Exiv2 Image Parser Can Read Outside Its Allowed Memory Area
CVE-2026-25884
Summary
A security issue exists in Exiv2 versions before 0.28.8: an out-of-bounds read in the CRW image parser. An attacker could potentially cause the library to read memory outside the buffer it is allowed to access and so obtain sensitive data that is not meant to be accessed. Update to version 0.28.8 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| exiv2 | exiv2 | <= 0.28.8 | – |
Original title
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerabili...
Original description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.
Severity scores
| Source | Metric | Score |
|---|---|---|
| NVD | CVSS 3.1 | 8.1 |
| NVD | CVSS 4.0 | 2.7 |
Vulnerability type
CWE-125: Out-of-bounds Read
References
- https://github.com/Exiv2/exiv2/commit/cbba4d206512fe63e12d164fdd1881562f072a9d (Patch)
- https://github.com/Exiv2/exiv2/pull/3462 (Issue Tracking, Patch)
- https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp (Exploit, Vendor Advisory)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026