KDE Project Security Advisory
=============================

Title:          Krita: Heap-based buffer overflow when parsing TGA files
Risk Rating:    Medium
CVE:            CVE-2025-59820
Versions:       Affected versions of Krita prior to 5.2.13
Author:         KDE Security Team
Date:           29/09/2025

Overview
========

A vulnerability was identified in Krita's TGA file parser that could result in a heap-based buffer overflow during file processing.

Impact
======

Opening a specially crafted TGA file in Krita may trigger a heap-based buffer overflow, potentially leading to an application crash or, in the worst case, code execution.

Workaround
==========

Avoid opening TGA files from unknown sources in Krita until the fix is applied.

Solution
========

Update to the latest release of Krita, 5.2.13, or apply the following patch:

https://commits.kde.org/krita/6d3651ac4df88efb68e013d21061de9846e83fe8

Credits
=======

This issue was reported by Trend Micro.