CVE-2026-25884 — Out-of-bounds Read in Exiv2

CWE-125 — Out-of-bounds Read11 documents8 sources

Severity

2.7LOWNVD

OSV8.1

EPSS

0.1%

top 82.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exiv2 Debian Exiv2

Timeline

PublishedMar 2

Latest updateMar 31

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5exiv2/exiv2< 0.28.8

▶NVDexiv2/exiv2< 0.28.8

▶debiandebian/exiv2< exiv2 0.28.8+dfsg-1 (forky)

▶Debianexiv2/exiv2< 0.28.8+dfsg-1

▶Ubuntuexiv2/exiv2< 0.27.5-3ubuntu1.1+9

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

exiv2 regression↗2026-03-19

▶

OSV

exiv2 vulnerabilities↗2026-03-18

▶

CVEList

Exiv2: Out-of-bounds read in CrwMap::decode0x0805↗2026-03-02

▶

OSV

CVE-2026-25884: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata↗2026-03-02

▶

📋Vendor Advisories

Ubuntu

Exiv2 regression↗2026-03-19

▶

Ubuntu

Exiv2 vulnerabilities↗2026-03-18

▶

Red Hat

Exiv2: Exiv2: Denial of service via out-of-bounds read in CRW image parser↗2026-03-02

▶

Debian

CVE-2026-25884: exiv2 - Exiv2 is a C++ library and a command-line utility to read, write, delete and mod...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25884 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-25884 mingw-exiv2: Exiv2: Denial of service via out-of-bounds read in CRW image parser [fedora-all]↗2026-03-31

▶