GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44441

7.8HIGH

Key Information:

Vendor

Gimp

Status
Gimp
Vendor
CVE Published:
3 May 2024

What is CVE-2023-44441?

This vulnerability involves a heap-based buffer overflow that arises during the parsing of DDS files. The flaw is due to insufficient validation of length in user-supplied data, allowing attackers to exploit this weakness and execute arbitrary code within the context of the application. Successful exploitation requires user interaction, specifically that the target visits a malicious web page or opens a specially crafted file. This significant security risk can affect installations of GIMP, underscoring the need for users to ensure they are on the latest version to mitigate potential threats.

Affected Version(s)

GIMP GIMP 2.10.34 (revision 2)

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1592/
x_research-advisory
https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/
vendor-advisory

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.