomes available, avoid opening any ICO file in GIMP that you didn’t create yourself. Even if the file looks harmless or comes from a seemingly trustworthy source, the risk is too high: a single bad file can crash the application or, worse, compromise your system. Note that a file extension is not a reliable guard, since GIMP chooses its loader based on the file’s contents rather than its name, so treat any image of unknown origin with the same caution until you are on the patched release.
And it’s not only GIMP 3.0.x users who should be careful. According to ZDI, the older GIMP 2.x series is vulnerable too, although to a different bug. GIMP 2.x has a known flaw when opening XWD files (X Window Dump files), tracked as CVE-2025-2760. That issue has the same shape, a buffer overflow caused by size calculations that trust malformed header values, and it has been fixed in GIMP 3.0.
Background on GIMP
For those unfamiliar, GIMP stands for GNU Image Manipulation Program. It’s a powerful, free, open-source image editing suite available for Linux, Windows, and macOS. First released in 1998, GIMP has grown from a modest image editor into a full-featured alternative to proprietary software, capable of advanced photo retouching, image composition, and graphic design.
GIMP has built a strong user base thanks to its flexibility and extensibility. But as with any software that parses dozens of file formats from untrusted sources, each loader is attack surface, and vigilance about what you open matters.
Summary: Stay Cautious Until a Fix Is Released
To recap:
- GIMP 3.0.2 has a serious buffer overflow vulnerability (ZDI-CAN-26752) triggered by crafted ICO files.
- The issue has been patched in the public source code, but a new installable version is not yet available.
- The vulnerability has a CVSS score of 7.8, indicating high severity.
- Until the release of GIMP 3.0.4, avoid opening ICO files you didn’t create yourself, regardless of their extension.
- GIMP 2.x users should also be aware of a similar flaw involving XWD files (CVE-2025-2760), fixed in GIMP 3.0.
Staying on top of security updates is essential—especially when using powerful tools like GIMP that deal directly with external file formats. Keep your version updated and be cautious about what you open until the patched release becomes available.