CVE-2026-27631

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27631

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27631.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27631

Aliases

GHSA-p2pw-7935-c73j

Downstream

DEBIAN-CVE-2026-27631

UBUNTU-CVE-2026-27631

Published

2026-03-02T19:40:45.351Z

Modified

2026-03-03T02:56:38.198535Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Exiv2: Uncaught exception - cannot create std::vector larger than max_size()

Details

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.

Database specific

{
    "cwe_ids": [
        "CWE-248"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27631.json"
}

References

Affected packages

Git / github.com/exiv2/exiv2

Affected ranges

Type

GIT

Repo

https://github.com/exiv2/exiv2

Events

Introduced

Fixed

2cd987a731236037b6b78cbff897d08685a8ef49

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.28.8"
        }
    ]
}

Affected versions

0.*

0.27

0.27-RC2

0.27-RC3

0.27.1

Other

testIPO

testIPO_2

testIPO_3

testIPO_exiv2-xmp-OBJECT

testNoConanCache

v0.*

v0.10

v0.11

v0.12

v0.13

v0.14

v0.15

v0.16

v0.16-pre1

v0.17

v0.17.1

v0.18

v0.18-pre1

v0.18-pre2

v0.18.1

v0.18.2

v0.19

v0.20

v0.21

v0.21.1

v0.22

v0.23

v0.23.1

v0.24

v0.25

v0.26

v0.27-RC1

v0.27.0

v0.27.1

v0.27.1-RC1

v0.27.2

v0.27.2-RC1

v0.27.2-RC2

v0.27.2-RC3

v0.27.3

v0.27.3-RC1

v0.27.3-RC2

v0.27.4-RC1

v0.27.4-RC2

v0.28.0

v0.28.1

v0.28.2

v0.28.3

v0.28.4

v0.28.5

v0.28.6

v0.28.7

v0.3

v0.4

v0.5

v0.6

v0.6.1

v0.6.2

v0.7

v0.8

v0.9

v0.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27631.json"