CVE-2025-10923
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on GIMP installations by tricking users into opening malicious WBMP image files. The integer overflow during WBMP parsing enables buffer overflow attacks leading to remote code execution. All GIMP users who open untrusted WBMP files are affected.
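The TL;DR names the defect class (an integer overflow while parsing WBMP dimensions that leads to a heap overflow) without showing it. The C program below is an added example written for this page; it is not GIMP's file-wbmp plug-in and does not reproduce the exact flaw fixed by the referenced commit. It shows the bug class (a 32-bit width*height product that wraps) beside an overflow-safe WBMP header parser that a defender could use to triage WBMP files before they reach an image editor. The cap WBMP_MAX_DIM, the function names, and the embedded byte samples are assumptions constructed for the example; the WBMP layout (uintvar type, one fix-header byte, uintvar width and height, then 1-bit-per-pixel rows padded to whole bytes) follows the WAP WBMP specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical sanity cap on either dimension (assumption for this example). */
#define WBMP_MAX_DIM 32768u

typedef enum {
    WBMP_OK = 0,
    WBMP_ERR_TRUNCATED,   /* header ends before width/height are complete */
    WBMP_ERR_TYPE,        /* only image type 0 is defined by the WBMP spec */
    WBMP_ERR_EXTHEADER,   /* extension headers are not handled by this checker */
    WBMP_ERR_DIMENSION,   /* zero, oversized, or size computation would wrap */
    WBMP_ERR_DATA_SHORT   /* file is shorter than the pixel data it announces */
} wbmp_status;

typedef struct {
    uint32_t width, height;
    size_t stride;        /* bytes per row: ceil(width / 8), one bit per pixel */
    size_t data_size;     /* stride * height, checked against SIZE_MAX */
    size_t data_offset;   /* offset of the first pixel byte */
} wbmp_info;

/* Bug class illustrated (not GIMP's code): a 32-bit width*height product
 * silently wraps, so a buffer sized from it is smaller than the rows copied in. */
uint32_t unchecked_pixel_count(uint32_t width, uint32_t height)
{
    return width * height;          /* 0x10000 * 0x10000 wraps to 0 */
}

/* Decode a WBMP multi-byte integer: 7 payload bits per byte, high bit set
 * means another byte follows.  Values beyond 32 bits are rejected, never wrapped. */
static int read_uintvar(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    uint32_t value = 0;
    for (int i = 0; i < 5; i++) {   /* 5 * 7 = 35 bits is the most we ever read */
        if (*pos >= len)
            return -1;
        uint8_t b = buf[(*pos)++];
        if (value > (UINT32_MAX >> 7))
            return -1;              /* next shift would exceed 32 bits */
        value = (value << 7) | (b & 0x7fu);
        if (!(b & 0x80u)) {
            *out = value;
            return 0;
        }
    }
    return -1;                      /* continuation bit never cleared */
}

wbmp_status wbmp_parse(const uint8_t *buf, size_t len, wbmp_info *info)
{
    size_t pos = 0;
    uint32_t type, width, height;

    if (read_uintvar(buf, len, &pos, &type) != 0)
        return WBMP_ERR_TRUNCATED;
    if (type != 0)
        return WBMP_ERR_TYPE;
    if (pos >= len)
        return WBMP_ERR_TRUNCATED;
    if (buf[pos++] & 0x80u)         /* FixHeader bit 7: an ExtHeader follows */
        return WBMP_ERR_EXTHEADER;
    if (read_uintvar(buf, len, &pos, &width) != 0 ||
        read_uintvar(buf, len, &pos, &height) != 0)
        return WBMP_ERR_TRUNCATED;

    if (width == 0 || height == 0 || width > WBMP_MAX_DIM || height > WBMP_MAX_DIM)
        return WBMP_ERR_DIMENSION;

    /* Size arithmetic in size_t with an explicit pre-multiplication check, so the
     * buffer we would allocate can never be smaller than the rows written into it. */
    size_t stride = ((size_t)width + 7) / 8;
    if ((size_t)height > SIZE_MAX / stride)
        return WBMP_ERR_DIMENSION;
    size_t data_size = stride * (size_t)height;
    if (data_size > len - pos)
        return WBMP_ERR_DATA_SHORT;

    info->width = width;
    info->height = height;
    info->stride = stride;
    info->data_size = data_size;
    info->data_offset = pos;
    return WBMP_OK;
}

/* Status-only wrapper for file triage. */
wbmp_status wbmp_check(const uint8_t *buf, size_t len)
{
    wbmp_info info;
    return wbmp_parse(buf, len, &info);
}

/* Pixel-data size the header implies, or 0 if the file is rejected. */
size_t wbmp_data_size(const uint8_t *buf, size_t len)
{
    wbmp_info info;
    return wbmp_parse(buf, len, &info) == WBMP_OK ? info.data_size : 0;
}

/* Constructed samples (not real files): a valid 16x2 image; a header announcing
 * a 4294967295-pixel-wide image; and a 16x2 header with half its pixel data. */
const uint8_t WBMP_SAMPLE_OK[]    = { 0x00, 0x00, 0x10, 0x02, 0xff, 0xff, 0x00, 0x00 };
const uint8_t WBMP_SAMPLE_HUGE[]  = { 0x00, 0x00, 0x8f, 0xff, 0xff, 0xff, 0x7f, 0x01 };
const uint8_t WBMP_SAMPLE_SHORT[] = { 0x00, 0x00, 0x10, 0x02, 0xff, 0xff };

int main(void)
{
    wbmp_info info;
    wbmp_status st = wbmp_parse(WBMP_SAMPLE_OK, sizeof WBMP_SAMPLE_OK, &info);
    printf("sample ok: status=%d %ux%u stride=%zu data=%zu\n",
           st, info.width, info.height, info.stride, info.data_size);
    printf("sample huge: status=%d\n", wbmp_check(WBMP_SAMPLE_HUGE, sizeof WBMP_SAMPLE_HUGE));
    return 0;
}
```

The two checks that matter are the dimension cap and the SIZE_MAX division test before the multiplication: together they guarantee that the size handed to an allocator is the same size the row loop will write, which is exactly the invariant an integer overflow in a dimension field breaks. The uintvar decoder also refuses values that would need more than 32 bits instead of wrapping them, because a wrapped dimension is what a later allocation would be sized from.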
💻 Affected Systems
- GIMP (GNU Image Manipulation Program)
📦 What is this software?
GIMP (GNU Image Manipulation Program), a free and open-source raster image editor maintained by the GIMP project.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the GIMP user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or malware installation on the user's system when opening a malicious WBMP file.
If Mitigated
Application crash (denial of service) if exploit fails or security controls prevent code execution.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) and bypassing modern exploit mitigations like ASLR/DEP. ZDI has confirmed the vulnerability but weaponization status is unknown.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions including commit 2d2d39f3da1d0b01ca7d71ad2b7a8725ee92ed96
Vendor Advisory: https://gitlab.gnome.org/GNOME/gimp/-/commit/2d2d39f3da1d0b01ca7d71ad2b7a8725ee92ed96
Restart Required: No
Instructions:
1. Update GIMP to the latest version from official repositories.
2. For Linux: use the package manager (apt update && apt upgrade gimp).
3. For Windows/macOS: download the latest installer from gimp.org.
4. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Disable WBMP file support
Platform: Linux. Remove or disable the WBMP file format plug-in to prevent parsing of malicious files:
mv /usr/lib/gimp/2.0/plug-ins/file-wbmp /usr/lib/gimp/2.0/plug-ins/file-wbmp.disabled
Restart GIMP
File type blocking
Platform: all. Block WBMP files at the network perimeter or on the endpoint.
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized code execution
- Use GIMP in sandboxed environment or virtual machine
🔍 How to Verify
Check if Vulnerable:
Check the installed GIMP version and compare it with the patched version. The installation is vulnerable if it predates commit 2d2d39f3da1d0b01ca7d71ad2b7a8725ee92ed96.
Check Version:
Run gimp --version (Linux) or open Help > About in the GIMP GUI.
Verify Fix Applied:
Verify that the installed GIMP build includes the fix commit or is newer than the vulnerable versions.
📡 Detection & Monitoring
Log Indicators:
- GIMP crash logs with WBMP file references
- Unexpected process creation from GIMP
Network Indicators:
- Downloads of WBMP files to user systems
- Unusual outbound connections from GIMP process
SIEM Query:
Process:Name='gimp' AND (FileExtension='.wbmp' OR FileName='*.wbmp')