CVE-2026-25884
Published: 02 March 2026
Summary
CVE-2026-25884 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Exiv2. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability is ranked at the 19.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely patching and remediation of the out-of-bounds read vulnerability in Exiv2 by upgrading to version 0.28.8 or later.
- SI-16 (Memory Protection): implements memory protection mechanisms such as ASLR and DEP to limit exploitation of the out-of-bounds read for information disclosure or denial of service.
- SI-10 (Information Input Validation): requires validation of image inputs prior to parsing so that malformed CRW files that trigger the vulnerability are rejected.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in the image parser is triggered when a user processes a malicious CRW file (T1204.002), which is commonly delivered as a phishing attachment (T1566.001); the same crafted input also directly enables application denial of service (T1499.004).
NVD Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.
Deeper analysis
CVE-2026-25884 is an out-of-bounds read vulnerability (CWE-125) affecting Exiv2, a C++ library and command-line utility for reading, writing, deleting, and modifying Exif, IPTC, XMP, and ICC image metadata. The flaw resides in the CRW image parser and impacts all versions prior to 0.28.8. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating high severity due to potential impacts on confidentiality and availability.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring only user interaction such as processing a malicious CRW image file via the Exiv2 library or utility. Successful exploitation enables high-impact confidentiality violations, such as disclosure of sensitive memory contents, and high-impact availability disruptions, like application crashes or denial of service, without affecting integrity.
Mitigation is available through upgrading to Exiv2 version 0.28.8 or later, where the issue has been patched. Relevant resources include the fixing commit at https://github.com/Exiv2/exiv2/commit/cbba4d206512fe63e12d164fdd1881562f072a9d, the associated pull request at https://github.com/Exiv2/exiv2/pull/3462, and the security advisory at https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp.
Details
- CWE(s): CWE-125 (Out-of-bounds Read)