CVE-2026-25884

EUVD-2026-9259
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
exiv2exiv2
𝑥
< 0.28.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
exiv2
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
0.28.8+dfsg-1
fixed
sid
0.28.8+dfsg-1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/Exiv2/exiv2/commit/cbba4d206512fe63e12d164fdd1881562f072a9d
https://github.com/Exiv2/exiv2/pull/3462
https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp