Bug 2497384 (CVE-2026-58382)

Summary: CVE-2026-58382 gimp: gimp: Heap buffer overflow write in ReadJeffsImage()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in GIMP's Jeff's Image Format (JIF) parser. A heap-based out-of-bounds write occurs in the ReadJeffsImage() function when a crafted JIF file supplies an invalid bits-per-pixel value that causes the unpack loop to write beyond the destination buffer. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-06 16:18:33 UTC
Heap buffer overflow WRITE in GIMP's Jeff's Image Format (JIF) parser. In ReadJeffsImage() in file-gif-load.c, the bpp byte from the JIF header is used without validation as the unpack step. With bpp=1, the inner loop produces 8 pixels per decompressed byte, but the output buffer is sized for 1 pixel per byte, causing an 8x heap out-of-bounds write.

- Function: ReadJeffsImage()
- File: plug-ins/common/file-gif-load.c:1509-1635
- Fix: https://gitlab.gnome.org/GNOME/gimp/-/commit/de76a604
- Upstream issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/16212
- Acknowledgment: bb1abu