CVE-2025-6199 — Sensitive Information Exposure in Gdkpixbuf

CWE-200 — Sensitive Information Exposure9 documents8 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 75.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Gdk-pixbuf Gnome Gdkpixbuf

Timeline

PublishedJun 17

Latest updateJul 22

Description

A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

▶Debiangnome/gdk-pixbuf< 2.42.2+dfsg-1+deb11u3+3

▶Ubuntugnome/gdk-pixbuf< 2.42.8+dfsg-1ubuntu0.4+4

▶NVDgnome/gdkpixbuf2.0.0

🔴Vulnerability Details

OSV

gdk-pixbuf vulnerabilities↗2025-07-22

▶

OSV

CVE-2025-6199: A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder↗2025-06-17

▶

CVEList

Gdk-pixbuf: uninitialized memory disclosure in gdkpixbuf gif lzw decoder↗2025-06-17

▶

GHSA

GHSA-h3qh-mvr3-r7x7: A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder↗2025-06-17

▶

📋Vendor Advisories

Ubuntu

GDK-PixBuf vulnerabilities↗2025-07-22

▶

Red Hat

gdk-pixbuf: Uninitialized Memory Disclosure in GdkPixbuf GIF LZW Decoder↗2025-06-17

▶

Microsoft

Gdk-pixbuf: uninitialized memory disclosure in gdkpixbuf gif lzw decoder↗2025-06-10

▶

Debian

CVE-2025-6199: gdk-pixbuf - A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid s...↗2025

▶