Heap Buffer Overflow in Exiv2 Command-Line Utility and C++ Library
CVE-2025-26623

5.3 MEDIUM

Key Information:

Vendor: Exiv2

Status: Vendor

CVE Published: 18 February 2025

What is CVE-2025-26623?

A heap buffer overflow vulnerability exists in Exiv2, a C++ library and command-line utility for manipulating image metadata. The flaw affects versions v0.28.0 through v0.28.4 and is reached when the library is used to write metadata into a specially crafted image file. An attacker could exploit it to potentially execute arbitrary code if the victim inadvertently runs Exiv2 against a malicious image. The issue is triggered only by specific command-line arguments, such as fixiso, so users should prioritize upgrading to version v0.28.5, which addresses the flaw. No workarounds are available for this vulnerability.

Affected Version(s)

exiv2 >= 0.28.0, < 0.28.5

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
