CVE-2025-26623

Name of the Vulnerable Software and Affected Versions: Exiv2 versions v0.28.0 through v0.28.4

Description: A heap buffer overflow was found in Exiv2 when used to write metadata into a crafted image file. This issue can be exploited by an attacker to gain code execution if they can trick the victim into running Exiv2 on a crafted image file. The heap overflow is triggered by a less frequently used Exiv2 operation, which is writing the metadata. For example, to trigger the bug in the Exiv2 command-line application, an extra command-line argument such as fixiso is needed.

Recommendations: For Exiv2 versions v0.28.0 through v0.28.4, update to version v0.28.5 to resolve the issue. As a temporary workaround, consider avoiding the use of Exiv2 for writing metadata until the issue is resolved. Restrict access to crafted image files to minimize the risk of exploitation. Avoid using Exiv2 with untrusted image files until the issue is resolved. At the moment, there are no other known workarounds for this vulnerability.