This Red Hat security advisory addresses six vulnerabilities in GIMP 3.0.4 for Red Hat Enterprise Linux 9 that could lead to memory disclosure, denial of service, or remote code execution. The flaws stem from integer overflows and improper parsing of various image file formats (PCX, XPM, ANI, JP2, PSD, PSP). Specifically, CVE-2026-4887 involves memory disclosure and denial of service via PCX images; CVE-2026-4154 and CVE-2026-4151 involve integer overflows in XPM and ANI file parsing respectively; CVE-2026-4152 and CVE-2026-4153 concern remote code execution via JP2 and PSP file parsing; and CVE-2026-4150 involves arbitrary code execution via specially crafted PSD files. Red Hat has released updated packages to fix these issues as detailed in advisory RHSA-2026:16484.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on systems processing malicious image files with GIMP, potentially leading to full system compromise. Additionally, one vulnerability could cause memory disclosure and denial of service, impacting system availability and confidentiality. These issues affect Red Hat Enterprise Linux 9 installations using the vulnerable GIMP package. No evidence of active exploitation in the wild has been reported.

Red Hat has released updated GIMP packages for Red Hat Enterprise Linux 9 that address all identified vulnerabilities. Users should apply these official updates promptly following Red Hat's guidance at https://access.redhat.com/articles/11258 to remediate the issues. No alternative mitigations or workarounds are specified in the advisory. Patch status is confirmed as fixed by Red Hat's official update.