CVE-2025-26623
Published: 18 February 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-26623 is a memory-safety vulnerability in Exiv2, the C++ library and command-line utility for reading, writing, deleting and modifying Exif, IPTC, XMP and ICC metadata in image files. It is classified as CWE-416 (Use After Free); the project's advisory describes the observable fault as a heap buffer overflow. Affected versions are v0.28.0 through v0.28.4; earlier releases such as v0.27.7 are not affected. The overflow is triggered only when Exiv2 writes metadata into a crafted image file; merely reading metadata from the file does not reach the bug.
An attacker exploits the vulnerability by supplying a crafted image file and getting the victim to run a write operation on it with Exiv2, for example the `fixiso` command-line action (which copies the ISO setting into the standard Exif tag and therefore rewrites the file's metadata). Successful exploitation could give arbitrary code execution in the context of the user running Exiv2. The listed CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that the vector's UI:N does not match the attack path described here, which depends on the victim choosing to process the file; the practical exposure is that of a user-assisted file-parsing bug rather than an unauthenticated network service, and the high score should be read with that in mind.
The Exiv2 security advisory (GHSA-38h4-fx85-qcx7) and the related GitHub issue (#3168) confirm that the vulnerability is fixed in v0.28.5; users should upgrade immediately. No workaround is published. Until the upgrade is applied, the only mitigation that follows from the advisory's own description is to avoid write operations (such as `fixiso`) on images from untrusted sources, since the read-only path does not trigger the bug.
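As an added check (not code from the Exiv2 project or from this advisory), the following POSIX shell script decides whether an Exiv2 build falls in the affected range v0.28.0 through v0.28.4. It assumes that the first line printed by `exiv2 --version` begins with `exiv2 X.Y.Z`; when no `exiv2` binary is on PATH it runs against a constructed sample string instead. One caveat a practitioner should keep in mind: distribution packages sometimes backport the fix without changing the upstream version number, so a match here is a prompt to check the package changelog, not proof of exposure.

```shell
#!/bin/sh
# Added example: version-range check for CVE-2025-26623 (Exiv2 v0.28.0..v0.28.4).
# Not part of the Exiv2 project. Assumption: `exiv2 --version` starts with
# "exiv2 X.Y.Z" on its first line.

# Returns 0 (true) when VERSION is within v0.28.0..v0.28.4, 1 otherwise.
# Accepts an optional leading "v". Any non-numeric suffix on the patch field
# (e.g. "0.28.3-2" from a distro package) is dropped; a missing patch field
# is treated as 0. Anything that is not numeric is reported as not affected,
# so callers should check the version was actually parsed.
exiv2_version_affected() {
    ver=${1#v}
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # no minor field at all
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # no patch field
    patch=$(printf '%s\n' "$patch" | sed 's/^\([0-9]*\).*/\1/')
    [ -z "$patch" ] && patch=0
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -eq 0 ] && [ "$minor" -eq 28 ] && [ "$patch" -le 4 ]
}

# Extracts "X.Y.Z" from the text that `exiv2 --version` prints.
# Assumption (not verified against every release): first line is "exiv2 X.Y.Z ...".
exiv2_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^exiv2[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample (not captured from a real binary) used when exiv2 is absent.
SAMPLE_VERSION_OUTPUT='exiv2 0.28.3
(constructed sample: remaining --version output omitted)'

# Checks the installed binary if present, otherwise the sample above.
# Exit status: 0 = in affected range, 1 = outside it, 2 = version not parsed.
check_installed_exiv2() {
    if command -v exiv2 >/dev/null 2>&1; then
        out=$(exiv2 --version 2>/dev/null)
    else
        out=$SAMPLE_VERSION_OUTPUT
    fi
    ver=$(exiv2_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "could not determine exiv2 version from: $(printf '%s\n' "$out" | head -n 1)"
        return 2
    fi
    if exiv2_version_affected "$ver"; then
        echo "exiv2 $ver: in the CVE-2025-26623 affected range (v0.28.0-v0.28.4)."
        echo "Upgrade to v0.28.5 or later; until then avoid write operations such as fixiso on untrusted images."
        return 0
    fi
    echo "exiv2 $ver: outside the affected range as upstream numbers it (distro backports not accounted for)."
    return 1
}

check_installed_exiv2
```

The range test is deliberately strict about the major and minor fields and lenient about the patch suffix, because package managers append their own revision (`0.28.3-2`) while the upstream numbering that the advisory uses has exactly three fields.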
Details
- CWE(s): CWE-416 (Use After Free)
Affected Products
- Exiv2 v0.28.0 through v0.28.4 (fixed in v0.28.5; v0.27.7 and earlier not affected)
MITRE ATT&CK Enterprise Techniques
- T1203: Exploitation for Client Execution
- T1204.002: User Execution: Malicious File
Why these techniques?
The overflow is reached only when the victim processes an attacker-supplied image with an Exiv2 write operation, so the attack is exploitation of a client-side parsing bug (T1203) that depends on the user opening or processing a malicious file (T1204.002).