GNOME: Free Software Desktop Project

Products by GNOME Sorted by Most Security Vulnerabilities since 2018

GNOME Glib: 21 vulnerabilities

GNOME Gtk: 14 vulnerabilities

GNOME Epiphany: 10 vulnerabilities

GNOME Gdk Pixbuf: 10 vulnerabilities

GNOME Evolution: 8 vulnerabilities

GNOME Libsoup: 8 vulnerabilities

GNOME Gdkpixbuf: 8 vulnerabilities

Gnome Shell: 5 vulnerabilities

GNOME Libcroco: 4 vulnerabilities

GNOME Librsvg: 4 vulnerabilities

GNOME Libgsf: 2 vulnerabilities

GNOME Gtk Vnc: 2 vulnerabilities

GNOME Balsa: 2 vulnerabilities

GNOME Yelp: 2 vulnerabilities

GNOME Librest: 1 vulnerability

GNOME Screensaver: 1 vulnerability

GNOME Seahorse: 1 vulnerability

GNOME Tracker Miners: 1 vulnerability

GNOME Gvariant Database: 1 vulnerability

GNOME Glade: 1 vulnerability

GNOME: 1 vulnerability

Gnome Time Tracker: 1 vulnerability

Gnome Online Accounts: 1 vulnerability

By the Year

In 2025 there have been 2 vulnerabilities in GNOME, with an average score of 7.0 out of ten. Last year, in 2024, GNOME had 9 security vulnerabilities published. Right now, GNOME is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.85.




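| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2025 | 2               | 6.95          |
| 2024 | 9               | 7.80          |
| 2023 | 10              | 6.78          |
| 2022 | 11              | 7.30          |
| 2021 | 22              | 6.16          |
| 2020 | 16              | 6.26          |
| 2019 | 24              | 6.98          |
| 2018 | 19              | 7.88          |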

It may take a day or so for new GNOME vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent GNOME Security Vulnerabilities

A flaw was found in Yelp

CVE-2025-3155 7.4 - High - April 03, 2025

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

Open Redirect

A flaw was found in libsoup

CVE-2025-2784 6.5 - Medium - April 03, 2025

A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

Out-of-bounds Read

GNOME GLib 2.x SOCKS4 Proxy Buffer Overflow Vulnerability

CVE-2024-52533 - November 11, 2024

gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

GNOME libsoup HTTP Request Smuggling Vulnerability in Header Parsing

CVE-2024-52530 - November 11, 2024

GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.

GNOME libsoup Buffer Overflow Vulnerability in UTF-8 Conversion

CVE-2024-52531 - November 11, 2024

GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response).

GNOME libsoup 3.x WebSocket Infinite Loop and Memory Consumption Vulnerability

CVE-2024-52532 - November 11, 2024

GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption, during the reading of certain patterns of WebSocket data from clients.

An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52

CVE-2024-36474 7.8 - High - October 03, 2024

An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Integer Overflow or Wraparound

An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf)

CVE-2024-42415 7.8 - High - October 03, 2024

An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Integer Overflow or Wraparound

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1

CVE-2024-34397 - May 07, 2024

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox

CVE-2020-36774 - February 19, 2024

plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash).

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10

CVE-2022-48622 7.8 - High - January 26, 2024

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

Memory Corruption

A flaw was found in the tracker-miners package

CVE-2023-5557 7.7 - High - October 13, 2023

A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.

A vulnerability was found in GNOME Shell

CVE-2023-43090 5.5 - Medium - September 22, 2023

A vulnerability was found in GNOME Shell. GNOME Shell's lock screen allows an unauthenticated local user to view windows of the locked desktop session by using keyboard shortcuts to unlock the restricted functionality of the screenshot tool.

A flaw was found in GLib

CVE-2023-32643 7.8 - High - September 14, 2023

A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but does affect GLib distributors who followed the guidance of GLib developers to backport the initial fix for CVE-2023-32665.

Memory Corruption

A flaw was found in GLib

CVE-2023-32611 5.5 - Medium - September 14, 2023

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Resource Exhaustion

A flaw was found in GLib

CVE-2023-32665 5.5 - Medium - September 14, 2023

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Marshaling, Unmarshaling

A flaw was found in GLib

CVE-2023-29499 7.5 - High - September 14, 2023

A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.

Resource Exhaustion

A flaw was found in glib

CVE-2023-32636 7.5 - High - September 14, 2023

A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.

Marshaling, Unmarshaling

CSV Injection vulnerability in GNOME time tracker version 3.0.2

CVE-2023-36250 7.8 - High - September 14, 2023

CSV Injection vulnerability in GNOME time tracker version 3.0.2, allows local attackers to execute arbitrary code via crafted .tsv file when creating a new record.

Injection

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area)

CVE-2023-38633 5.5 - Medium - July 22, 2023

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

Directory traversal

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords

CVE-2023-26081 7.5 - High - February 20, 2023

In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.

Exposure of Resource to Wrong Sphere

A vulnerability was found in GNOME gvdb

CVE-2019-25085 8.8 - High - December 26, 2022

A vulnerability was found in GNOME gvdb. It has been classified as critical. This affects the function gvdb_table_write_contents_async of the file gvdb-builder.c. The manipulation leads to use after free. It is possible to initiate the attack remotely. The name of the patch is d83587b2a364eb9a9a53be7e6a708074e252de14. It is recommended to apply a patch to fix this issue. The identifier VDB-216789 was assigned to this vulnerability.

Dangling pointer

GNOME Nautilus 42.2

CVE-2022-37290 5.5 - Medium - November 14, 2022

GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.

NULL Pointer Dereference

There is an Information Disclosure vulnerability in anjuta/plugins/document-manager/anjuta-bookmarks.c

CVE-2021-42522 7.5 - High - August 25, 2022

There is an Information Disclosure vulnerability in anjuta/plugins/document-manager/anjuta-bookmarks.c. This issue was caused by the incorrect use of libxml2 API. The vendor forgot to call 'g_free()' to release the return value of 'xmlGetProp()'.

Memory Leak

A flaw was found in glib before version 2.63.6

CVE-2021-3800 5.5 - Medium - August 23, 2022

A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.

Information Disclosure

GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8

CVE-2021-46829 7.8 - High - July 24, 2022

GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.

Integer Overflow or Wraparound

Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue

CVE-2021-3982 5.5 - Medium - April 29, 2022

Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine.

Improper Check for Dropped Privileges

In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process)

CVE-2022-29536 7.5 - High - April 20, 2022

In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.

Memory Corruption

A flaw was found in Caribou due to a regression of CVE-2020-25712 fix

CVE-2021-3567 7.5 - High - March 25, 2022

A flaw was found in Caribou due to a regression of CVE-2020-25712 fix. An attacker could use this flaw to bypass screen-locking applications that leverage Caribou as an input mechanism. The highest threat from this vulnerability is to system availability.

Memory Corruption

GNOME OCRFeeder before 0.8.4

CVE-2022-27811 9.8 - Critical - March 24, 2022

GNOME OCRFeeder before 0.8.4 allows OS command injection via shell metacharacters in a PDF or image filename.

Shell injection

A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8

CVE-2021-20315 6.1 - Medium - February 18, 2022

A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the "Application menu" or "Window list" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked.

Improper Locking

GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the LZW compressed stream of image data in GIF files with LZW minimum code size equal to 12.

CVE-2021-44648 8.8 - High - January 12, 2022

GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the LZW compressed stream of image data in GIF files with LZW minimum code size equal to 12.

Memory Corruption

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place

CVE-2021-45085 6.1 - Medium - December 16, 2021

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list.

XSS

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1

CVE-2021-45086 6.1 - Medium - December 16, 2021

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js.

XSS

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used

CVE-2021-45087 6.1 - Medium - December 16, 2021

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a page title.

XSS

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1

CVE-2021-45088 6.1 - Medium - December 16, 2021

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page.

XSS

In GNOME grilo through 0.3.13

CVE-2021-39365 5.9 - Medium - August 22, 2021

In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Improper Certificate Validation

In GNOME libgda through 6.0.0

CVE-2021-39359 5.9 - Medium - August 22, 2021

In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Improper Certificate Validation

In GNOME libzapojit through 0.0.3

CVE-2021-39360 5.9 - Medium - August 22, 2021

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Improper Certificate Validation

In GNOME evolution-rss through 0.3.96

CVE-2021-39361 5.9 - Medium - August 22, 2021

In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Improper Certificate Validation

In GNOME libgfbgraph through 0.2.4

CVE-2021-39358 5.9 - Medium - August 22, 2021

In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

Improper Certificate Validation

GNOME gThumb before 3.10.1

CVE-2020-36427 5.5 - Medium - July 19, 2021

GNOME gThumb before 3.10.1 allows an application crash via a malformed JPEG image.

A flaw was found in gdk-pixbuf in versions before 2.42.0

CVE-2021-20240 8.8 - High - May 28, 2021

A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Integer underflow

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser

CVE-2009-3721 7.8 - High - May 26, 2021

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to write data in arbitrary locations on the filesystem, crash, or potentially execute arbitrary code when decoding attachments.

Directory traversal

A flaw was found in NetworkManager in versions before 1.30.0

CVE-2021-20297 5.5 - Medium - May 26, 2021

A flaw was found in NetworkManager in versions before 1.30.0. Setting match.path and activating a profile crashes NetworkManager. The highest threat from this vulnerability is to system availability.

Improper Input Validation

libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds

CVE-2016-20011 7.5 - High - May 25, 2021

libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync.

Improper Certificate Validation

An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5

CVE-2021-33516 8.1 - High - May 24, 2021

An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tampering, etc.

fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software

CVE-2020-36314 3.9 - Low - April 07, 2021

fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used by GNOME Shell and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-11736.

Directory traversal

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software

CVE-2021-28650 5.5 - Medium - March 17, 2021

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.

insecure temporary file

An issue was discovered in GNOME GLib before 2.66.8

CVE-2021-28153 5.3 - Medium - March 11, 2021

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)

insecure temporary file

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).