CVE-2025-26623
Published: 18 February 2025
Summary
CVE-2025-26623 is a critical-severity Use After Free (CWE-416) vulnerability in Exiv2 Exiv2. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 21.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and correction of the heap buffer overflow flaw in Exiv2 versions v0.28.0 to v0.28.4 by upgrading to v0.28.5.
Implements memory protections such as ASLR, DEP, and heap safeguards to prevent arbitrary code execution from the heap buffer overflow during Exiv2 metadata writing.
Requires vulnerability scanning to identify deployed vulnerable Exiv2 instances and subsequent remediation to prevent exploitation via crafted image files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The heap buffer overflow in Exiv2 enables arbitrary code execution via a crafted image file processed by the victim, directly mapping to exploitation for client execution (T1203) and user execution of malicious file (T1204.002).
NVD Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as…
more
v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysisAI
CVE-2025-26623 is a heap buffer overflow vulnerability (CWE-416) in the Exiv2 C++ library and command-line utility, which handles reading, writing, deleting, and modifying Exif, IPTC, XMP, and ICC metadata in image files. The issue affects Exiv2 versions from v0.28.0 to v0.28.4; earlier versions such as v0.27.7 are not vulnerable. The overflow occurs specifically during metadata writing operations on a crafted image file.
An unauthenticated remote attacker can exploit this vulnerability by providing a maliciously crafted image file and tricking a victim into processing it with Exiv2 using a write operation, such as the `fixiso` command-line argument. Successful exploitation could lead to arbitrary code execution on the victim's system, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites beyond user interaction.
The Exiv2 security advisory (GHSA-38h4-fx85-qcx7) and related GitHub issue (#3168) confirm the vulnerability is fixed in version v0.28.5, recommending that users upgrade immediately. No workarounds are available.
Details
- CWE(s)