CVE-2026-32775
Published: 16 March 2026
Summary
CVE-2026-32775 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Libexif Project Libexif. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer underflow enables local memory corruption/RCE in EXIF-parsing apps (no privs, UI:N) matching local priv-esc and client-side exploitation vectors.
NVD Description
libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow.
Deeper analysisAI
CVE-2026-32775 is an integer underflow vulnerability in the libexif library, specifically in the exif_mnote_data_get_value function during MakerNotes decoding. When a zero size is passed, the function causes an underflow that overwrites the input buffer. The flaw affects libexif versions through 0.6.25 and is classified under CWE-191 (Integer Underflow), with a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. Successful exploitation leads to high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution or system compromise via crafted EXIF data processed by affected applications.
Mitigation is available via a patch in libexif commit 7df372e9d31d7c993a22b913c813a5f7ec4f3692, as detailed in GitHub issue #247. Security practitioners should update to a patched version of libexif and audit dependent applications that parse EXIF metadata from untrusted sources.
Details
- CWE(s)