CVE-2025-10920

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious ICNS files in GIMP. The flaw exists in ICNS file parsing where improper data validation leads to an out-of-bounds write. All GIMP users who open untrusted ICNS files are affected.

💻 Affected Systems

Products:
  • GIMP (GNU Image Manipulation Program)
Versions: all versions prior to the fix in merge request 2443
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations that can open ICNS files are vulnerable. The vulnerability requires user interaction to open a malicious file.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining the same privileges as the GIMP user, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Local privilege escalation or malware execution in user context, potentially leading to credential theft, lateral movement, or data exfiltration.

🟢

If Mitigated

Limited impact with proper application sandboxing, user privilege restrictions, and file validation controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). The vulnerability is documented by ZDI with advisory ZDI-25-909.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing merge request 2443

Vendor Advisory: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2443

Restart Required: Yes

Instructions:

1. Update GIMP to the latest version containing the fix from merge request 2443.
2. Restart GIMP after the update.
3. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable ICNS file support (applies to: all)

Remove or disable ICNS file format support in GIMP to prevent exploitation.

# Remove the ICNS plug-in file (location varies by OS)
# Example for Linux: rm /usr/lib/gimp/2.0/plug-ins/file-icns

Use application sandboxing (applies to: linux)

Run GIMP in a sandboxed environment to limit potential damage.

# Example using Firejail on Linux: firejail gimp

🧯 If You Can't Patch

  • Implement strict file validation policies to block ICNS files from untrusted sources
  • Run GIMP with reduced user privileges and in isolated environments

🔍 How to Verify

Check if Vulnerable:

Check whether the installed GIMP version predates the fix from merge request 2443.

Check Version:

gimp --version

Verify Fix Applied:

Confirm that the installed GIMP version includes the fix from merge request 2443.

📡 Detection & Monitoring

Log Indicators:

  • GIMP crash logs with memory access violations
  • Unexpected process execution from GIMP context

Network Indicators:

  • Outbound connections from GIMP process to unknown destinations

SIEM Query:

Process:gimp AND (EventID:1000 OR ExceptionCode:c0000005)
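Added example (not from this advisory or from the GIMP project): a small Python triage script that applies the log indicators above to constructed sample lines. It assumes a key=value flattened Windows Application log format (Event ID 1000, exception code 0xc0000005) and the standard Linux kernel segfault line; hostnames, PIDs and addresses are made up. One caveat: GIMP runs its file loaders as separate plug-in processes, so a crash in the ICNS loader surfaces under a file-icns process name that a query matching only Process:gimp would miss, which is why the script treats both names as GIMP-related.

```python
"""Triage crash-log lines for the GIMP/ICNS indicators listed above.

Added example, not part of the advisory. All sample lines are constructed;
hostnames, PIDs, addresses and timestamps are placeholders.
"""
import re

# Windows Application log, Event ID 1000, flattened to key=value by a log
# forwarder (format assumed). 0xc0000005 = STATUS_ACCESS_VIOLATION.
WIN_CRASH_RE = re.compile(
    r"EventID=(?P<eid>\d+).*?FaultingApplication=(?P<app>\S+)"
    r".*?ExceptionCode=(?P<code>0x[0-9a-fA-F]+)"
)
# Linux kernel segfault report as printed by dmesg/journalctl.
# Bit 1 of the error code (e.g. error 6) means the faulting access was a write.
LINUX_SEGV_RE = re.compile(
    r"kernel: (?P<proc>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r".*? error (?P<err>\d+)"
)

ACCESS_VIOLATION = 0xC0000005


def is_gimp_related(proc_name: str) -> bool:
    """True for the GIMP main process or its file-icns plug-in process.

    GIMP runs file loaders as separate plug-in processes, so a crash in the
    ICNS loader is reported under 'file-icns' rather than 'gimp'.
    """
    base = proc_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base.startswith("gimp") or base == "file-icns"


def triage_line(line: str):
    """Return a finding dict for a relevant crash line, or None."""
    m = WIN_CRASH_RE.search(line)
    if m:
        if m.group("eid") != "1000" or not is_gimp_related(m.group("app")):
            return None
        if int(m.group("code"), 16) != ACCESS_VIOLATION:
            return None
        return {"platform": "windows", "process": m.group("app"),
                "reason": "EventID 1000 with STATUS_ACCESS_VIOLATION"}
    m = LINUX_SEGV_RE.search(line)
    if m and is_gimp_related(m.group("proc")):
        write_fault = int(m.group("err")) & 0x2 != 0
        kind = "write" if write_fault else "read"
        return {"platform": "linux", "process": m.group("proc"),
                "reason": f"segfault ({kind} access)"}
    return None


def triage(lines):
    """Run triage_line over every line and keep the hits."""
    return [f for f in (triage_line(line) for line in lines) if f is not None]


# Constructed sample log lines (placeholder hosts, PIDs and addresses).
SAMPLE_LOG = [
    "2025-10-01T12:00:01Z host=WS-01 EventID=1000 Source=Application Error "
    "FaultingApplication=gimp-2.10.exe ExceptionCode=0xc0000005",
    "2025-10-01T12:00:02Z host=WS-01 EventID=1000 Source=Application Error "
    "FaultingApplication=file-icns.exe ExceptionCode=0xc0000005",
    "2025-10-01T12:00:03Z host=WS-01 EventID=1000 Source=Application Error "
    "FaultingApplication=chrome.exe ExceptionCode=0xc0000005",
    "2025-10-01T12:00:04Z host=WS-01 EventID=1001 Source=Windows Error Reporting "
    "FaultingApplication=gimp-2.10.exe ExceptionCode=0xc0000005",
    "Oct 01 12:00:05 ws-02 kernel: file-icns[4123]: segfault at 7f3c9a0010 "
    "ip 000055d1c3a1b2c4 sp 00007ffd3b1f2a10 error 6 in file-icns[55d1c3a00000+20000]",
    "Oct 01 12:00:06 ws-02 kernel: firefox[5001]: segfault at 0 "
    "ip 00007f00deadbeef sp 00007ffd00000000 error 4 in libxul.so[7f00de000000+100000]",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running the script reports three findings: the two Windows access violations attributed to gimp-2.10.exe and file-icns.exe, and the Linux write-access segfault in file-icns. The chrome.exe crash, the Event ID 1001 record and the firefox segfault are filtered out, showing the process-name and event-type checks doing their job.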

🔗 References
