Cyber Posture

CVE-2026-40385

Medium

Published: 12 April 2026

Published
12 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score 4.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
EPSS Score 0.0001 2.6th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40385 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Libexif Project Libexif. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the integer overflow flaw in libexif through 0.6.25, directly preventing crashes and information leaks on 32-bit systems.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Vulnerability scanning and monitoring detects deployments of the vulnerable libexif library on 32-bit systems.

SI-10 Information Input Validation partial match
prevent

Validates malformed EXIF inputs, including Nikon MakerNote data, to block triggers of the unsigned 32-bit integer overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Integer overflow enables local exploitation causing application crashes, directly aligning with T1499.004 Application or System Exploitation for DoS; info leak does not map to any specific technique.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems.

Deeper analysisAI

CVE-2026-40385 is an unsigned 32-bit integer overflow in the Nikon MakerNote handling functionality of libexif through version 0.6.25. This vulnerability, classified as CWE-190, affects only 32-bit systems and carries a CVSS v3.1 base score of 4.0 (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L). It was published on 2026-04-12.

Local attackers can exploit this issue to trigger crashes or information leaks in applications using the affected libexif code. Exploitation requires local access, high attack complexity, no privileges, and no user interaction. Successful attacks result in low-impact confidentiality loss or availability disruption, with no integrity impact and unchanged scope.

The libexif project mitigates this vulnerability through a specific commit available at https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58. Security practitioners should update libexif beyond version 0.6.25 on 32-bit systems to apply the fix.

Details

CWE(s)
CWE-190

Affected Products

libexif project
libexif
≤ 0.6.25

CVEs Like This One

CVE-2026-40386Same product: Libexif Project Libexif
CVE-2026-32775Same product: Libexif Project Libexif
CVE-2026-35092Shared CWE-190
CVE-2026-33040Shared CWE-190
CVE-2026-33666Shared CWE-190
CVE-2026-24173Shared CWE-190
CVE-2026-33662Shared CWE-190
CVE-2026-27951Shared CWE-190
CVE-2026-31814Shared CWE-190
CVE-2026-20639Shared CWE-190

References