CVE-2026-40917: Gimp: gimp: application crashes or information disclosure via crafted icns image files
A flaw was found in GIMP. This vulnerability, a heap buffer over-read in the `icns_slurp()` function, occurs when processing specially crafted ICNS image files. An attacker could provide a malicious ICNS file, potentially leading to application crashes or information disclosure on systems that process such files.
Security readout for executives and security teams
Plain-English summary
CVE-2026-40917 affects GIMP on listed Red Hat Enterprise Linux releases. A malicious ICNS image can make GIMP read past a heap buffer, potentially crashing the application. Sources also mention possible information disclosure, though the provided CVSS vector records no confidentiality impact. This is user-assisted and not listed as actively exploited.
Executive priority
Treat as a moderate endpoint and workstation risk. It is not remotely exploitable without file interaction, but it can disrupt users or image-processing workflows. Prioritize patch tracking and exposure reduction where GIMP handles external files.
Technical view
The flaw is a CWE-125 heap buffer over-read in GIMP’s icns_slurp() function while parsing crafted ICNS files. Red Hat marks gimp packages on RHEL 6, 7, 8, and 9 as affected. CVSS 3.1 is 5.0 with local attack vector, low complexity, low privileges, required user interaction, and high availability impact.
Likely exposure
Exposure is most likely on RHEL systems with GIMP installed where users or automated workflows open ICNS image files from untrusted sources. Desktop, design, support, and content-processing environments are the main concern.
Exploitation context
An attacker would need to get a crafted ICNS file opened or processed by GIMP on an affected system. The source bundle does not indicate public exploitation, weaponized exploit availability, or CISA KEV listing.
Researcher notes
Key gaps: the provided sources do not name a fixed version, patch commit, or real-world exploitation. Note the mismatch between description mentioning information disclosure and CVSS showing C:N. Validate against Red Hat updates before asserting confidentiality impact.
Mitigation direction
Check Red Hat guidance for fixed package availability and update instructions.
Avoid opening ICNS files from untrusted or unexpected sources.
Remove GIMP from systems where it is not operationally required.
Handle untrusted image files in isolated or least-privileged environments.
Validation and detection
Inventory RHEL 6, 7, 8, and 9 systems with GIMP installed.
Confirm whether workflows process ICNS files through GIMP.
Review Red Hat CVE and Bugzilla entries for package status.
Prioritize systems used by users likely to receive external image files.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-125 · source CWE mapping
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.