Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0320

NIXPKGS-2026-0320
published on
Permalink CVE-2026-0797
updated 2 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months ago
  • @LeSuisse ignored
    28 packages
    • gimp2Plugins.waveletSharpen
    • gimpPlugins.waveletSharpen
    • gimpPlugins.resynthesizer
    • gimp2Plugins.gimplensfun
    • gimpPlugins.gimplensfun
    • gimp3Plugins.lightning
    • gimp2Plugins.texturize
    • gimp2Plugins.lqrPlugin
    • gimp2Plugins.lightning
    • gimpPlugins.texturize
    • gimpPlugins.lqrPlugin
    • gimpPlugins.lightning
    • gimp2Plugins.farbfeld
    • gimpPlugins.farbfeld
    • gimpPlugins.fourier
    • gimp3-with-plugins
    • gimp2-with-plugins
    • gimp3Plugins.gmic
    • gimp3Plugins.gimp
    • gimp2Plugins.gmic
    • gimp2Plugins.gimp
    • gimp2Plugins.fourier
    • gimp2Plugins.bimp
    • gimp-with-plugins
    • gimpPlugins.gmic
    • gimpPlugins.gimp
    • gimpPlugins.bimp
    • zigimports
    2 months, 4 weeks ago
  • @LeSuisse accepted 2 months, 4 weeks ago
  • @LeSuisse published on GitHub 2 months, 4 weeks ago
GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.

References

Affected products

GIMP
  • ==3.2.0-RC1

Matching in nixpkgs

pkgs.gimp

GNU Image Manipulation Program

pkgs.gimp3

GNU Image Manipulation Program

Ignored packages (28)

pkgs.zigimports

Automatically remove unused imports and globals from Zig files

pkgs.gimp2Plugins.bimp

Batch Image Manipulation Plugin for GIMP

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6
  • nixos-25.11 2.6
    • nixos-25.11-small 2.6
    • nixpkgs-25.11-darwin 2.6

pkgs.gimpPlugins.lightning

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

pkgs.gimp2Plugins.lightning

None

  • nixos-unstable -
    • nixpkgs-unstable
    • nixos-unstable-small
  • nixos-25.11 -
    • nixos-25.11-small
    • nixpkgs-25.11-darwin

Package maintainers

Upstream issue: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555
Upstream patches:
* master:
  - https://gitlab.gnome.org/GNOME/gimp/-/commit/c54bf22acb04b83ae38ed50add58f300e898dd81
  - https://gitlab.gnome.org/GNOME/gimp/-/commit/905ce4b48782c5e71c79714b7ba7f6ebe4d0329d
* gimp-3-0:
  - https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d
  - https://gitlab.gnome.org/GNOME/gimp/-/commit/13849c5a9a65c2366c47f703d9d075e4bfb83525