PT-2026-37303 · Unknown · Exiftool-Vendored
Dobby153
·
Published
2026-05-05
·
Updated
2026-05-11
·
CVE-2026-43893
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
exiftool-vendored versions prior to 35.19.0
Description
Certain strings provided by the caller are interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return within these strings can split a single intended argument into multiple arguments, leading to argument injection. This occurs because the software starts ExifTool in a mode where arguments are read from stdin one per line. This issue allows an attacker to force ExifTool to read files accessible to the process or write output to attacker-chosen file system paths. The issue specifically affects tag-name arguments (tag keys), filename or path arguments, and the
imageHashType option. Affected functions include ExifTool#write(), ExifTool#read(), ExifTool#readRaw(), ExifTool#deleteAllTags(), ExifTool#rewriteAllTags(), ExifTool#extractBinaryTag(), ExifTool#extractBinaryTagToBuffer(), ExifTool#extractJpgFromRaw(), ExifTool#extractPreview(), and ExifTool#extractThumbnail().Recommendations
Update to version 35.19.0 or later.
As a temporary workaround, reject untrusted strings containing control characters before passing them to the affected APIs, specifically for tag names,
retain or numericTags entries, binary-extraction tag names, filenames, and the imageHashType option.Fix
RCE
Argument Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Exiftool-Vendored