Remote Code Execution Vulnerability in GIMP's FITS Image Loader
CVE-2026-40915

5.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-40915?

A flaw was discovered in GIMP's handling of FITS files, where an integer overflow can occur in the FITS image loader. An attacker could potentially exploit this vulnerability by submitting a specially crafted FITS file. This exploitation leads to a zero-byte memory allocation that may cause a heap buffer overflow during pixel data processing. As a consequence, this could enable a remote attacker to trigger a denial of service or execute arbitrary code on the affected system.

References

https://access.redhat.com/security/cve/CVE-2026-40915

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2458744

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Red Hat would like to thank Mehtab Zafar for reporting this issue.

CVE-2026-40915 Data

JSON