DEBIAN-CVE-2026-27631

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-27631

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27631.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-27631

Upstream

CVE-2026-27631

Published

2026-03-02T20:16:27.390Z

Modified

2026-03-08T05:01:09.555532Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.

References

https://security-tracker.debian.org/tracker/CVE-2026-27631

Affected packages

Debian:11 / exiv2

Package

Name: exiv2
Purl: pkg:deb/debian/exiv2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.27.3-3

0.27.3-3+deb11u1

0.27.3-3+deb11u2

0.27.3-3.1

0.27.5-1

0.27.5-2

0.27.5-3

0.27.5-4

0.27.6-1

0.28.0+dfsg-1

0.28.0+dfsg-2

0.28.0+dfsg-3

0.28.0+dfsg-4

0.28.1+dfsg-1

0.28.1+dfsg-2

0.28.1+dfsg-3

0.28.2+dfsg-1

0.28.3+dfsg-1

0.28.3+dfsg-2

0.28.4+dfsg-1

0.28.4+dfsg-2

0.28.5+dfsg-1

0.28.7+dfsg-1

0.28.7+dfsg-2

0.28.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27631.json"

Debian:12 / exiv2

Package

Name: exiv2
Purl: pkg:deb/debian/exiv2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.27.6-1

0.28.0+dfsg-1

0.28.0+dfsg-2

0.28.0+dfsg-3

0.28.0+dfsg-4

0.28.1+dfsg-1

0.28.1+dfsg-2

0.28.1+dfsg-3

0.28.2+dfsg-1

0.28.3+dfsg-1

0.28.3+dfsg-2

0.28.4+dfsg-1

0.28.4+dfsg-2

0.28.5+dfsg-1

0.28.7+dfsg-1

0.28.7+dfsg-2

0.28.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27631.json"

Debian:13 / exiv2

Package

Name: exiv2
Purl: pkg:deb/debian/exiv2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.28.5+dfsg-1

0.28.7+dfsg-1

0.28.7+dfsg-2

0.28.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27631.json"

Debian:14 / exiv2

Package

Name: exiv2
Purl: pkg:deb/debian/exiv2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.8+dfsg-1

Affected versions

0.*

0.28.5+dfsg-1

0.28.7+dfsg-1

0.28.7+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-27631.json"