Cyber Resilience

CVE-2025-26623

MediumPublic PoC

Published: 18 February 2025

Published
18 February 2025
Modified
02 September 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0110 78.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26623 is a medium-severity Use After Free (CWE-416) vulnerability in Exiv2 Exiv2. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 21.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Exiv2 is a C++ library and command-line utility used to read, write, delete, and modify Exif, IPTC, XMP, and ICC metadata in image files. A heap buffer overflow vulnerability, tracked as CVE-2025-26623 and assigned CWE-416, affects versions 0.28.0 through 0.28.4; earlier releases such as 0.27.7 are unaffected. The flaw is triggered specifically during metadata write operations on a crafted image file.

An attacker can exploit the issue by supplying a malicious image to a victim who then invokes Exiv2 to write metadata, for example by using the fixiso argument in the command-line tool. Successful exploitation can result in code execution on the victim system, though the attack requires user interaction and targets a less common write path rather than the more frequent read operations.

The GitHub security advisory and associated issue confirm that the vulnerability is resolved in version 0.28.5, with users advised to upgrade; no workarounds are available.

EPSS scores remain low, moving only from 0.0110 to a peak of 0.0113 with no material increase after disclosure.

EU & UK References

Vulnerability details

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A heap buffer overflow was found in Exiv2 versions v0.28.0 to v0.28.4. Versions prior to v0.28.0, such as…

more

v0.27.7, are **not** affected. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `fixiso`. The bug is fixed in version v0.28.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The heap buffer overflow in Exiv2 enables arbitrary code execution via a crafted image file processed by the victim, directly mapping to exploitation for client execution (T1203) and user execution of malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25884Same product: Exiv2 Exiv2
CVE-2026-27596Same product: Exiv2 Exiv2
CVE-2026-27309Shared CWE-416
CVE-2025-21345Shared CWE-416
CVE-2025-21159Shared CWE-416
CVE-2025-24079Shared CWE-416
CVE-2026-27292Shared CWE-416
CVE-2025-13845Shared CWE-416
CVE-2026-21329Shared CWE-416
CVE-2025-27181Shared CWE-416

Affected Assets

exiv2
exiv2
0.28.0 — 0.28.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification, reporting, and correction of the heap buffer overflow flaw in Exiv2 versions v0.28.0 to v0.28.4 by upgrading to v0.28.5.

prevent

Implements memory protections such as ASLR, DEP, and heap safeguards to prevent arbitrary code execution from the heap buffer overflow during Exiv2 metadata writing.

preventdetect

Requires vulnerability scanning to identify deployed vulnerable Exiv2 instances and subsequent remediation to prevent exploitation via crafted image files.

References