Zero Day Monitor (ZDM)
CVE-2026-5201 · EXPLOITED · CVSS 7.5
red hat · red hat enterprise linux

Gdk-pixbuf: gdk-pixbuf: denial of service via heap-based buffer overflow when processing a specially crafted jpeg image

Description

A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.

Affected Products

Vendor | Product | Versions
red hat | red hat enterprise linux | —

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | gdk-pixbuf | cert_advisory | 90%

References

  • https://access.redhat.com/security/cve/CVE-2026-5201 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2453291 (issue-tracking, x_refsource_REDHAT)
  • https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304

Related News (2 articles)

Tier B
BSI Advisories · 2h ago
[NEW] [medium] gdk-pixbuf: Vulnerability allows denial of service and potential code execution
→ No new info (linked only)
Tier C
VulDB · 1d ago
CVE-2026-5201 | gdk-pixbuf JPEG Image Loader heap-based overflow
→ No new info (linked only)
CVSS 3.1: 7.5 HIGH
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-122
Published: Mar 31, 2026
Last enriched: 2h ago (v2)
Trending Score: 68
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: versions, epss, kev, patch, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-5121 · Trending: 51
    Libarchive: libarchive: arbitrary code execution via integer overflow in iso9660 image processing
  • HIGH · CVE-2026-1961 · EXP · Trending: 51
    Foreman: foreman: remote code execution via command injection in websocket proxy
  • HIGH · CVE-2026-28369 · EXP · Trending: 45
    Undertow: undertow: request smuggling via malformed http request headers
  • HIGH · CVE-2026-28367 · EXP · Trending: 45
    Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
  • NONE · CVE-2026-5165 · EXP · Trending: 35
    Virtio-win: virtio-win: memory corruption via use-after-free in virtio blk device reset

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Mar 31, 2026
  • Discovered by ZDM: Mar 31, 2026
  • Actively Exploited: Mar 31, 2026
  • Exploit Available: Mar 31, 2026
  • Updated (severity, exploitAvailable, activelyExploited): Apr 1, 2026

Version History

v2 · Tier B · 2h ago

Updated severity to HIGH and marked the vulnerability as actively exploited with an exploit available.

severity, exploitAvailable, activelyExploited
via BSI Advisories

v1 · 1d ago

Initial creation