{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27596", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.601Z", "datePublished": "2026-03-02T19:40:48.559Z", "dateUpdated": "2026-03-02T20:25:31.790Z"}, "containers": {"cna": {"title": "Exiv2: Integer Underflow in LoaderNative::getData() Causes Heap Buffer Overflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7"}, {"name": "https://github.com/Exiv2/exiv2/issues/3511", "tags": ["x_refsource_MISC"], "url": "https://github.com/Exiv2/exiv2/issues/3511"}, {"name": "https://github.com/Exiv2/exiv2/pull/3512", "tags": ["x_refsource_MISC"], "url": "https://github.com/Exiv2/exiv2/pull/3512"}, {"name": "https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4"}], "affected": [{"vendor": "Exiv2", "product": "exiv2", "versions": [{"version": "< 0.28.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T19:40:48.559Z"}, "descriptions": [{"lang": "en", "value": "Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8."}], "source": {"advisory": "GHSA-3wgv-fg4w-75x7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:25:12.745500Z", "id": "CVE-2026-27596", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:25:31.790Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27596", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T20:25:12.745500Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:25:20.476Z"}}], "cna": {"title": "Exiv2: Integer Underflow in LoaderNative::getData() Causes Heap Buffer Overflow", "source": {"advisory": "GHSA-3wgv-fg4w-75x7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Exiv2", "product": "exiv2", "versions": [{"status": "affected", "version": "< 0.28.8"}]}], "references": [{"url": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7", "name": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Exiv2/exiv2/issues/3511", "name": "https://github.com/Exiv2/exiv2/issues/3511", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Exiv2/exiv2/pull/3512", "name": "https://github.com/Exiv2/exiv2/pull/3512", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4", "name": "https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T19:40:48.559Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27596", "state": "PUBLISHED", "dateUpdated": "2026-03-02T20:25:31.790Z", "dateReserved": "2026-02-20T19:43:14.601Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-02T19:40:48.559Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:exiv2:exiv2:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E856F04-2C58-41F7-8F09-6313FD6A0D53", "versionEndExcluding": "0.28.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8."}], "id": "CVE-2026-27596", "lastModified": "2026-03-05T22:16:24.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-02T20:16:27.217", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/Exiv2/exiv2/issues/3511"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/Exiv2/exiv2/pull/3512"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "exiv2: Exiv2: Denial of Service via out-of-bounds read in preview component", "id": "2443991", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443991"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "details": ["Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8."], "name": "CVE-2026-27596", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "exiv2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "exiv2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "compat-exiv2-023", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "compat-exiv2-026", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "exiv2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "compat-exiv2-026", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "exiv2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "exiv2", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-02T19:40:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27596\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27596\nhttps://github.com/Exiv2/exiv2/commit/eaa9e21aabe06b3f91cfe66686f5ebc3ca3c0ed4\nhttps://github.com/Exiv2/exiv2/issues/3511\nhttps://github.com/Exiv2/exiv2/pull/3512\nhttps://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7"], "statement": "This is a LOW impact flaw in Exiv2. The vulnerability in the preview component is only triggered when the `exiv2` utility is executed with the `-pp` command-line argument.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.28.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "exiv2", "source": "cna", "vendor": "Exiv2"}, "product": "exiv2", "vendor": "exiv2"}], "analysis": {"en": {"generated_at": "2026-04-16T14:16:54.379618+00:00", "value": {"mitigation_remediation": ["Update Exiv2 to version 0.28.8 or newer, which removes the integer underflow and adds bounds checks in the preview loader.", "If an immediate upgrade is not possible, do not invoke the preview functionality \u2013 omit the \u2013pp flag when running Exiv2; remove it from any scripts that call the utility.", "As a temporary safeguard, validate input dimensions and prevent underflow by ensuring offsets are non\u2011negative before performing calculations, thereby mitigating the risk of heap corruption."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All builds of Exiv2 older than version 0.28.8 that expose the preview functionality run by the \u2013pp flag are affected. The library is available for Linux, macOS, and Windows, so any system that installs or compiles such a vulnerable version and uses the preview option may be impacted.", "description_and_impact": "The Exiv2 library contains an integer underflow in LoaderNative::getData, which allows an out\u2011of\u2011bounds read at a 4\u202fGB offset when the preview feature is forced by the command\u2011line flag \u2013pp. The overread corrupts heap memory and typically leads to a crash. This weakness is categorized as CWE\u2011125 and CWE\u2011191.", "risk_and_exploitability": "The CVSS score of 2.7 indicates a low severity, and the EPSS score of less than 1\u202f% confirms a very low probability of real\u2011world exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local execution of the Exiv2 binary with the preview flag, making the attack vector local. Because the flaw only causes a crash, it constitutes a denial\u2011of\u2011service with limited strategic impact."}}}}, "created": "2026-03-03T08:41:02.319350+00:00", "updated": "2026-04-16T14:30:16.119423+00:00", "vendors": ["exiv2", "exiv2$PRODUCT$exiv2"]}