Command Injection Vulnerability in ExifTool PNG Parser on macOS
CVE-2026-3102

5.3 MEDIUM

Key Information:

Vendor: ExifTool
Status: Vendor
CVE Published: 24 February 2026

What is CVE-2026-3102?

CVE-2026-3102 is a command injection vulnerability (CWE-78) in ExifTool, the widely used Perl library and command-line tool for reading, writing and editing metadata in image and other media files. It affects ExifTool releases up to and including 13.49 when run on macOS, and the advisory attributes it to the PNG File Parser component. The weakness lies in the handling of the DateTimeOriginal value in the SetMacOSTags function in lib/Image/ExifTool/MacOS.pm. Command injection of this kind means the tag value reaches a shell command line without its shell metacharacters being neutralised, so a crafted value can terminate the intended command and append commands of the attacker's choosing, which then run with the privileges of the ExifTool process. The attacker-controlled input is the metadata value itself: an attacker who can get ExifTool on a macOS host to write a value they chose (for example through a service that applies user-submitted metadata to files) can execute arbitrary commands on that host. Because ExifTool is embedded in many metadata-management workflows, often unattended, organisations that run it on macOS with untrusted input should treat this as a significant risk.
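As an added illustration of the vulnerability class (constructed example code; it is not ExifTool's own code and does not reproduce the affected SetMacOSTags routine), the Python block below contrasts a tag value interpolated into a shell command string with the same value passed as a discrete argument, and shows the format check a writer should apply before any DateTimeOriginal value gets near a command line. It assumes a POSIX shell and substitutes echo for the real file-attribute tool so that it runs anywhere; the date strings, the file name and the INJECTED marker are constructed inputs.

```python
import re
import shlex
import subprocess

# Constructed inputs for the demonstration (not taken from the advisory).
BENIGN_DATE = "2024:01:15 10:30:00"
# A value carrying shell metacharacters: it closes the single-quoted argument,
# runs a second command, then re-opens a quote so the rest of the line parses.
INJECTED_DATE = "2024:01:15 10:30:00' ; echo INJECTED ; '"
TARGET_FILE = "photo.png"

# EXIF DateTimeOriginal is exactly "YYYY:MM:DD HH:MM:SS"; anything else is
# rejected before it can reach a command line.
_DATETIME_RE = re.compile(r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}$")


def is_valid_exif_datetime(value: str) -> bool:
    """Strict whitelist check on the tag value."""
    return bool(_DATETIME_RE.fullmatch(value))


def set_creation_date_vulnerable(value: str, path: str) -> str:
    """Interpolates the tag value into a shell command string (CWE-78 pattern).

    'echo' stands in for the real system tool so the example runs anywhere;
    the shell still parses the string exactly as it would for a real command.
    Returns whatever the shell wrote to stdout.
    """
    cmd = f"echo setfile -d '{value}' '{path}'"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def set_creation_date_hardened(value: str, path: str) -> str:
    """Validates the value, then passes it as one argv element with no shell.

    Metacharacters in the value are inert because nothing parses them.
    Perl's list-form system() gives the same guarantee.
    """
    if not is_valid_exif_datetime(value):
        raise ValueError(f"rejected tag value: {value!r}")
    proc = subprocess.run(["echo", "setfile", "-d", value, path],
                          capture_output=True, text=True)
    return proc.stdout


def hardened_rejects(value: str, path: str) -> bool:
    """True if the hardened writer refuses the value."""
    try:
        set_creation_date_hardened(value, path)
    except ValueError:
        return True
    return False


def quoted_for_shell(value: str, path: str) -> str:
    """Fallback when a shell string is unavoidable: quote every argument."""
    return "setfile -d " + " ".join(shlex.quote(a) for a in (value, path))


def run_quoted_for_shell(value: str, path: str) -> str:
    """Runs the quoted form through the shell (again via echo) and returns stdout."""
    proc = subprocess.run("echo " + quoted_for_shell(value, path),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # The interpolated form prints INJECTED on a line of its own: the second
    # command ran. The quoted and argv forms print it only inside the argument.
    print(set_creation_date_vulnerable(INJECTED_DATE, TARGET_FILE))
    print(run_quoted_for_shell(INJECTED_DATE, TARGET_FILE))
    print("hardened rejects injected value:",
          hardened_rejects(INJECTED_DATE, TARGET_FILE))
    print(set_creation_date_hardened(BENIGN_DATE, TARGET_FILE))
```

The expected DateTimeOriginal format is narrow enough that the whitelist check alone blocks every injection attempt; passing the value as a separate argv element is the structural fix that holds even if validation is later loosened, and shlex.quote (or Perl's equivalent escaping) is only for the case where a shell string cannot be avoided.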

Potential Impact of CVE-2026-3102

  1. Remote Command Execution: The most serious consequence is that an attacker-chosen command runs on the vulnerable macOS host with the privileges of the process that invoked ExifTool. Where that process is a web application, upload handler or worker account with broad access, this is a full compromise of the machine: the attacker can read or modify files, reach credentials and data available to that account, or stage further malware.

  2. Data Integrity Risks: Once commands execute, nothing the ExifTool process can write remains trustworthy. This includes the metadata and the image files it was processing, but also any other files, configuration or records the account can reach, so downstream business processes that depend on accurate metadata or untampered files can be silently corrupted.

  3. Widespread Exploitation Potential: ExifTool is commonly embedded in automated pipelines (upload processing, asset management, forensic and archival tooling) that handle untrusted files without human review. A single crafted value submitted once can be processed by every macOS host in such a pipeline, and from a compromised host the attacker can move on to connected systems, so the exposure is organisation-wide rather than limited to one workstation.

Affected Version(s)

The description above gives the affected range as all releases up to and including 13.49 on macOS; the listing below is partial. Check the installed release with exiftool -ver.

exiftool 13.0

exiftool 13.1

exiftool 13.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

The Low impact ratings reflect the advisory's baseline assumptions, not the worst case: where ExifTool runs unattended under a privileged or widely trusted account, command execution means full compromise of that host, so re-score the issue for your own deployment rather than relying on the 5.3 base score.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

owl4444 (VulDB User)