7.8
Exiv2 Image Parser Reads Data Outside Allowed Range
UBUNTU-CVE-2026-25884
Summary
A security flaw in older versions of the Exiv2 library and utility could allow an attacker to read sensitive data. This issue has been fixed in version 0.28.8. Update to the latest version to ensure security.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | exiv2 | All versions | – |
Original title
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerabili...
Original description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.
Severity scores
- OSV CVSS 4.0: 7.8
- OSV CVSS 3.1: 8.1
References
- https://ubuntu.com/security/CVE-2026-25884 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-25884 Third Party Advisory
- https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp Third Party Advisory
- https://github.com/Exiv2/exiv2/pull/3462 Third Party Advisory
- https://github.com/Exiv2/exiv2/commit/cbba4d206512fe63e12d164fdd1881562f072a9d Third Party Advisory
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026