CVE-2025-55304

Publication date 29 August 2025

Last updated 18 March 2026

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

Why is this CVE low priority?

Resource consumption issue that has been rated low by upstream developers

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
exiv2	25.10 questing	Ignored changes too intrusive
	25.04 plucky	Ignored end of life, was needs-triage
	24.04 LTS noble	Ignored changes too intrusive
	22.04 LTS jammy	Ignored changes too intrusive
	20.04 LTS focal	Ignored changes too intrusive
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
exiv2	Upstream: e5bf22e Upstream: b7f153f

References

Related Ubuntu Security Notices (USN)

USN-8103-1
Exiv2 vulnerabilities
18 March 2026