Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.
Conclusion & alert: CVE-2015-4491 is rated Moderate Risk (64.9/100): CVSS Medium severity, with high exploitation likelihood (EPSS 8.40%, 94th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +4.71% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 3.69% | 8.40% | +4.71% |
| 2 | 2026-05-13 | 4.30% | 3.69% | -0.60% |
| 3 | 2025-12-28 | — | 4.30% | — |
Full EPSS history (20 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2015-4491 not yet assigned priority: Debian including 2 source packages (gdk-pixbuf, gtk+2.0), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. | https://security-tracker.debian.org/tracker/CVE-2015-4491 |
gentoo
|
normal | CVE-2015-4491: 2 GLSA(s) (201512-05, 201605-06), 7 atom(s) (dev-libs/nspr, dev-libs/nss, …); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2015-4491 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2015-4491 |
suse
|
medium | CVE-2015-4491 severity moderate: SUSE including 515 source package names (MozillaFirefox-102.11.0-150200.152.87.1, MozillaFirefox-115.10.0-150200.152.134.1, …), 960 product×package rows across 103 product lines (HPE Helion OpenStack 8, Image SLES12-SP5-Azure-BYOS, … (103 product lines)): Fixed 628, Known Affected 231, Known Not Affected 101. | https://www.suse.com/security/cve/CVE-2015-4491/ |
ubuntu
|
medium | CVE-2015-4491 medium priority: Ubuntu including 3 source packages (firefox, gdk-pixbuf, thunderbird), 12 status rows across 4 suites (precise, trusty, upstream, vivid): released 11, needed 1. | https://ubuntu.com/security/CVE-2015-4491 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| gnome | gdk-pixbuf | <= 2.31.4 | cpe:2.3:a:gnome:gdk-pixbuf:*:*:*:*:*:*:*:* |
| oracle | solaris | 10 | cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:* |
| oracle | solaris | 11.3 | cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 12.04 | cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 14.04 | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 15.04 | cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:* |
| fedoraproject | fedora | 21 | cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:* |
| fedoraproject | fedora | 22 | cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:* |
| opensuse | opensuse | 13.1 | cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:* |
| opensuse | opensuse | 13.2 | cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:* |