CVE-2026-27631Uncaught Exception in Exiv2

CWE-248Uncaught Exception11 documents8 sources
Severity
2.7LOWNVD
OSV8.1
EPSS
0.0%
top 89.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Exiv2Debian Exiv2
Timeline
PublishedMar 2
Latest updateMar 31

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

CVEListV5exiv2/exiv2< 0.28.8
debiandebian/exiv2< exiv2 0.28.8+dfsg-1 (forky)
Debianexiv2/exiv2< 0.28.8+dfsg-1
Ubuntuexiv2/exiv2< 0.27.5-3ubuntu1.1+9
NVDexiv2/exiv20.28.8

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
exiv2 regression2026-03-19
OSV
exiv2 vulnerabilities2026-03-18
CVEList
Exiv2: Uncaught exception - cannot create std::vector larger than max_size()2026-03-02
OSV
CVE-2026-27631: Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata2026-03-02

📋Vendor Advisories

4
Ubuntu
Exiv2 regression2026-03-19
Ubuntu
Exiv2 vulnerabilities2026-03-18
Red Hat
Exiv2: Exiv2: Denial of Service via integer overflow in preview component2026-03-02
Debian
CVE-2026-27631: exiv2 - Exiv2 is a C++ library and a command-line utility to read, write, delete and mod...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27631 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-27631 mingw-exiv2: Exiv2: Denial of Service via integer overflow in preview component [fedora-all]2026-03-31