CVE-2026-27631
Publication date 2 March 2026
Last updated 18 March 2026
Ubuntu priority
Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.
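The failure mode described above, as an added illustration that is not Exiv2's code: a size derived from untrusted offsets wraps around, the std::vector constructor throws, and the process aborts unless something catches the exception. The function names, the offset parameters and the subtraction are assumptions made for this sketch; the page does not show the overflowing expression.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <exception>
#include <vector>

// Hypothetical loader, not Exiv2 code. `start` and `end` stand for offsets
// read from untrusted image metadata.
// Naive form: if end < start, the unsigned subtraction wraps to nearly
// SIZE_MAX and the vector constructor throws std::length_error.
std::vector<std::uint8_t> loadPreviewNaive(std::size_t start, std::size_t end) {
    std::size_t n = end - start;            // wraps when end < start
    return std::vector<std::uint8_t>(n);    // throws for the wrapped size
}

// Hardened form: reject inconsistent offsets before sizing the buffer.
bool loadPreviewChecked(std::size_t start, std::size_t end, std::size_t fileSize,
                        std::vector<std::uint8_t>& out) {
    if (start > end || end > fileSize) return false;
    out.assign(end - start, 0);
    return true;
}

// Second layer: the entry point converts any escaping exception into an
// error status, so a malformed file yields a failed run, not std::terminate.
int runGuarded(std::size_t start, std::size_t end) {
    try {
        std::vector<std::uint8_t> buf = loadPreviewNaive(start, end);
        std::printf("allocated %zu bytes\n", buf.size());
        return 0;
    } catch (const std::exception& e) {
        std::fprintf(stderr, "preview error: %s\n", e.what());
        return 1;
    }
}

int main() {
    // Constructed sample offsets: one consistent pair, one inverted pair.
    std::vector<std::uint8_t> buf;
    std::printf("checked ok: %d\n", loadPreviewChecked(40, 100, 1000, buf));
    std::printf("checked bad: %d\n", loadPreviewChecked(100, 40, 1000, buf));
    std::printf("guarded ok: %d\n", runGuarded(40, 100));
    std::printf("guarded bad: %d\n", runGuarded(100, 40));
    return 0;
}
```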
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| exiv2 | 25.10 questing | Fixed 0.28.5+dfsg-1ubuntu0.1 |
| exiv2 | 24.04 LTS noble | Fixed 0.27.6-1ubuntu0.1 |
| exiv2 | 22.04 LTS jammy | Fixed 0.27.5-3ubuntu1.1 |
| exiv2 | 20.04 LTS focal | Fixed 0.27.2-8ubuntu2.7+esm1 |
| exiv2 | 18.04 LTS bionic | Fixed 0.25-3.1ubuntu0.18.04.11+esm1 |
| exiv2 | 16.04 LTS xenial | Fixed 0.25-2.1ubuntu16.04.7+esm5 |
References
Related Ubuntu Security Notices (USN)
- USN-8103-1: Exiv2 vulnerabilities (18 March 2026)