CVE-2025-26623
published 2025-02-18


Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.82% (52.5th percentile)
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are **not** affected. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading it. For example, to trigger the bug in the Exiv2 command-line application you need to add an extra command-line argument such as `fixiso` (e.g. `exiv2 fixiso crafted.jpg`); a read-only invocation such as `exiv2 -pa crafted.jpg` does not reach the affected write path. The bug is fixed in version v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exiv2 | < exiv2 0.28.4+dfsg-2 (forky) | exiv2 0.28.4+dfsg-2 (forky) |
| exiv2 | exiv2 | (not stated) | (not stated) |
| exiv2 | exiv2 | >= 0 < 0.28.4+dfsg-2 | 0.28.4+dfsg-2 |
| exiv2 | exiv2 | >= 0 < 0.28.4+dfsg-2 | 0.28.4+dfsg-2 |
| exiv2 | exiv2 | >= 0.28.0 < 0.28.5 | 0.28.5 |
| exiv2 | exiv2 | >= 0.28.0 < 0.28.5 | 0.28.5 |

The `>= 0 < 0.28.4+dfsg-2` rows are Debian package-version ranges; the upstream range `>= 0.28.0 < 0.28.5` is the one that matches the description, which states that releases before v0.28.0 (for example v0.27.7) are not affected.

Detection & IOCs (extracted from sources)

  • The heap overflow is triggered only when Exiv2 is used to WRITE metadata (not read). Monitor for Exiv2 invocations with write-mode arguments such as `fixiso` on image files, especially from untrusted sources.
  • Focus detection on Exiv2 versions v0.28.0 through v0.28.4 — versions prior to v0.28.0 (e.g., v0.27.7) are NOT affected. Alert on process execution of vulnerable Exiv2 builds writing metadata to crafted image files.
  • The vulnerability requires the victim to run Exiv2 on a crafted image file; monitor for Exiv2 processing of unexpected or externally-supplied image files combined with write-mode operations.
  • The bug is only triggered when WRITING metadata, not reading. Read-only Exiv2 usage is not exploitable.
  • Red Hat Enterprise Linux 9 ships a version of exiv2 that is not affected. RHEL 6, 7, and 8 packages are out of support scope.
  • There are no known workarounds; the only remediation is upgrading to v0.28.5 or later.
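Combining the two conditions the description and the detection notes spell out (the exiv2 build is in the v0.28.0 to v0.28.4 range, and the command line would write metadata into the image), the following added example triages process-execution telemetry for exiv2. It is not from the advisory or the Exiv2 project. Assumptions: the pipe-separated log format (timestamp, user, exiv2 version, command line) and the sample lines are constructed for this example; the action and option names are taken from `exiv2 --help` (ad/adjust, pr/print, rm/delete, in/insert, ex/extract, mv/rename, mo/modify, fi/fixiso, fc/fixcom, options such as `-M`), but the split into write-mode and read-only, the treatment of `-a`/`-Y`/`-O`/`-D`/`-c`/`-m`/`-M` as write-implying options, and the untrusted-directory list are this example's own choices.

```python
"""Triage exiv2 process executions for CVE-2025-26623.

Added example; not advisory or Exiv2 project code. Alert only when BOTH
hold: the exiv2 build is in the affected range v0.28.0 <= v < v0.28.5
and the command line would write metadata into the image file.
The sample log at the bottom is constructed for this example."""
import os
import re
import shlex

AFFECTED_MIN = (0, 28, 0)   # first affected upstream release
FIXED = (0, 28, 5)          # fixed release per the advisory

# Action names as listed by `exiv2 --help`. Which of them count as "write"
# is this example's classification: ex/extract and mv/rename touch other
# files but do not write metadata into the image, so they are read-only here.
ACTIONS = {"ad", "adjust", "pr", "print", "rm", "delete", "in", "insert",
           "ex", "extract", "mv", "rename", "mo", "modify",
           "fi", "fixiso", "fc", "fixcom"}
WRITE_ACTIONS = {"ad", "adjust", "rm", "delete", "in", "insert",
                 "mo", "modify", "fi", "fixiso", "fc", "fixcom"}
# Options that take a separate argument (so the next token is not an operand).
OPTS_WITH_ARG = {"-g", "-K", "-n", "-a", "-Y", "-O", "-D", "-p", "-P", "-d",
                 "-i", "-e", "-r", "-c", "-m", "-M", "-l", "-S"}
# Options that only make sense for adjust/modify; their presence is treated
# as write intent even when no action word is given (assumption).
WRITE_IMPLYING_OPTS = {"-a", "-Y", "-O", "-D", "-c", "-m", "-M"}
# Hypothetical directories where externally supplied images land.
UNTRUSTED_PREFIXES = ("/srv/uploads/", "/var/spool/incoming/")


def parse_version(text):
    """'0.28.4+dfsg-2' -> (0, 28, 4); distro suffixes are ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable exiv2 version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED


def classify_argv(argv):
    """Split an exiv2 argv into mode ('write'/'read'), action and operands."""
    action, write, operands = None, False, []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            flag = tok[:2]
            if flag in WRITE_IMPLYING_OPTS:
                write = True
            if flag in OPTS_WITH_ARG and len(tok) == 2:
                i += 1          # value is the next token; skip it
        elif action is None and tok in ACTIONS:
            action = tok
            write = write or tok in WRITE_ACTIONS
        else:
            operands.append(tok)
        i += 1
    return {"mode": "write" if write else "read",
            "action": action, "files": operands}


def triage(log_text):
    """Return alerts for write-mode invocations of an affected exiv2 build."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, version, cmdline = line.split("|", 3)
        argv = shlex.split(cmdline)
        if not argv or os.path.basename(argv[0]) != "exiv2":
            continue
        info = classify_argv(argv)
        if info["mode"] != "write" or not is_affected_version(version):
            continue
        untrusted = any(f.startswith(UNTRUSTED_PREFIXES) for f in info["files"])
        alerts.append({"ts": ts, "user": user, "version": version,
                       "action": info["action"], "files": info["files"],
                       "severity": "high" if untrusted else "medium"})
    return alerts


# Constructed sample telemetry: timestamp|user|exiv2 version|command line
SAMPLE_LOG = """\
2025-02-19T10:01:05Z|alice|0.28.4|exiv2 -pa /srv/uploads/img_1.jpg
2025-02-19T10:02:11Z|batch|0.28.4|exiv2 fixiso /srv/uploads/img_1.jpg
2025-02-19T10:03:42Z|batch|0.28.4+dfsg-1|exiv2 -M "set Exif.Photo.UserComment charset=Ascii ok" /srv/uploads/img_2.jpg
2025-02-19T10:04:00Z|bob|0.27.7|exiv2 fixiso /home/bob/dsc_001.jpg
2025-02-19T10:05:30Z|batch|0.28.5|exiv2 rm /srv/uploads/img_1.jpg
2025-02-19T10:06:12Z|carol|0.28.2|exiv2 -c "vacation" /home/carol/beach.jpg
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['ts']} {a['user']} v{a['version']} "
              f"action={a['action']} files={a['files']}")
```

On the sample log only three lines alert: the `fixiso` and `-M` runs on an affected build against files under the untrusted upload directory (high), and the `-c` comment write on v0.28.2 against a home-directory file (medium). The read-only `-pa` run on v0.28.4, the `fixiso` run on the unaffected v0.27.7, and the `rm` run on the fixed v0.28.5 are suppressed, which is the point of gating on both conditions rather than on the binary name alone.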

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | (not stated) | 5.3 | MEDIUM | (not stated) |
| vendor_debian | (not stated) | 5.3 | LOW | (not stated) |
| vendor_redhat | (not stated) | 5.3 | MEDIUM | (not stated) |

The 9.8 v3.1 score rates the bug as remotely exploitable with no user interaction, whereas the v4.0 vector (UI:P, VC:L/VI:L/VA:L) and the 5.3 vendor scores reflect what the description actually states: the victim has to be induced to run a write-mode Exiv2 operation on a crafted file. Prioritise by whether externally supplied images ever reach a write-mode Exiv2 invocation in your environment, not by the headline 9.8 alone.