CVE-2025-10920: 
NixOS vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability was discovered in GIMP, tracked as CVE-2025-10920. The vulnerability exists within the parsing of ICNS files and was discovered by Michael Randrianantenaina. The flaw allows remote attackers to execute arbitrary code on affected installations of GIMP through user interaction, requiring the target to open a malicious file (ZDI Advisory, Ubuntu Security).

The vulnerability stems from improper validation of user-supplied data during ICNS file parsing, which can result in an out-of-bounds write condition. This buffer overflow vulnerability can be leveraged to execute code in the context of the current process. The vulnerability has been assigned a CVSS 3.0 score of 7.8 (High) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code with the privileges of the current process. The impact is considered high for confidentiality, integrity, and availability, though user interaction is required for successful exploitation (Ubuntu Security).

GIMP has released patches to address this vulnerability. The fix was implemented through a merge request and is available in updated versions of the software. Various Linux distributions have also released security updates to address this vulnerability (Debian Security).