CVE-2025-59820: 
Linux Debian 脆弱性の分析と軽減

A heap-based buffer overflow vulnerability (CVE-2025-59820) was discovered in Krita's TGA file parsing functionality affecting versions prior to 5.2.13. The vulnerability was reported on September 5, 2025, and publicly disclosed on October 27, 2025. The issue received a CVSS score of 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory, KDE Advisory).

The vulnerability exists within the parsing of TGA files in Krita. The specific flaw stems from the lack of proper validation of the length of user-supplied data before copying it to a heap-based buffer. This implementation flaw could allow an attacker to trigger a heap-based buffer overflow condition (ZDI Advisory).

The successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code in the context of the current process. User interaction is required as the target must open a malicious TGA file. The vulnerability could potentially lead to application crashes or code execution in worst-case scenarios (ZDI Advisory, KDE Advisory).

The primary mitigation is to update to Krita version 5.2.13 or later, which contains the fix for this vulnerability. As a temporary workaround, users are advised to avoid opening TGA files from unknown sources until the fix can be applied. A patch has been made available at the KDE repository (KDE Advisory).