CVE-2025-6199

LOW

GdkPixbuf - Exposure of Sensitive Information via GIF LZW Decoder Logic Error

Title source: llm

Description

A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.

References (3)

Core 3

Core References

Third Party Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2025-6199

Issue Tracking, Third Party Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2373147

Mailing List

https://lists.debian.org/debian-lts-announce/2025/06/msg00023.html

Scores

CVSS v3 3.3

EPSS 0.0010

EPSS Percentile 27.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

gnome/gdkpixbuf 2.0.0

Published Jun 17, 2025

Tracked Since Feb 18, 2026