CVE-2025-6199

Source
https://cve.org/CVERecord?id=CVE-2025-6199
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6199.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6199
Published
2025-06-17T15:15:54.307Z
Modified
2026-04-16T04:30:54.934348077Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
[none]
Details

A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.

Affected packages

Git / gitlab.gnome.org/GNOME/gdk-pixbuf

Affected ranges

Type
GIT
Repo
https://gitlab.gnome.org/GNOME/gdk-pixbuf
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0-NA"
        }
    ]
}

Affected versions

Other
GDK_OBJECT_WITH_PANGO_BRANCHPOINT
GDK_PIXBUF_0_2
GDK_PIXBUF_0_3
GDK_PIXBUF_0_4
GDK_PIXBUF_0_5_0
GDK_PIXBUF_0_6_0
GDK_PIXBUF_0_7_0
GDK_PIXBUF_0_8_0
GTK_0_99_0
GTK_0_99_1
GTK_0_99_10
GTK_0_99_2
GTK_0_99_3
GTK_0_99_4
GTK_0_99_5
GTK_0_99_6
GTK_0_99_7
GTK_0_99_7a
GTK_0_99_8
GTK_0_99_9
GTK_1_0_0
GTK_1_1_0
GTK_1_1_1
GTK_1_1_10
GTK_1_1_11
GTK_1_1_12
GTK_1_1_13
GTK_1_1_14
GTK_1_1_15
GTK_1_1_16
GTK_1_1_2
GTK_1_1_2_MARTIN
GTK_1_1_2a
GTK_1_1_3
GTK_1_1_5
GTK_1_1_6
GTK_1_1_7
GTK_1_1_8
GTK_1_1_9
GTK_1_2_0
GTK_1_3_1
GTK_1_3_10
GTK_1_3_11
GTK_1_3_12
GTK_1_3_13
GTK_1_3_14
GTK_1_3_15
GTK_1_3_2
GTK_1_3_3
GTK_1_3_4
GTK_1_3_5
GTK_1_3_6
GTK_1_3_7
GTK_1_3_8
GTK_1_3_9
GTK_2_0_0
GTK_2_0_0_RC1
GTK_ALL_1_3_6
GTK_BEFORE_GDK_GOBJECT_MERGE
GTK_HP_PATCHES_BRANCHPOINT
GTK_MULTIHEAD_BRANCHPOINT
GTK_MULTIHEAD_MERGE1
GTK_MULTIHEAD_MERGEPOINT_01_02_02
GTK_MULTIHEAD_MERGEPOINT_03_09_01
GTK_MULTIHEAD_MERGEPOINT_05_02_02
GTK_MULTIHEAD_MERGEPOINT_05_03_02
GTK_MULTIHEAD_MERGEPOINT_11_02_02
GTK_MULTIHEAD_MERGEPOINT_18_02_02
GTK_MULTIHEAD_MERGEPOINT_22_01_02
GTK_MULTIHEAD_MERGEPOINT_22_10_01
GTK_MULTIHEAD_MERGEPOINT_26_02_02
GTK_MULTIHEAD_MERGEPOINT_26_09_01
GTK_MULTIHEAD_MERGEPOINT_30_11_01
GTK_MULTIHEAD_MERGPOINT_03_09_01
GTK_PRE_FLICKER
GTK_PRE_NO_FLICKER
GTK_VERSION_1_1_2
Initial
PIXBUF_0_0
PIXBUF_ENGINE_GTK_1_2
SNAP_19971121
SNAP_19971201
gdk-object-branchpoint
merge-to-themes-2-1
merge-to-themes-2-2
merge-to-themes-2-3
merge-to-themes-2-4
merge-to-themes-2-5
merge-to-themes-2-6
nautilus_ms_may_31
pre-themes-merge
start

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6199.json"