Exiv2 version 0.28.8 was released yesterday (2026-03-01) with fixes for three CVEs:

CVE-2026-25884: Out-of-bounds read in CrwMap::decode0x0805
Impact: low severity, because we're only able to reproduce this with our fuzz target, not with the exiv2 command-line application.
Credit: found by Google OSS-Fuzz

CVE-2026-27596: Integer overflow in LoaderNative::getData() causes out-of-bounds read
Impact: low severity, because it is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which typically causes a crash.
Credit: found by @zerojackyi

CVE-2026-27631: Uncaught exception: cannot create std::vector larger than max_size()
Impact: low severity, because it is only triggered when running Exiv2 with an extra command line argument, like -pp. This issue causes Exiv2 to crash with an uncaught exception.
Credit: found by team Exiv2

The second issue (CVE-2026-27596) is perhaps the most interesting because it looks to me like it was found by AI. I think the report looks AI-generated, but it's also unusual for a poc to be written in Python, since most Exiv2 bugs are found by fuzzing. In the past, a poc like this would have indicated that it was hand-crafted by a human, but these days AI seems more likely. Although we've rated it low-severity, it was a useful report to receive because it uncovered a gap in our fuzzing coverage. We have now added a new fuzz-target to address that gap, which is how we found the third issue (CVE-2026-27631).

One more thing that I'd like to mention: we have stopped supporting older versions of Exiv2. If you haven't done so already, please consider upgrading to the 0.28 series.

Thanks,
Kev

Links:
https://github.com/Exiv2/exiv2/releases/tag/v0.28.8
https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7
https://github.com/Exiv2/exiv2/security/advisories/GHSA-p2pw-7935-c73j
