CVE-2025-10922: 
NixOS vulnerability analysis and mitigation

GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability (CVE-2025-10922) was discovered in September 2025. This vulnerability affects GIMP installations and allows remote attackers to execute arbitrary code. The vulnerability was initially reported as ZDI-CAN-27863 and received a CVSS 3.0 score of 7.8 (High) (ZDI Advisory, Ubuntu CVE).

The vulnerability exists within the parsing of DCM (DICOM) files in GIMP. The specific flaw results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. The vulnerability has been assigned a CVSS vector of CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability (Ubuntu CVE).

An attacker can leverage this vulnerability to execute code in the context of the current process, potentially leading to arbitrary code execution. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as high impact according to the CVSS scoring (ZDI Advisory).

GIMP has issued updates to correct this vulnerability across multiple distributions. Debian has released version 2.10.22-4+deb11u3 for Debian 11 bullseye to address this issue. Various other distributions including Ubuntu, Red Hat, and others have also released security updates to patch this vulnerability (Debian LTS).