Vulnerability Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Exiv2 | Exiv2 | < 0.28.8 |
Related Weaknesses (CWE)
References
- https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4Patch
- https://github.com/Exiv2/exiv2/issues/3511Issue Tracking
- https://github.com/Exiv2/exiv2/pull/3512Issue Tracking
- https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7PatchVendor Advisory
FAQ
What is CVE-2026-27596?
CVE-2026-27596 is a vulnerability with a CVSS score of 7.5 (HIGH). Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulne...
How severe is CVE-2026-27596?
CVE-2026-27596 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27596?
Check the references section above for vendor advisories and patch information. Affected products include: Exiv2 Exiv2.