← back
CVE-2026-27631

Exiv2: Uncaught exception - cannot create std::vector larger than max_size()

CVSS 2.7 LOWEPSS 0.3%CWE-248
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.7EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
02 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Affected products
Exiv2 · exiv2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Exiv2/exiv2/commit/659db316eef745899a778a1e0b760a971d1b69dfhttps://github.com/Exiv2/exiv2/issues/3513https://github.com/Exiv2/exiv2/pull/3514https://github.com/Exiv2/exiv2/security/advisories/GHSA-p2pw-7935-c73j