Urgent Security Alert: GIMP Remote Code Execution Vulnerabilities in Ubuntu LTS (USN-8057-1)

 

Critical GIMP vulnerabilities (USN-8057-1) impact Ubuntu 16.04-24.04 LTS. Attackers can execute arbitrary code via FLI, DCM, JP2, and PSP files. Update immediately with Ubuntu Pro to mitigate CVE-2025-2761, CVE-2025-10922, and more. Essential reading for Linux security administrators.

Is your Ubuntu LTS environment exposed to unpatched code execution flaws? A new, critical Ubuntu Security Notice (USN-8057-1) has been released, detailing multiple high-severity vulnerabilities in the GNU Image Manipulation Program (GIMP). 

These flaws could allow an attacker to compromise your system simply by convincing a user to open a maliciously crafted image file. This is not a routine update; it addresses a cluster of security defects that enable arbitrary code execution and denial of service across multiple Ubuntu LTS releases.

Executive Summary: The GIMP Threat Landscape

On February 23, 2026, Canonical published USN-8057-1, patching five distinct Common Vulnerabilities and Exposures (CVEs) affecting GIMP. 

The vulnerabilities span multiple image parsers—FLI, DCM (DICOM), JP2 (JPEG 2000), and PSP (PaintShop Pro)—and affect systems from Ubuntu 16.04 LTS up to the latest Ubuntu 24.04 LTS. Critically, these are not theoretical risks; they are weaponizable flaws that can lead to full system compromise. 

The patches are available exclusively through an Ubuntu Pro subscription for most affected versions, highlighting the importance of enterprise-grade security maintenance.

Anatomy of the Vulnerabilities: Technical Deep Dive (CVE Analysis)

Understanding the technical root cause is the first step in effective vulnerability management. Here is a detailed breakdown of each flaw, mapped to its specific attack vector.

1. FLI Parser Heap Corruption (CVE-2017-17785 & CVE-2025-2761)

The Autodesk FLIC (FLI) animation format parser has been a recurring source of risk. Security researchers Hanno Böck and Michael Randrianantenaina identified two critical flaws:

• CVE-2017-17785 (Ubuntu 16.04 LTS only): An allocation flaw occurs when GIMP relies solely on the file header for memory allocation. A malicious FLI file can specify an excessively large size, leading to out-of-bounds (OOB) writes on the heap. This classic memory corruption vector can be exploited to overwrite critical program data and redirect execution flow.

• CVE-2025-2761 (All Affected Versions): This is a separate out-of-bounds (OOB) read issue within the same FLI parser. By manipulating specific indexes, an attacker can cause the parser to read memory beyond the intended buffer, potentially leaking sensitive information or triggering a segmentation fault, resulting in a denial of service.

2. Medical Image Parser Flaw: DCM Out-of-Bounds Read (CVE-2025-10922)

GIMP's ability to open DICOM (DCM) files, a standard medical image format, introduces a significant supply chain risk. CVE-2025-10922 is triggered by a maliciously-crafted DCM file that causes the parser to index out-of-bounds. 

For security teams in healthcare or research, this is a potent reminder that image processing tools can be an entry point for threats targeting sensitive PII/PHI data.

3. JPEG-2000 Precision Error: Buffer Overflow (CVE-2025-14425)

The JPEG 2000 (JP2) format is known for its complex compression algorithms. CVE-2025-14425 stems from a failure to account for color precision during image buffer allocation. 

When GIMP reads a malicious JP2 file, the miscalculation leads to an undersized buffer. Subsequent write operations then cause a buffer overflow, a primary enabler for remote code execution (RCE). This issue specifically impacts modern versions (20.04, 22.04, 24.04 LTS).

4. PSP Parser Greyscale Logic Error: Invalid Pointer (CVE-2025-15059)

The PaintShop Pro (PSP) parser contains a logical flaw: when processing a greyscale image, it erroneously attempts to query non-existent color channels. This results in the generation of an invalid memory pointer. 

If dereferenced, this pointer will cause an immediate program crash (DoS). In more complex exploit scenarios, controlling this invalid pointer could potentially lead to arbitrary code execution.

Affected Systems & Remediation Protocol

If your organization utilizes any of the following Ubuntu LTS releases, your GIMP installation is vulnerable. Immediate action is required.

Comprehensive List of Vulnerable Ubuntu Releases

• Ubuntu 24.04 LTS (Noble Numbat)

• Ubuntu 22.04 LTS (Jammy Jellyfish)

• Ubuntu 20.04 LTS (Focal Fossa)

• Ubuntu 18.04 LTS (Bionic Beaver)

• Ubuntu 16.04 LTS (Xenial Xerus)

Mitigation Strategy: Patching with Ubuntu Pro

The standard system update command (sudo apt update && sudo apt upgrade) will not secure your system unless the esm-infra or esm-apps repository is enabled via an Ubuntu Pro subscription. 

This underscores the "Available with Ubuntu Pro" designation in the advisory.

Step-by-Step Remediation for Ubuntu Administrators:

1. Verify Subscription: Ensure your Ubuntu Pro token is attached. Run sudo pro attach [TOKEN].

2. Enable ESM Repos: Enable the ESM (Expanded Security Maintenance) repository for apps: sudo pro enable esm-apps.

3. Update Packages: Execute sudo apt update && sudo apt upgrade to pull the patched GIMP versions.

4. Verify Installation: Confirm the updated version matches the advisory:

   • Ubuntu 24.04 LTS: gimp 2.10.36-3ubuntu0.24.04.1+esm1

   • Ubuntu 22.04 LTS: gimp 2.10.30-1ubuntu0.1+esm1

   • Ubuntu 20.04 LTS: gimp 2.10.18-1ubuntu0.1+esm1

   • Refer to the full advisory for legacy versions.

Why This Matters for Enterprise Security 

As a Linux security authority, it's critical to look beyond the patch level. Here is an expert analysis of the broader implications.

Experience: The Real-World Attack Vector

How would this happen in a corporate environment? An attacker compromises a design agency's website and replaces a legitimate .dcm medical illustration or .fli animation with a malicious one. 

An unsuspecting researcher or marketing professional downloads and opens the file in GIMP. The exploit triggers, giving the attacker a foothold inside the network perimeter for lateral movement.

Expertise: The Ubiquity of Image Parsers

Image parsers are notoriously difficult to secure. They are often written in memory-unsafe languages like C and must handle a vast array of legacy and complex formats. The cluster of CVEs—spanning FLI (a legacy format) to JP2 (a modern, complex standard)—demonstrates the wide attack surface of a seemingly simple application like GIMP.

Authoritativeness: Why Ubuntu Pro is the Key

Canonical's decision to gate these patches behind Ubuntu Pro for older LTS releases reinforces a key enterprise architecture principle: security maintenance has a cost. Organizations still running Ubuntu 16.04 or 18.04 LTS without a subscription are now exposed to critical RCE vulnerabilities. 

This validates the shift towards subscription-based security models for long-term stability and safety.

Trustworthiness: Verifying the Fix

System administrators should not just take the update at face value. Best practice involves:

• Checksum Verification: After downloading, verify the integrity of the updated gimp binaries against the SHA256 checksums provided in the Ubuntu Pro repository metadata.

• Staged Rollouts: Deploy the patch to a staging environment first to ensure compatibility with custom workflows or scripts that may interact with GIMP.

Frequently Asked Questions (FAQ)

Q1: Is GIMP safe to use after applying these updates?

A: Yes. Once you have updated to the patched versions listed in USN-8057-1 (via Ubuntu Pro or the standard repos for 24.04), the specific code execution vectors are mitigated. However, as with all complex software, maintaining a regular patch cadence is the only way to ensure ongoing security.

Q2: I don't have Ubuntu Pro. What are my options?

A: For Ubuntu 16.04, 18.04, 20.04, and 22.04 LTS, an Ubuntu Pro subscription is required to receive these patches. You can either:

1. Purchase Ubuntu Pro for your nodes (free for personal use on up to 5 machines).

2. Upgrade your OS to Ubuntu 24.04 LTS and ensure you have the universe repository enabled to receive the fix without Ubuntu Pro, as noted in the advisory for the base version.

Q3: Do these vulnerabilities require user interaction?

A: Yes. The attack vector is local and requires the user to open a malicious file with GIMP. This is not a wormable, network-borne exploit. However, social engineering (e.g., phishing emails with malicious attachments) makes this a potent threat.

Q4: What is the difference between CVE-2017-17785 and CVE-2025-2761?

A: Both target the FLI parser. CVE-2017-17785 is an out-of-bounds write (corrupting memory), which is more likely to lead to reliable code execution. CVE-2025-2761 is an out-of-bounds read, primarily leading to information disclosure or a denial of service (crash).

Conclusion: Proactive Security in a Persistent Threat Environment

The disclosure of USN-8057-1 serves as a critical reminder that even ubiquitous desktop applications like GIMP can become the weakest link in your security chain. 

The combination of heap corruptions, buffer overflows, and invalid pointer dereferences across multiple image formats creates a credible and serious risk for any organization using Ubuntu LTS.

Actionable Next Steps for the Reader:

1. Immediate Audit: Run dpkg -l | grep gimp on all Ubuntu LTS workstations and servers to inventory your exposure.

2. Prioritize Patching: If you have Ubuntu Pro, deploy the gimp and libgimp2.0 updates as a Critical Priority task today.

3. Review ESM Coverage: If you lack Ubuntu Pro, use this incident to build a business case for securing your LTS fleet with Expanded Security Maintenance.

4. User Education: Remind users—especially in design, marketing, and research—to exercise extreme caution when opening unsolicited image files, particularly .fli, .dcm, .jp2, and .psp formats.