Fedora Account System
Red Hat Associate
Red Hat Customer
A heap buffer overflow write vulnerability exists in GIMP's Paint Shop Pro (PSP) file format parser. In read_channel_data() in file-psp.c, for low bit-depth images (depth=1 or 4), line_width uses a packed formula (8 pixels/byte) but fread() reads width bytes (1 byte/pixel). For example, with width=33 and depth=1: allocates 4 bytes, writes 33 — a 29-byte heap overflow. This is a variant of CVE-2026-4153 (commit 98cb1371), which fixed read_layer_block() but left the buf allocation in read_channel_data() unpatched. - Function: read_channel_data() - File: plug-ins/common/file-psp.c:1558-1784 - Fix: https://gitlab.gnome.org/GNOME/gimp/-/commit/b630f167 - Hardening: https://gitlab.gnome.org/GNOME/gimp/-/commit/20b00d6d - Upstream issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/16205 - Acknowledgment: bb1abu
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:38496 https://access.redhat.com/errata/RHSA-2026:38496