new file mode 100644
@@ -0,0 +1,84 @@
+From f8c00176788240744218e43664cba1cec4092822 Mon Sep 17 00:00:00 2001
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Wed, 31 Dec 2025 14:45:15 +0000
+Subject: [PATCH] plug-ins: Add OoB check for loading XWD
+
+Resolves #15554
+This patch adds a check for if our pointer arithmetic
+exceeds the memory allocated for the dest array. If so,
+we throw an error rather than access memory outside
+the bounds.
+
+CVE: CVE-2026-2048
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/57712677007793118388c5be6fb8231f22a2b341]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ plug-ins/common/file-xwd.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
+index 8ab11c0..c84d70e 100644
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -2103,6 +2103,7 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+ gulong redmask, greenmask, bluemask;
+ guint redshift, greenshift, blueshift;
+ gulong g;
++ guint32 maxval;
+ guchar redmap[256], greenmap[256], bluemap[256];
+ guchar bit_reverse[256];
+ guchar *xwddata, *xwdin, *data;
+@@ -2194,6 +2195,7 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+
+ tile_height = gimp_tile_height ();
+ data = g_malloc (tile_height * width * bytes_per_pixel);
++ maxval = tile_height * width * bytes_per_pixel;
+
+ ncols = xwdhdr->l_colormap_entries;
+ if (xwdhdr->l_ncolors < ncols)
+@@ -2218,6 +2220,8 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+
+ for (tile_start = 0; tile_start < height; tile_start += tile_height)
+ {
++ guint current_dest = 0;
++
+ memset (data, 0, width*tile_height*bytes_per_pixel);
+
+ tile_end = tile_start + tile_height - 1;
+@@ -2241,7 +2245,16 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+ else /* 3 bytes per pixel */
+ {
+ fromright = xwdhdr->l_pixmap_depth-1-plane;
+- dest += 2 - fromright/8;
++ current_dest += 2 - fromright / 8;
++ if (current_dest < maxval)
++ {
++ dest += 2 - fromright / 8;
++ }
++ else
++ {
++ err = 1;
++ break;
++ }
+ outmask = (1 << (fromright % 8));
+ }
+
+@@ -2296,7 +2309,17 @@ load_xwd_f1_d24_b1 (const gchar *filename,
+
+ if (g & inmask)
+ *dest |= outmask;
+- dest += bytes_per_pixel;
++
++ current_dest += bytes_per_pixel;
++ if (current_dest < maxval)
++ {
++ dest += bytes_per_pixel;
++ }
++ else
++ {
++ err = 1;
++ break;
++ }
+
+ inmask >>= 1;
+ }
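Review bot: The check that follows `current_dest += bytes_per_pixel;` in the pixel loop rejects the position exactly equal to `maxval`, yet that is the position the last pixel of a full tile reaches after its advance, with no write following — so a legitimate image would set `err` there; whether the scanline loop actually runs to that point depends on `tile_end` and the row loop, which are outside the hunk, so treat this as inferred. A second weakness is the shadow counter itself: `current_dest` is zeroed once per tile while `dest` is assigned outside the hunk, so the two drift apart if `dest` is reset per plane or per row, whereas `dest - data` cannot drift. Both are addressed by moving the check to the top of each pixel iteration and comparing the pointer offset, as sketched below; a negative `2 - fromright / 8` in the 3-bytes-per-pixel branch then also fails the check, because the offset wraps past `maxval` when cast to `gsize`. Note also that `break` leaves only the innermost loop, and whether `err` is tested by the enclosing loops is not visible in this hunk. The enclosing function `load_xwd_f1_d24_b1` starts and ends outside the hunk.
```c
              /* … unchanged: bit extraction into g / inmask … */

              /* Check at the pixel, not after the advance: landing exactly on
               * maxval after the final pixel is a legitimate end state, and
               * dest - data cannot drift from dest the way a shadow counter can. */
              if ((gsize) (dest - data) >= maxval)
                {
                  err = 1;
                  break;
                }
              if (g & inmask)
                *dest |= outmask;
              dest += bytes_per_pixel;

              inmask >>= 1;
```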
@@ -57,6 +57,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
file://CVE-2026-0797.patch \
file://CVE-2026-2044.patch \
file://CVE-2026-2045.patch \
+ file://CVE-2026-2048.patch \
"
SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-2048

Pick the patch from the relevant upstream issue[1];

[1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15554

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../gimp/gimp/CVE-2026-2048.patch            | 84 +++++++++++++++++++
 meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb |  1 +
 2 files changed, 85 insertions(+)
 create mode 100644 meta-gnome/recipes-gimp/gimp/gimp/CVE-2026-2048.patch