Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20410-1 advisory.

    Update to exiv2 0.28.8:

    - CVE-2024-24826: out-of-bounds read in QuickTimeVideo: NikonTagsDecoder (bsc#1219870).
    - CVE-2024-25112: denial of service due to unbounded recursion in QuickTimeVideo: multipleEntriesDecoder     (bsc#1219871).
    - CVE-2024-39695: out-of-bounds read in AsfVideo: streamProperties (bsc#1227528).
    - CVE-2025-26623: heap buffer overflow via writing metadata into a crafted image file (bsc#1237347).
    - CVE-2025-54080: out-of-bounds read in `Exiv2: EpsImage: writeMetadata()` when writing metadata into a     crafted image       file (bsc#1248962).
    - CVE-2025-55304: quadratic performance algorithm in the ICC profile parsing code of `JpegBase:
    readMetadata`       (bsc#1248963).
    - CVE-2026-25884: out-of-bounds read in `CrwMap: decode0x0805` (bsc#1259083).
    - CVE-2026-27596: integer overflow in `LoaderNative: getData()` leads to out-of-bounds read (bsc#1259084).
    - CVE-2026-27631: crash due to uncaught exception when trying to create `std: vector` larger than     `max_size()`       (bsc#1259085).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:7457 advisory.

    * exiv2: Use After Free in Exiv2 (CVE-2025-26623)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1049 advisory.

    Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and     ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior     to v0.28.0, such as v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for     reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when     Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the     vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image     file. Note that this bug is only triggered when writing the metadata, which is a less frequently used     Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line     application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version     v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    (CVE-2025-26623)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 10 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2025-7457 advisory.

    [0.28.3-3.2]
    - Revert: remove rpath patch       Resolves: RHEL-80106
    - Fix CVE-2025-26623 exiv2: Use After Free       Resolves: RHEL-80106

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0188 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2025-26623:
    Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and     ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior     to v0.28.0, such as v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for     reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when     Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the     vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image     file. Note that this bug is only triggered when writing the metadata, which is a less frequently used     Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line     application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version     v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:7457 advisory.

    Exiv2 is a C++ library to access image metadata, supporting read and write access to the Exif, IPTC and     XMP metadata, Exif MakerNote support, extract and delete methods for Exif thumbnails, classes to access     Ifd, and support for various image formats.

    Security Fix(es):

    * exiv2: Use After Free in Exiv2 (CVE-2025-26623)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6ae77556-f31d-11ef-a695-4ccc6adda413 advisory.

    Kevin Backhouse reports:
    A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4.
              Versions prior to v0.28.0, such as v0.27.7, are not affected. Exiv2 is a               command-line utility and C++ library for reading, writing, deleting, and               modifying the metadata of image files. The heap overflow is triggered when               Exiv2 is used to write metadata into a crafted image file. An attacker               could potentially exploit the vulnerability to gain code execution, if               they can trick the victim into running Exiv2 on a crafted image file.
    Note that this bug is only triggered when writing the metadata, which               is a less frequently used Exiv2 operation than reading the metadata. For               example, to trigger the bug in the Exiv2 command-line application, you               need to add an extra command-line argument such as fixiso.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
304230	openSUSE 16 Security Update : exiv2 (openSUSE-SU-2026:20410-1)	Nessus	SuSE Local Security Checks	medium
269242	RockyLinux 10 : exiv2 (RLSA-2025:7457)	Nessus	Rocky Linux Local Security Checks	medium
241766	Amazon Linux 2023 : exiv2, exiv2-devel, exiv2-libs (ALAS2023-2025-1049)	Nessus	Amazon Linux Local Security Checks	medium
240866	Oracle Linux 10 : exiv2 (ELSA-2025-7457)	Nessus	Oracle Linux Local Security Checks	medium
239520	TencentOS Server 4: exiv2 (TSSA-2025:0188)	Nessus	Tencent Local Security Checks	medium
237858	RHEL 10 : exiv2 (RHSA-2025:7457)	Nessus	Red Hat Local Security Checks	medium
216779	FreeBSD : exiv2 -- Use after free in TiffSubIfd (6ae77556-f31d-11ef-a695-4ccc6adda413)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2025-26623

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium