CVE-2026-27596

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4	Patch
https://github.com/Exiv2/exiv2/issues/3511	Issue Tracking
https://github.com/Exiv2/exiv2/pull/3512	Issue Tracking
https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:exiv2:exiv2:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-02 20:16

Updated : 2026-03-05 22:16

NVD link : CVE-2026-27596

Mitre link : CVE-2026-27596

CVE.ORG link : CVE-2026-27596

JSON object : View

Products Affected

exiv2

exiv2

CWE

CWE-125

Out-of-bounds Read

CWE-191

Integer Underflow (Wrap or Wraparound)

{"id": "CVE-2026-27596", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-02T20:16:27.217", "references": [{"url": "https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Exiv2/exiv2/issues/3511", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Exiv2/exiv2/pull/3512", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}]}], "descriptions": [{"lang": "en", "value": "Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8."}, {"lang": "es", "value": "Exiv2 es una librer\u00eda de C++ y una utilidad de l\u00ednea de comandos para leer, escribir, eliminar y modificar metadatos de imagen Exif, IPTC, XMP e ICC. Antes de la versi\u00f3n 0.28.8, se encontr\u00f3 una lectura fuera de l\u00edmites en Exiv2. La vulnerabilidad est\u00e1 en el componente de vista previa, que solo se activa al ejecutar Exiv2 con un argumento adicional de l\u00ednea de comandos, como -pp. La lectura fuera de l\u00edmites est\u00e1 en un desplazamiento de 4 GB, lo que generalmente provoca que Exiv2 falle. Este problema ha sido parcheado en la versi\u00f3n 0.28.8."}], "lastModified": "2026-03-05T22:16:24.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:exiv2:exiv2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E856F04-2C58-41F7-8F09-6313FD6A0D53", "versionEndExcluding": "0.28.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}