CVE-2025-10923: 
Linux Debian vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2025-10923) was discovered in GIMP's WBMP (Wireless Bitmap) file parsing functionality. The vulnerability was disclosed on September 24, 2025, and affects GIMP installations. This vulnerability is tracked as ZDI-CAN-27878 and has been assigned a CVSS score of 7.8 (ZDI Advisory).

The vulnerability stems from an integer overflow condition during the parsing of WBMP files. The specific flaw exists due to the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. The vulnerability has been assigned a CVSS v3.0 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (ZDI Advisory).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code in the context of the current process on affected installations of GIMP. The attack requires user interaction, specifically opening a malicious WBMP file or visiting a malicious page (ZDI Advisory).

GIMP has released updates to address this vulnerability. For the Debian stable distribution (trixie), the fix has been implemented in version 3.0.4-3+deb13u1. Users are recommended to upgrade their GIMP packages to the latest version (Debian Advisory).