CVE-2025-26623 — Use After Free in Exiv2

CWE-416 — Use After Free7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

1.1%

top 21.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Debian Exiv2

Timeline

PublishedFeb 18

Latest updateFeb 21

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could pot…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDexiv2/exiv20.28.0 — 0.28.5

▶PyPIexiv2/exiv20.28.0 — 0.28.5

▶debiandebian/exiv2< exiv2 0.28.4+dfsg-2 (forky)

▶Debianexiv2/exiv2< 0.28.4+dfsg-2+1

▶CVEListV5exiv2/exiv2>= 0.28.0, < 0.28.5

🔴Vulnerability Details

GHSA

Exiv2 allows Use After Free↗2025-02-21

▶

OSV

Exiv2 allows Use After Free↗2025-02-21

▶

OSV

CVE-2025-26623: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata↗2025-02-18

▶

CVEList

Use After Free in Exiv2↗2025-02-18

▶

📋Vendor Advisories

Red Hat

exiv2: Use After Free in Exiv2↗2025-02-18

▶

Debian

CVE-2025-26623: exiv2 - Exiv2 is a C++ library and a command-line utility to read, write, delete and mod...↗2025

▶