USN-8103-2
- Source
- https://ubuntu.com/security/notices/USN-8103-2
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json
- JSON Data
- https://api.osv.dev/v1/vulns/USN-8103-2
- Upstream
- Published
- 2026-03-19T07:08:49Z
- Modified
- 2026-03-20T06:46:18.129224Z
- Summary
- exiv2 regression
- Details
-
USN-8103-1 fixed vulnerabilities in Exiv2. The update caused a regression for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Exiv2 did not correctly handle reading certain buffers. An attacker could possibly use this issue to leak sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-18771)
Wen Cheng discovered that Exiv2 did not correctly handle certain memory allocation. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-18899)
It was discovered that Exiv2 did not correctly handle writing certain metadata. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2025-54080)
It was discovered that Exiv2 did not correctly handle parsing certain metadata. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-55304)
It was discovered that Exiv2 did not correctly handle parsing certain images. If a user or system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2026-25884)
It was discovered that Exiv2 did not correctly handle previewing certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-27596)
It was discovered that Exiv2 did not correctly handle certain integer arithmetic. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-27631)
- References
Affected packages
Ubuntu:Pro:20.04:LTS / exiv2
Package
- Name
- exiv2
- Purl
- pkg:deb/ubuntu/exiv2@0.27.2-8ubuntu2.7+esm3?arch=source&distro=esm-infra/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.27.2-8ubuntu2.7+esm3
Affected versions
0.*
Ecosystem specific
{
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "exiv2",
"binary_version": "0.27.2-8ubuntu2.7+esm3"
},
{
"binary_name": "libexiv2-27",
"binary_version": "0.27.2-8ubuntu2.7+esm3"
},
{
"binary_name": "libexiv2-dev",
"binary_version": "0.27.2-8ubuntu2.7+esm3"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2025-55304",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:Pro:20.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json"
Ubuntu:22.04:LTS / exiv2
Package
- Name
- exiv2
- Purl
- pkg:deb/ubuntu/exiv2@0.27.5-3ubuntu1.3?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.27.5-3ubuntu1.3
Affected versions
0.*
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "exiv2",
"binary_version": "0.27.5-3ubuntu1.3"
},
{
"binary_name": "libexiv2-27",
"binary_version": "0.27.5-3ubuntu1.3"
},
{
"binary_name": "libexiv2-dev",
"binary_version": "0.27.5-3ubuntu1.3"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2025-55304",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json"
Ubuntu:24.04:LTS / exiv2
Package
- Name
- exiv2
- Purl
- pkg:deb/ubuntu/exiv2@0.27.6-1ubuntu0.3?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.27.6-1ubuntu0.3
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "exiv2",
"binary_version": "0.27.6-1ubuntu0.3"
},
{
"binary_name": "libexiv2-27",
"binary_version": "0.27.6-1ubuntu0.3"
},
{
"binary_name": "libexiv2-dev",
"binary_version": "0.27.6-1ubuntu0.3"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2025-55304",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json"
Ubuntu:25.10 / exiv2
Package
- Name
- exiv2
- Purl
- pkg:deb/ubuntu/exiv2@0.28.5+dfsg-1ubuntu0.3?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.28.5+dfsg-1ubuntu0.3
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "exiv2",
"binary_version": "0.28.5+dfsg-1ubuntu0.3"
},
{
"binary_name": "libexiv2-28",
"binary_version": "0.28.5+dfsg-1ubuntu0.3"
},
{
"binary_name": "libexiv2-data",
"binary_version": "0.28.5+dfsg-1ubuntu0.3"
},
{
"binary_name": "libexiv2-dev",
"binary_version": "0.28.5+dfsg-1ubuntu0.3"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2025-55304",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-2.json"