Hi!
We are a company using MS Defender and found that CVE-2026-58380 & CVE-2026-58384 are affecting the latest public release of Gimp which at the time or writing is 3.4.2.
When can we expect a release that resolves these vulnerabilities?
The exploits are marked as High and can lead to ACE exploits.
One of the developers said the fix was made on April 11 and 3.2.4 was released April 19, so it should be in version 3.2.4 upwards.
Source: https://gitlab.gnome.org/GNOME/gimp/-/work_items/16216#note_2810989
For what it’s worth, the majority of the CVEs we get are for obscure file formats that are extremely unlikely to be encountered unless you’re doing really specialized work (like converting old files from the 90s to a modern format).
Even then, unless the attacker has also managed to get something else into your computer’s local memory to actually execute, the most these will do is crash the image loading plug-in (but not GIMP itself). We do fix any reported problem as soon as we’re able to be safe, but “High” is a bit extreme in my opinion.