GIMP, Integer Overflow, CVE-2025-6035 (High)

Listen to this Post

The GIMP Despeckle plug-in performs an unchecked multiplication of image dimensions: width height img_bpp. On 32‑bit platforms, this product can overflow a 32‑bit integer, wrapping to a very small or even negative value. The vulnerable code then uses this overflowed value to allocate a heap buffer, resulting in a drastically undersized allocation. When the subsequent despeckle processing loop writes pixel data, it exceeds the allocated buffer size, causing a heap buffer overflow. The AddressSanitizer report confirms the out‑of‑bounds write:

==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a
WRITE of size 8 at 0xea2fb818 thread T0

Because the integer overflow is not detected, the logic assumes the resulting value will be larger than the original, but it becomes a small or negative number. This heap corruption can lead to denial of service or arbitrary code execution when a victim opens a specially crafted image.
Platform: GIMP
Version: ≤2.10.22
Vulnerability: Integer Overflow
Severity: High
Date: 06/13/2025

Prediction: Patch 2025-06-13

What Undercode Say:

Check installed GIMP version
gimp --version
Run GIMP with AddressSanitizer to detect the overflow
ASAN_OPTIONS=detect_leaks=0 gimp
Generate a crafted PNG with extreme dimensions (Python)
python3 -c "
from PIL import Image
img = Image.new('RGB', (50000, 50000))
img.save('crafted.png')
"

Exploit:

An attacker crafts an image with maliciously large width/height values (e.g., 50,000×50,000). When the victim opens this image and applies the Despeckle filter, the integer overflow triggers a small heap allocation. The subsequent memory write loops exceed the buffer, corrupting adjacent heap metadata. This corruption can be leveraged to hijack control flow and execute arbitrary code.

Protection from this CVE

  • Update GIMP to version 2.10.22-4+deb11u3 or later.
  • Avoid opening untrusted image files, especially in 32‑bit environments.
  • Run GIMP in a sandboxed environment (e.g., Firejail, AppArmor).
  • Disable or remove the Despeckle plug-in if not needed.

Impact

  • Heap corruption leading to application crash (DoS).
  • Potential arbitrary code execution under the victim’s privileges.
  • No authentication required; only user interaction (opening a crafted image).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top