In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds read) via a crafted file.
https://access.redhat.com/errata/RHSA-2019:2101
https://github.com/Exiv2/exiv2/issues/246
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html