CVE-2025-59820

Dec. 6, 2025, 3:15 a.m.

6.7
Medium

Description

In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative.

Product(s) Impacted

Product Versions
krita
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1284
Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

References

https://invent.kde.org/graphics/krita/
https://invent.kde.org/graphics/krita/-/commit/6d3651ac4df88efb68e013d21061de9846e83fe8
https://kde.org/info/security/advisory-20250929-1.txt
https://lists.debian.org/debian-lts-announce/2025/12/msg00006.html

Tags

cve@mitre.org
CWE-1284
2025-11-26
CVE-2025-59820

CVSS Score

6.7 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

    View Vector String

Timeline

Published: Nov. 26, 2025, 6:15 a.m.
Last Modified: Dec. 6, 2025, 3:15 a.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.