GIMP: When a Toolbar Icon Acts Like a Trojan Horse

Isn’t it ridiculous that a simple icon, a .ico file, could completely compromise your system?

Yet, this is exactly the nightmare that millions of GIMP users are currently facing. Indeed, security researchers from Trend Micro have identified a critical vulnerability (CVSS score 7.8) that allows for remote code execution through the opening of a maliciously crafted ICO file.

We’re talking about an icon here—those small files that Windows uses to represent your applications and folders—not about some sketchy executable downloaded from a dubious Cyrillic site. Just a silly icon!

For those curious about how this black magic works, it’s quite simple to understand. The vulnerability, charmingly named ZDI-CAN-26752, exploits a buffer overflow in GIMP’s ICO file parser. This means that when GIMP opens an ICO file, it first checks the dimensions to allocate enough memory space for processing. The problem is that the program trusts the dimensions declared in the file’s metadata.

It’s like ordering a 50-liter aquarium for your goldfish on Amazon, but the delivery person shows up with an extra 200 liters of water to put in it. Result: your living room is flooded!

Well, that’s exactly what happens here because a malicious ICO file can lie about its size, leading GIMP to allocate insufficient memory, and the surplus data spills over into other parts of memory. Boom, buffer overflow!

This overflow can then be exploited to execute arbitrary code strategically placed within the ICO file. And that’s how an innocent little icon can take control of your machine. Neat, right?

How a Simple Buffer Overflow Can Compromise Your System

But here’s where the story gets really interesting—there is already a fix for this vulnerability! The developers reacted swiftly, and the patch is available in the public Git repository of GIMP. Great news, right? Well, not really…

This situation creates quite the paradox. Indeed, the fix is visible to everyone, including malicious actors who can analyze it to understand exactly how to exploit the vulnerability. Meanwhile, no installable version of GIMP with this fix is available yet!!! Boo! The developers justify this delay by stating that the next version (GIMP 3.0.4) will encompass many other improvements and cannot be rushed. Typical Kombucha drinker behavior…

In short, this “vulnerability window” where everyone knows the issue but no one has access to the fix is one of the trickiest aspects of open-source security. Total transparency but also total visibility for attackers.

And it’s bad news for those still using version 2.x of GIMP, believing they are safe, as similar vulnerabilities have been discovered in these versions (notably CVE-2025-2760 for XWD files). The pattern remains the same… insufficient validation of image dimensions, buffer overflow, arbitrary code execution.

So, what can you do while waiting for GIMP 3.0.4? Here are some straightforward measures:

1. The most obvious: don’t open ICO files with GIMP until the corrected version is released.
2. If you absolutely must work with ICO files, first convert them to PNG via an online service or another tool.
3. For tech-savvy users, you can always manually compile GIMP from the source with the integrated fix.
4. Avoid files from dubious sources (but that advice applies all the time).

Image files have become particularly favored attack vectors, and developers of image parsers have the heavy task of correctly handling often complex and legacy formats while ensuring tight security. It’s a delicate balance to maintain, as evidenced by the numerous vulnerabilities found in recent years in libraries like libjpeg, libpng, or the infamous ImageTragick vulnerability in ImageMagick.

But never let your guard down, even in the face of a simple icon. And while waiting for the official fix in GIMP 3.0.4, adopt the protective measures I’ve outlined, and take this opportunity to review your overall security practices, which could use some improvement.