A high-severity vulnerability has been identified in multiple GIMP products, allowing for remote code execution. An attacker could exploit this by tricking a user into opening a specially crafted ICNS image file, which could lead to a full system compromise, enabling data theft or the installation of further malware. Immediate patching is required to mitigate this significant risk.

The vulnerability is an out-of-bounds write within the GIMP component responsible for parsing Apple Icon Image files (.icns). When a user opens a malicious .icns file, the parser fails to properly validate the size of the input data before copying it into a fixed-size memory buffer. This allows an attacker to write data beyond the buffer's intended boundary, corrupting adjacent memory. A skilled attacker can leverage this memory corruption to overwrite critical program data, such as a function pointer or a return address on the stack, to hijack the program's execution flow and run arbitrary code with the same privileges as the user running GIMP.

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could have a severe impact on the business. An attacker could achieve remote code execution on an employee's workstation, leading to the compromise of sensitive corporate data, intellectual property, or personal information accessible by that user. Further risks include the installation of persistent malware such as ransomware or spyware, loss of system integrity, and the potential for the compromised machine to be used as a pivot point for lateral movement attacks into the broader corporate network.

Immediate Action:

• Identify all systems with vulnerable versions of GIMP installed.
• Prioritize patching for any internet-facing systems or workstations used by employees who frequently handle external media (e.g., marketing, design departments).
• Apply the security patches released by the vendor immediately to all affected assets to remediate the vulnerability.

Proactive Monitoring:

• Monitor system and application logs for GIMP application crashes, which could indicate failed exploitation attempts.
• Monitor for suspicious child processes spawning from the GIMP process (e.g., gimp.exe launching cmd.exe, powershell.exe, or making unexpected network connections).
• Implement network monitoring to detect and alert on unusual outbound traffic from workstations running GIMP.

Compensating Controls:

• If immediate patching is not feasible, implement user awareness campaigns instructing employees not to open or download .icns files from untrusted sources, such as email attachments or websites.
• Utilize Endpoint Detection and Response (EDR) solutions to detect and block anomalous process behavior associated with exploitation.
• Enforce application control policies to prevent unauthorized executables from running on workstations, which could limit the impact of a successful RCE.

Public Exploit Available: False

This is a critical vulnerability that requires immediate attention. The potential for remote code execution through a common user action—opening an image file—presents a significant risk. We strongly recommend that all organizations apply the vendor-supplied patches on an emergency basis. Although this CVE is not currently on the CISA KEV list, its high severity and straightforward attack vector make it a prime candidate for future inclusion. Organizations should treat this vulnerability with the urgency of an actively exploited threat and implement the recommended monitoring and compensating controls as part of a defense-in-depth security posture.