OESA-2026-1564

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1564

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json

JSON Data

https://api.osv.dev/v1/vulns/OESA-2026-1564

Upstream

CVE-2026-25884

CVE-2026-27596

CVE-2026-27631

Published

2026-03-15T05:53:31Z

Modified

2026-03-15T06:19:36.308555Z

Summary

exiv2 security update

Details

Exiv2 is a Cross-platform C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata and the ICC Profile embedded within digital images in various formats.

Security Fix(es):

An out-of-bounds read was found in Exiv2 version v0.28.7. The vulnerability is in the CRW image parser. The bug is reproducible with our fuzz target, but we have not been able to reproduce it with the exiv2 command line application. Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. The out-of-bounds read is triggered when Exiv2 is used to read the metadata of a crafted video file.(CVE-2026-25884)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8.(CVE-2026-27596)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.(CVE-2026-27631)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP4

exiv2

Package

Name: exiv2
Purl: pkg:rpm/openEuler/exiv2&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.27.5-7.oe2003sp4

Ecosystem specific

{
    "aarch64": [
        "exiv2-0.27.5-7.oe2003sp4.aarch64.rpm",
        "exiv2-debuginfo-0.27.5-7.oe2003sp4.aarch64.rpm",
        "exiv2-debugsource-0.27.5-7.oe2003sp4.aarch64.rpm",
        "exiv2-devel-0.27.5-7.oe2003sp4.aarch64.rpm"
    ],
    "noarch": [
        "exiv2-help-0.27.5-7.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "exiv2-0.27.5-7.oe2003sp4.src.rpm"
    ],
    "x86_64": [
        "exiv2-0.27.5-7.oe2003sp4.x86_64.rpm",
        "exiv2-debuginfo-0.27.5-7.oe2003sp4.x86_64.rpm",
        "exiv2-debugsource-0.27.5-7.oe2003sp4.x86_64.rpm",
        "exiv2-devel-0.27.5-7.oe2003sp4.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json"

openEuler:22.03-LTS-SP4

exiv2

Package

Name: exiv2
Purl: pkg:rpm/openEuler/exiv2&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.27.5-7.oe2203sp4

Ecosystem specific

{
    "aarch64": [
        "exiv2-0.27.5-7.oe2203sp4.aarch64.rpm",
        "exiv2-debuginfo-0.27.5-7.oe2203sp4.aarch64.rpm",
        "exiv2-debugsource-0.27.5-7.oe2203sp4.aarch64.rpm",
        "exiv2-devel-0.27.5-7.oe2203sp4.aarch64.rpm"
    ],
    "noarch": [
        "exiv2-help-0.27.5-7.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "exiv2-0.27.5-7.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "exiv2-0.27.5-7.oe2203sp4.x86_64.rpm",
        "exiv2-debuginfo-0.27.5-7.oe2203sp4.x86_64.rpm",
        "exiv2-debugsource-0.27.5-7.oe2203sp4.x86_64.rpm",
        "exiv2-devel-0.27.5-7.oe2203sp4.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json"

openEuler:24.03-LTS

exiv2

Package

Name: exiv2
Purl: pkg:rpm/openEuler/exiv2&distro=openEuler-24.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.2-8.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "exiv2-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-0.28.2-8.oe2403.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403.aarch64.rpm",
        "exiv2-0.28.2-8.oe2403sp1.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp1.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp1.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp1.aarch64.rpm"
    ],
    "noarch": [
        "exiv2-help-0.28.2-8.oe2403sp2.noarch.rpm",
        "exiv2-help-0.28.2-8.oe2403sp3.noarch.rpm",
        "exiv2-help-0.28.2-8.oe2403.noarch.rpm",
        "exiv2-help-0.28.2-8.oe2403sp1.noarch.rpm"
    ],
    "src": [
        "exiv2-0.28.2-8.oe2403sp2.src.rpm",
        "exiv2-0.28.2-8.oe2403sp3.src.rpm",
        "exiv2-0.28.2-8.oe2403.src.rpm",
        "exiv2-0.28.2-8.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "exiv2-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-0.28.2-8.oe2403.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403.x86_64.rpm",
        "exiv2-0.28.2-8.oe2403sp1.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp1.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp1.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp1.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json"

openEuler:24.03-LTS-SP1

exiv2

Package

Name: exiv2
Purl: pkg:rpm/openEuler/exiv2&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.2-8.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "exiv2-0.28.2-8.oe2403sp1.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp1.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp1.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp1.aarch64.rpm"
    ],
    "noarch": [
        "exiv2-help-0.28.2-8.oe2403sp1.noarch.rpm"
    ],
    "src": [
        "exiv2-0.28.2-8.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "exiv2-0.28.2-8.oe2403sp1.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp1.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp1.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp1.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json"

openEuler:24.03-LTS-SP2

exiv2

Package

Name: exiv2
Purl: pkg:rpm/openEuler/exiv2&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.2-8.oe2403sp2

Ecosystem specific

{
    "aarch64": [
        "exiv2-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp2.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp2.aarch64.rpm"
    ],
    "noarch": [
        "exiv2-help-0.28.2-8.oe2403sp2.noarch.rpm"
    ],
    "src": [
        "exiv2-0.28.2-8.oe2403sp2.src.rpm"
    ],
    "x86_64": [
        "exiv2-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp2.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp2.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json"

openEuler:24.03-LTS-SP3

exiv2

Package

Name: exiv2
Purl: pkg:rpm/openEuler/exiv2&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.28.2-8.oe2403sp3

Ecosystem specific

{
    "aarch64": [
        "exiv2-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp3.aarch64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp3.aarch64.rpm"
    ],
    "noarch": [
        "exiv2-help-0.28.2-8.oe2403sp3.noarch.rpm"
    ],
    "src": [
        "exiv2-0.28.2-8.oe2403sp3.src.rpm"
    ],
    "x86_64": [
        "exiv2-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-debuginfo-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-debugsource-0.28.2-8.oe2403sp3.x86_64.rpm",
        "exiv2-devel-0.28.2-8.oe2403sp3.x86_64.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1564.json"