Bug 2497430 (CVE-2026-58383)

Summary: CVE-2026-58383 gimp: gimp: Heap buffer overflow via bpp=0 infinite loop in ReadJeffsImage()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in GIMP's Jeff's Image Format (JIF) parser. A heap-based out-of-bounds write occurs in the ReadJeffsImage() function when a crafted JIF file sets bits-per-pixel to 0, causing the unpack loop to never advance and to write indefinitely past the destination buffer. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-07-06 18:53:29 UTC
Heap buffer overflow WRITE via infinite loop in GIMP's Jeff's Image Format (JIF) parser. In ReadJeffsImage() in file-gif-load.c, when bpp is 0 from the JIF header, the inner loop for (j = 0; j < 8; j += bpp) never advances and writes unboundedly past the heap buffer.

- Function: ReadJeffsImage()
- File: plug-ins/common/file-gif-load.c:1509-1635
- Fix: https://gitlab.gnome.org/GNOME/gimp/-/commit/fb63e036
- Upstream issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/16213
- Acknowledgment: bb1abu