CVE-2026-3102
Published: 2026-02-24
Priority: P2 (60) · Severity: high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 3.41% (87.4th percentile)
ExifTool up to and including 13.49 on macOS is affected. The function SetMacOSTags in lib/Image/ExifTool/MacOS.pm (component: PNG File Parser) passes an attacker-controlled DateTimeOriginal value to system() without sanitization, which allows OS command injection. The attack can be carried out remotely by getting the victim to process a crafted file (the NVD vector rates it AV:N with user interaction required). A public exploit has been disclosed. Upgrading to version 13.50 fixes the issue (patch e9609a9bcc0d32bd252a709a562fb822d6dd86f7); upgrading the affected component is recommended.
Affected
52 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libimage-exiftool-perl | — | — |
| exiftool_project | exiftool | < 13.50 | 13.50 |
| exiftool_project | exiftool (23 further entries, no version range listed) | — | — |
Detection & IOCs (extracted from sources)
- Monitor invocations of ExifTool (versions ≤ 13.49 on macOS) processing PNG files where the DateTimeOriginal / FileCreateDate metadata field contains shell metacharacters or command-injection payloads; these are passed unsanitized to system() via SetMacOSTags in lib/Image/ExifTool/MacOS.pm.
- Alert on ExifTool spawning unexpected child processes (e.g. shells or network utilities) from within the SetMacOSTags code path, which calls system() with unsanitized $val derived from MDItemFSCreationDate / $FileCreateDate.
- Treat any image file (especially PNG) received from untrusted sources (freelancers, contractors, BYOD) as a potential exploit carrier; isolate ExifTool processing of such files in sandboxed/VM environments with restricted network and storage access.
- The vulnerability is macOS-specific; the SetMacOSTags sink and the system() call it triggers are only exercised on macOS hosts. Linux/Windows ExifTool deployments are not affected by this particular code path.
- Exploitation requires ExifTool to process a crafted file with a malicious DateTimeOriginal value; the attacker-controlled value flows through $FileCreateDate → $val into system(). Detection rules should focus on the metadata field value, not just the file type.
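A scanner for the detection rule above, added here as an example; it is not ExifTool code and not taken from any of the sources quoted on this page. It walks a PNG's text chunks (tEXt, zTXt, iTXt), and flags any value that carries shell metacharacters, plus any date-named field whose value is not a strict EXIF-style timestamp. The keyword list, the metacharacter set and the constructed sample PNGs are assumptions; which chunk and keyword carry the date in a real sample is not stated on this page, so the scanner checks every text chunk rather than one field.

```python
import re
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Shell metacharacters that never belong in a timestamp (assumed set, tuned
# for a detection rule rather than a full shell grammar).
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n]")

# Strict EXIF-style timestamp: YYYY:MM:DD HH:MM:SS with an optional zone.
EXIF_DATE = re.compile(r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?$")

# Field names whose value must be a date (assumed list; the advisory names
# DateTimeOriginal and FileCreateDate as the values that reach system()).
DATE_KEYWORDS = {"DateTimeOriginal", "FileCreateDate", "CreateDate", "Creation Time"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def encode_text(keyword: str, value: str, kind: bytes = b"tEXt"):
    """Encode a keyword/value pair as a tEXt, zTXt or iTXt chunk (type, body)."""
    kw = keyword.encode("latin-1") + b"\x00"
    if kind == b"tEXt":
        return kind, kw + value.encode("latin-1")
    if kind == b"zTXt":  # compression method 0 = deflate
        return kind, kw + b"\x00" + zlib.compress(value.encode("latin-1"))
    if kind == b"iTXt":  # flag 1 (compressed), method 0, empty language and translated keyword
        return kind, kw + b"\x01\x00\x00\x00" + zlib.compress(value.encode("utf-8"))
    raise ValueError(f"unsupported text chunk {kind!r}")


def build_png(text_chunks) -> bytes:
    """Constructed 1x1 RGB PNG carrying the given (type, body) text chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    parts = [PNG_SIG, _chunk(b"IHDR", ihdr)]
    parts += [_chunk(ctype, body) for ctype, body in text_chunks]
    parts += [_chunk(b"IDAT", idat), _chunk(b"IEND", b"")]
    return b"".join(parts)


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk, verifying the signature and every CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_fields(png: bytes):
    """Yield (keyword, value) from every tEXt, zTXt and iTXt chunk."""
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt", b"iTXt"):
            continue
        kw, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":
            text = rest
        elif ctype == b"zTXt":
            text = zlib.decompress(rest[1:])  # skip the compression-method byte
        else:
            compressed = rest[0] == 1
            rest = rest[2:]  # compression flag + method
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if compressed:
                text = zlib.decompress(text)
        enc = "utf-8" if ctype == b"iTXt" else "latin-1"
        yield kw.decode("latin-1"), text.decode(enc, "replace")


def check_value(keyword: str, value: str):
    """Reason string if the value is unsafe for a shell-string sink, else None."""
    if SHELL_META.search(value):
        return "shell metacharacters"
    if keyword in DATE_KEYWORDS and not EXIF_DATE.match(value):
        return "malformed timestamp"
    return None


def find_injection_candidates(png: bytes):
    """List (keyword, value, reason) for every suspicious text field."""
    hits = []
    for keyword, value in text_fields(png):
        reason = check_value(keyword, value)
        if reason:
            hits.append((keyword, value, reason))
    return hits


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for kw, val, why in find_injection_candidates(fh.read()):
                print(f"{path}: {kw!r} = {val!r} ({why})")
```

Run it as `python scan_png.py *.png` on a quarantine directory. The CRC check matters for a detection tool: a file that ExifTool would reject is not a useful hit, and a parser that silently accepts corrupt chunks is itself an attack surface. The "malformed timestamp" rule catches payloads that avoid the listed metacharacters; tune the keyword set to whichever fields your pipeline actually writes back to the filesystem.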
CVSS provenance
- nvd v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- nvd v4.0: 2.1 LOW · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- nvd v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vendor_debian: 5.3 LOW
Debian
CVE-2026-3102: libimage-exiftool-perl · vendor_debian · 2026 · CVSS 5.3 (MEDIUM)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-mr6q-w873-6jfr · ghsa_unreviewed · 2026-02-24 · MEDIUM · CWE-77
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos · blogs_hackernews · 2026-05-25 (CVE-2026-46333)
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Securelist
How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) · blogs_securelist · 2026-05-20 · CVSS 7.8 (HIGH)
Lucas Tay
Table of Contents
Introduction
Technical details
Disclaimer
Tracing the vulnerable sink
Finding an unsanitized date value
Planning the payload delivery
Bypassing the filter
Triggering the exploit
Patch analysis
How to protect against ExifTool vulnerability
Conclusions
## Introduction
ExifTool is a widely adopted utility for reading and writing metadata in image, PDF, audio, and video files. It is available both as a standalone command-line application and as a library that can be embedded in other software. In this article, we break down CVE-2026-3102 , an ExifTool vulnerability discovered by Kaspersky’s Global Research and Analysis Team (GReAT) in February 2026 and patched by the developers within the same month. Affecting macOS systems with Exi
Wiz
CVE-2026-3102 Impact, Exploitability, and Mitigation Steps | Wiz · blogs_wiz · CVSS 5.3 (MEDIUM)
## CVE-2026-3102: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 5.3 (CNA score) · Severity: MEDIUM · Published February 24, 2026
Affected technologies: NixOS, Homebrew
Has public exploit: Yes · In CISA KEV: No
Bugzilla
CVE-2026-46101 kernel: netfilter: reject zero shift in nft_bitwise · bugzilla · 2026-05-27 · LOW
In the Linux kernel, the following vulnerability has been resolved:
netfilter: reject zero shift in nft_bitwise
Reject zero shift operands for nft_bitwise left and right shift
expressions during initialization.
The carry propagation logic computes the carry from the adjacent 32-bit
word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this
into a 32-bit shift, which is undefined behaviour.
Reject zero shift operands in the control plane, alongside the existing
check for values greater than or equal to 32, so malformed rules never
reach the packet path.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2026052705-CVE-2026-46101-3102@gregkh/T
References
- https://github.com/exiftool/exiftool/
- https://github.com/exiftool/exiftool/commit/e9609a9bcc0d32bd252a709a562fb822d6dd86f7
- https://github.com/exiftool/exiftool/releases/tag/13.50
- https://vuldb.com/?ctiid.347528
- https://vuldb.com/?id.347528
- https://vuldb.com/?submit.758146
- https://www.youtube.com/watch?v=akk0vmilfb4
Published: 2026-02-24