CVE-2026-27631

low-risk

Published 2026-03-02

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Exiv2

Affected Vendors

Exiv2

References (4)

Patch https://github.com/Exiv2/exiv2/commit/659db316eef745899a778a1e0b760a971d1b69df

Issue Tracking https://github.com/Exiv2/exiv2/issues/3513

Issue Tracking https://github.com/Exiv2/exiv2/pull/3514

Patch https://github.com/Exiv2/exiv2/security/advisories/GHSA-p2pw-7935-c73j

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal