Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-40915 (CVSS 5.5)
Red Hat · Red Hat Enterprise Linux

GIMP: heap buffer overflow due to integer overflow in FITS image loader

Description

A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. The overflowed size computation produces a zero-byte memory allocation, and the subsequent pixel-data processing then writes past the end of that buffer, causing a heap buffer overflow. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.
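The mechanism the description outlines, as an added worked example in C (illustrative code written for this record, not GIMP's FITS loader): a size computed from header dimensions wraps to zero, malloc(0) still returns a live heap chunk, and the first row copy already overruns it; beside it, the overflow-checked form that rejects the header before allocating. The header values, the 32-bit width of the size arithmetic, the MAX_IMAGE_BYTES cap and all function names are assumptions for the example; only the 80-byte FITS card layout is standard.

```c
/* Illustrative example, not GIMP's code: CWE-190 in an image loader.
 * Constructed input: a FITS header whose NAXIS1 x NAXIS2 x bytes/pixel
 * wraps to 0 in 32-bit arithmetic (assumed to mirror int-width counters). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FITS_CARD_LEN 80
#define MAX_IMAGE_BYTES ((size_t)1 << 30) /* assumed sanity cap for the example */

typedef struct {
    uint32_t naxis1;   /* width in pixels */
    uint32_t naxis2;   /* height in pixels */
    uint32_t bytes_pp; /* |BITPIX| / 8 */
} fits_dims;

/* Write one "KEYWORD = value" card, space-padded to 80 bytes. */
static void put_card(char *card, const char *key, long long val)
{
    char tmp[FITS_CARD_LEN + 1];
    int n = snprintf(tmp, sizeof tmp, "%-8s= %20lld", key, val);
    memset(card, ' ', FITS_CARD_LEN);
    memcpy(card, tmp, (size_t)n);
}

/* Build a constructed minimal header (NAXIS1, NAXIS2, BITPIX, END). */
size_t make_header(char *buf, long long naxis1, long long naxis2, long long bitpix)
{
    put_card(buf + 0 * FITS_CARD_LEN, "NAXIS1", naxis1);
    put_card(buf + 1 * FITS_CARD_LEN, "NAXIS2", naxis2);
    put_card(buf + 2 * FITS_CARD_LEN, "BITPIX", bitpix);
    memset(buf + 3 * FITS_CARD_LEN, ' ', FITS_CARD_LEN);
    memcpy(buf + 3 * FITS_CARD_LEN, "END", 3);
    return 4 * FITS_CARD_LEN;
}

/* Look up an integer keyword; false if absent before the END card. */
static bool fits_get_int(const char *hdr, size_t len, const char *key, long long *out)
{
    char padded[9];
    snprintf(padded, sizeof padded, "%-8s", key);
    for (size_t off = 0; off + FITS_CARD_LEN <= len; off += FITS_CARD_LEN) {
        const char *card = hdr + off;
        if (memcmp(card, "END     ", 8) == 0)
            break;
        if (memcmp(card, padded, 8) == 0 && card[8] == '=') {
            char val[FITS_CARD_LEN - 10 + 1];
            memcpy(val, card + 10, FITS_CARD_LEN - 10);
            val[FITS_CARD_LEN - 10] = '\0';
            *out = strtoll(val, NULL, 10); /* strtoll skips the leading blanks */
            return true;
        }
    }
    return false;
}

/* Parse dimensions; rejects values that do not fit the 32-bit fields. */
bool parse_header(const char *hdr, size_t len, fits_dims *d)
{
    long long n1, n2, bitpix;
    if (!fits_get_int(hdr, len, "NAXIS1", &n1) || !fits_get_int(hdr, len, "NAXIS2", &n2) ||
        !fits_get_int(hdr, len, "BITPIX", &bitpix))
        return false;
    if (n1 < 1 || n1 > UINT32_MAX || n2 < 1 || n2 > UINT32_MAX)
        return false;
    if (bitpix == 0 || bitpix % 8 != 0 || llabs(bitpix) > 64)
        return false;
    d->naxis1 = (uint32_t)n1;
    d->naxis2 = (uint32_t)n2;
    d->bytes_pp = (uint32_t)(llabs(bitpix) / 8);
    return true;
}

/* Vulnerable pattern: 65536 * 65536 * 1 wraps to 0 in uint32_t, so the
 * loader would call malloc(0) and get back a tiny but valid heap chunk. */
uint32_t pixel_bytes_unchecked(const fits_dims *d)
{
    return d->naxis1 * d->naxis2 * d->bytes_pp;
}

/* True when copying even the first row exceeds the wrapped allocation,
 * i.e. the write that becomes the heap buffer overflow. Computed, not performed. */
bool row_copy_overruns(const fits_dims *d)
{
    return (size_t)d->naxis1 * d->bytes_pp > pixel_bytes_unchecked(d);
}

/* Hardened form: widen to size_t, test each multiplication for wrap before
 * doing it, and refuse sizes above a sanity cap. Allocate only after this. */
bool pixel_bytes_checked(const fits_dims *d, size_t *out)
{
    size_t a = d->naxis1, b = d->naxis2, c = d->bytes_pp, n;
    if (a == 0 || b == 0 || c == 0 || a > SIZE_MAX / b)
        return false;
    n = a * b;
    if (n > SIZE_MAX / c)
        return false;
    n *= c;
    if (n > MAX_IMAGE_BYTES)
        return false;
    *out = n;
    return true;
}

int main(void)
{
    char hdr[4 * FITS_CARD_LEN];
    fits_dims d;
    size_t len, n = make_header(hdr, 65536, 65536, 8);
    if (!parse_header(hdr, n, &d))
        return 1;
    printf("unchecked size: %u bytes, first row overruns: %s, checked accepts: %s\n",
           (unsigned)pixel_bytes_unchecked(&d), row_copy_overruns(&d) ? "yes" : "no",
           pixel_bytes_checked(&d, &len) ? "yes" : "no");
    return 0;
}
```

The checked variant tests for wrap with a division before each multiplication rather than after it, because the wrapped result of a product carries no trace of the overflow; the cap then catches dimensions that are arithmetically valid but absurd for an image, which is the second line of defence when the target platform has a 64-bit size_t and the product itself does not wrap.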

Affected Products

Vendor | Product | Versions
Red Hat | Red Hat Enterprise Linux | not specified

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | GIMP | cert_advisory | 90%

References

  • https://access.redhat.com/security/cve/CVE-2026-40915 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2458744 (issue-tracking, x_refsource_REDHAT)

Related News (3 articles)

Tier D · Heise Security · 5d ago
Gimp: Unpatched vulnerability allows code injection via GIFs
→ No new info (linked only)
Tier B · BSI Advisories · 5d ago
[NEW] [UNPATCHED] [medium] GIMP: Multiple vulnerabilities
→ No new info (linked only)
Tier C · VulDB · 5d ago
CVE-2026-40915 | GIMP integer overflow
→ No new info (linked only)
CVSS 3.1: 5.5 (NONE)
CISA KEV: No
Actively exploited: No
CWE: CWE-190
Published: Apr 15, 2026
Last enriched: 5d ago
Trending Score: 19
Source articles: 3
Independent: 3
Info Completeness: 0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

HIGH · PRE-CVE: Multiple Vulnerabilities in Red Hat Hardened Images RPMs (jq and pyOpenSSL) (Trending: 27)
NONE · CVE-2026-0966: Libssh: buffer underflow in ssh_get_hexa() on invalid input (Trending: 20)
MEDIUM · CVE-2026-6383 [EXP]: Kubevirt: unauthorized subresource access due to improper RBAC evaluation (Trending: 19)
NONE · CVE-2026-4424: Libarchive: information disclosure via heap out-of-bounds read in RAR archive processing (Trending: 17)
MEDIUM · CVE-2026-37980: org.keycloak.forms.login (Keycloak): arbitrary code execution via stored cross-site scripting (XSS) in organization selection login page (Trending: 17)


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 15, 2026
Discovered by ZDM: Apr 15, 2026