{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-15T18:41:40Z",
  "bugzilla" : {
    "description" : "gimp: GIMP: Denial of Service via crafted PVR image file",
    "id" : "2458747",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458747"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-131",
  "details" : [ "A flaw was found in GIMP. Processing a specially crafted PVR image file with large dimensions can lead to a denial of service (DoS). This occurs due to a stack-based buffer overflow and an out-of-bounds read in the PVR image loader, causing the application to crash. Systems that process untrusted PVR image files are affected.", "A flaw was found in GIMP. Processing a specially crafted PVR image file with large dimensions can lead to a denial of service (DoS). This occurs due to a stack-based buffer overflow and an out-of-bounds read in the PVR image loader, causing the application to crash. Systems that process untrusted PVR image files are affected." ],
  "statement" : "This is a Moderate impact vulnerability. Processing a specially crafted PVR image file can lead to a denial of service due to a stack-based buffer overflow and an out-of-bounds read in the PVR image loader. Systems that process untrusted PVR image files are affected. The impact may be limited if the PVR image loader is part of an optional component or plugin that is not enabled by default.",
  "acknowledgement" : "Red Hat would like to thank mzfr for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "gimp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "gimp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "gimp:2.8/gimp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "gimp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40918\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40918" ],
  "name" : "CVE-2026-40918",
  "mitigation" : {
    "value" : "To reduce the risk associated with this vulnerability, avoid processing untrusted PVR image files. Users should exercise caution when opening PVR files from unknown or suspicious sources. If the PVR image loader is part of an application that processes untrusted content, consider running that application in a sandboxed environment to limit potential impact.",
    "lang" : "en:us"
  },
  "csaw" : false
}