Stack Buffer Overflow in GIMP's TIM Image Loader
CVE-2026-40916

5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-40916?

A vulnerability exists in GIMP's TIM image loader specifically within the 4BPP decoding path, allowing a local user to manipulate the application into a denial of service state. When opening a specially crafted TIM image file, the application crashes due to an unconditional overflow during the writing process to a variable-length array. This flaw highlights the importance of validating inputs and maintaining robust error-handling mechanisms to ensure software stability.

References

https://access.redhat.com/security/cve/CVE-2026-40916

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2458745

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Red Hat would like to thank Mehtab Zafar for reporting this issue.

CVE-2026-40916 Data

JSON