CVE-2025-26623
Published: 18 February 2025
Summary
CVE-2025-26623 is a medium-severity Use After Free (CWE-416) vulnerability in Exiv2 Exiv2. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 21.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Exiv2 is a C++ library and command-line utility used to read, write, delete, and modify Exif, IPTC, XMP, and ICC metadata in image files. A heap buffer overflow vulnerability, tracked as CVE-2025-26623 and assigned CWE-416, affects versions 0.28.0 through 0.28.4; earlier releases such as 0.27.7 are unaffected. The flaw is triggered specifically during metadata write operations on a crafted image file.
An attacker can exploit the issue by supplying a malicious image to a victim who then invokes Exiv2 to write metadata, for example by using the fixiso argument in the command-line tool. Successful exploitation can result in code execution on the victim system, though the attack requires user interaction and targets a less common write path rather than the more frequent read operations.
The GitHub security advisory and associated issue confirm that the vulnerability is resolved in version 0.28.5, with users advised to upgrade; no workarounds are available.
EPSS scores remain low, moving only from 0.0110 to a peak of 0.0113 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4463
Vulnerability details
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as…
more
v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The heap buffer overflow in Exiv2 enables arbitrary code execution via a crafted image file processed by the victim, directly mapping to exploitation for client execution (T1203) and user execution of malicious file (T1204.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identification, reporting, and correction of the heap buffer overflow flaw in Exiv2 versions v0.28.0 to v0.28.4 by upgrading to v0.28.5.
Implements memory protections such as ASLR, DEP, and heap safeguards to prevent arbitrary code execution from the heap buffer overflow during Exiv2 metadata writing.
Requires vulnerability scanning to identify deployed vulnerable Exiv2 instances and subsequent remediation to prevent exploitation via crafted image files.