CVE-2025-54080
Publication date 29 August 2025
Last updated 18 March 2026
Ubuntu priority
Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
Why is this CVE low priority?
This is just an out of bounds read when writing metadata to a bad file
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| exiv2 | 25.10 questing |
Fixed 0.28.5+dfsg-1ubuntu0.1
|
| 24.04 LTS noble |
Fixed 0.27.6-1ubuntu0.1
|
|
| 22.04 LTS jammy |
Fixed 0.27.5-3ubuntu1.1
|
|
| 20.04 LTS focal |
Fixed 0.27.2-8ubuntu2.7+esm1
|
|
| 18.04 LTS bionic |
Fixed 0.25-3.1ubuntu0.18.04.11+esm1
|
|
| 16.04 LTS xenial |
Fixed 0.25-2.1ubuntu16.04.7+esm5
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialReferences
Related Ubuntu Security Notices (USN)
- USN-8103-1
- Exiv2 vulnerabilities
- 18 March 2026